Skip to content

[java] HardCodedCryptoKey: NPE when constants from parent class are used #6191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 30, 2025
Merged

[java] HardCodedCryptoKey: NPE when constants from parent class are used #6191

merged 2 commits into from
Oct 30, 2025
+31 −2

Conversation

@zbynek
Copy link
Contributor

@zbynek zbynek commented Oct 30, 2025
edited by adangel
Loading

Describe the PR

Rule: HardCodedCryptoKey

Adds a null check in case the accessed field is not defined in the current class. When the null check fails, check if the field is a compile time constant.

The changed code is shared with InsecureCryptoIv, the fix applies to both rules.

For reference, the fixed NPE stacktrace 
[WARNING] Exception applying rule HardCodedCryptoKey on file /home/mag/project/civitas-ng/civitas.externalcrypto/src/test/java/civitas/crypto/CryptoBaseTest.java, continuing with next rule
org.apache.commons.lang3.exception.ContextedRuntimeException: java.lang.NullPointerException: Cannot invoke "net.sourceforge.pmd.lang.java.ast.ASTVariableId.getInitializer()" because "varDecl" is null
Exception Context:
        [1:Rule applied on node=!debug only! [ConstructorCall:82:28]new SecretKeySpec(SOMESTRING.getBytes(), SHARED_KEY_ALG)]
---------------------------------
    at net.sourceforge.pmd.util.AssertionUtil.contexted (AssertionUtil.java:257)
    at net.sourceforge.pmd.lang.rule.internal.RuleApplicator.applyOnIndex (RuleApplicator.java:79)
    at net.sourceforge.pmd.lang.rule.internal.RuleApplicator.apply (RuleApplicator.java:57)
    at net.sourceforge.pmd.lang.rule.internal.RuleSets.apply (RuleSets.java:183)
    at net.sourceforge.pmd.lang.impl.PmdRunnable.processSource (PmdRunnable.java:140)
    at net.sourceforge.pmd.lang.impl.PmdRunnable.run (PmdRunnable.java:80)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:572)
    at java.util.concurrent.FutureTask.run (FutureTask.java:317)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1144)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:642)
    at java.lang.Thread.run (Thread.java:1583)
Caused by: java.lang.NullPointerException: Cannot invoke "net.sourceforge.pmd.lang.java.ast.ASTVariableId.getInitializer()" because "varDecl" is null
    at net.sourceforge.pmd.lang.java.rule.security.AbstractHardCodedConstructorArgsVisitor.validateProperKeyArgument (AbstractHardCodedConstructorArgsVisitor.java:68)
    at net.sourceforge.pmd.lang.java.rule.security.AbstractHardCodedConstructorArgsVisitor.visit (AbstractHardCodedConstructorArgsVisitor.java:35)
    at net.sourceforge.pmd.lang.java.rule.security.HardCodedCryptoKeyRule.visit (HardCodedCryptoKeyRule.java:14)
    at net.sourceforge.pmd.lang.java.ast.ASTConstructorCall.acceptVisitor (ASTConstructorCall.java:34)
    at net.sourceforge.pmd.lang.java.ast.AbstractJavaNode.acceptVisitor (AbstractJavaNode.java:38)
    at net.sourceforge.pmd.lang.java.rule.AbstractJavaRule.apply (AbstractJavaRule.java:30)
    at net.sourceforge.pmd.lang.rule.RuleReference.apply (RuleReference.java:413)
    at net.sourceforge.pmd.lang.rule.internal.RuleApplicator.applyOnIndex (RuleApplicator.java:77)
    at net.sourceforge.pmd.lang.rule.internal.RuleApplicator.apply (RuleApplicator.java:57)
    at net.sourceforge.pmd.lang.rule.internal.RuleSets.apply (RuleSets.java:183)
    at net.sourceforge.pmd.lang.impl.PmdRunnable.processSource (PmdRunnable.java:140)
    at net.sourceforge.pmd.lang.impl.PmdRunnable.run (PmdRunnable.java:80)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:572)
    at java.util.concurrent.FutureTask.run (FutureTask.java:317)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1144)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:642)
    at java.lang.Thread.run (Thread.java:1583)

Related issues

reported in discussion #6186

Ready?

  • Added unit tests for fixed bug/feature
  • Passing all unit tests
  • Complete build ./mvnw clean verify passes (checked automatically by github actions)
  • Added (in-code) documentation (if needed)

@pmd-actions-helper
Copy link
Contributor

pmd-actions-helper bot commented Oct 30, 2025
edited
Loading

Documentation Preview

No regression tested rules have been changed.

(comment created at 2025-10-30 12:10:05+00:00 for f412ba4)

@adangel adangel added this to the 7.18.0 milestone Oct 30, 2025
adangel
adangel approved these changes Oct 30, 2025
View reviewed changes
Copy link
Member

@adangel adangel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@adangel adangel added the a:bug PMD crashes or fails to analyse a file. label Oct 30, 2025
@adangel adangel changed the title [java] HardCodedCryptoKey: report constants from parent class [java] HardCodedCryptoKey: NPE when constants from parent class are used Oct 30, 2025
@adangel adangel merged commit 39be706 into pmd:main Oct 30, 2025
1 check passed
magwas pushed a commit to magwas/pmd that referenced this pull request Nov 1, 2025
@adangel @magwas
[doc] Update release notes (pmd#6191)
fd35917
@magwas magwas mentioned this pull request Nov 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adangel adangel adangel approved these changes

Assignees

No one assigned

Labels

a:bug PMD crashes or fails to analyse a file.

Projects

None yet

Milestone

7.18.0

Development

Successfully merging this pull request may close these issues.

2 participants

@zbynek @adangel