github · owen-mc · Jun 12, 2026 · Jun 12, 2026
@@ -331,7 +331,7 @@ public void corrConds3(Object y) {
       x = new Object();
     }
     if(y instanceof String) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -341,7 +341,7 @@ public void corrConds4(Object y) {
       x = new Object();
     }
     if(!(y instanceof String)) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -351,23 +351,23 @@ public void corrConds5(Object y, Object z) {
       x = new Object();
     }
     if(y == z) {
-      x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
 
     Object x2 = null;
     if(y != z) {
       x2 = new Object();
     }
     if(y != z) {
-      x2.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x2.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
 
     Object x3 = null;
     if(y != z) {
       x3 = new Object();
     }
     if(!(y == z)) {
-      x3.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+      x3.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     }
   }
 
@@ -462,7 +462,7 @@ public void loopCorrTest2(boolean[] a) {
       cur = a[i];
       if (!prev) {
         // correctly guarded by !cur from the _previous_ iteration
-        x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+        x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
       } else {
         x = new Object();
       }
@@ -484,7 +484,7 @@ public void loopCorrTest3(String[] ss) {
           t = new Object();
         }
         // correctly guarded by t: null -> String -> Object
-        x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+        x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
       }
     }
   }
@@ -573,7 +573,7 @@ public void testFinally2(int[] xs) {
       } finally {
       }
     }
-    s.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
+    s.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive
     // CFG reachability does not distinguish abrupt successors
   }
 }
@@ -6,8 +6,8 @@ public void ex1(long[][][] a1, int ix, int len) {
     long[][] a2 = null;
     boolean haveA2 = ix < len && (a2 = a1[ix]) != null;
     long[] a3 = null;
-    final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
-    if (haveA3) a3[0] = 0; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    if (haveA3) a3[0] = 0; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
   }
 
   public void ex2(boolean x, boolean y) {
@@ -18,7 +18,7 @@ public void ex2(boolean x, boolean y) {
       s2 = (s1 == null) ? null : "";
     }
     if (s2 != null)
-      s1.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      s1.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
   }
 
   public void ex3(List<String> ss) {
@@ -48,7 +48,7 @@ public void ex4(Iterable<String> list, int step) {
         slice = new ArrayList<>();
         result.add(slice);
       }
-      slice.add(str); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      slice.add(str); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       ++index;
       iter.remove();
     }
@@ -141,7 +141,7 @@ public void ex9(boolean cond, Object obj1) {
   public void ex10(int[] a) {
     int n = a == null ? 0 : a.length;
     for (int i = 0; i < n; i++) {
-      int x = a[i]; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      int x = a[i]; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       if (x > 7)
         a = new int[n];
     }
@@ -216,7 +216,7 @@ public void ex15(Object o1, Object o2) {
     if (o1 == o2) {
       return;
     }
-    if (o1.equals(o2)) { // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+    if (o1.equals(o2)) { // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
       return;
     }
   }
@@ -230,7 +230,7 @@ private Object getFoo16() {
   public static void ex16(C c) {
     int[] xs = c.getFoo16() != null ? new int[5] : null;
     if (c.getFoo16() != null) {
-      xs[0]++; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive
+      xs[0]++; // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // NPE - false positive
     }
   }
 

@@ -11,25 +11,25 @@ void test(boolean bb)
 	{
 		int x = 0, y;
 		int[] branches = new int[10];
-		
+
 		// If-then statement
-		
+
 		if(1==1)
 		{
 			f();
 		}
 			g();	// No alert
-			
-		if(1==1)	
+
+		if(1==1)
 			f();
 		g();		// No alert
-		
+
 		if(1==1)
 			f(); // $ Alert
-			g();	// Alert
-			
+			g();
+
 		if(1==1)
-			f();	g();	// $ Alert // Alert
+			f();	g();	// $ Alert
 
 		// If-then-else statement
 
@@ -41,29 +41,29 @@ void test(boolean bb)
 		{
 			g();
 		}
-		
+
 			g();	// No alert
-			
+
 		if(1==2)
 			f();
 		else
 			g();
 		f();		// No alert
-			
+
 		if(true)
 		{
 			f();
 		}
 		else
 			f(); // $ Alert
-			g();	// Alert
-			
+			g();
+
 		if(true)
 		{
 			f();
 		}
 		else
-			f();  g();	// $ Alert // Alert
+			f();  g();	// $ Alert
 
 		// While statement
 
@@ -80,44 +80,44 @@ void test(boolean bb)
 
 		while(bb   )
 			f(); // $ Alert
-			g();		// Alert
+			g();
 			g();		// No alert
 
 		while(bb   )
-			f();	g();		// $ Alert // Alert
+			f();	g();		// $ Alert
 
 
 		while(bb)
 			if (x != 0) x = 1;
 
 		// Do-while statement
-		
+
 		do
 			f();
 		while(false);
 			g();	// No alert
-		
+
 		// For statement
 		for(int i=0; i<10; ++i)
 		{
 			f();
 		}
 			g();
-			
+
 		for(int i=0; i<10; ++i)
 			f();
 		g();
-		
+
 		for(int i=0; i<10; ++i)
 			f(); // $ Alert
-			g();				// Alert
+			g();
 
 		for(int i=0; i<10; ++i)
-			f(); g();			// $ Alert // Alert
+			f(); g();			// $ Alert
+
 
-
 		// Foreach statement
-		
+
 		for( int b : branches)
 			x += b;
 		f();
@@ -130,42 +130,42 @@ void test(boolean bb)
 
 		for( int b : branches)
 			f(); // $ Alert
-			g();			// Alert
+			g();
 
 		for( int b : branches)
-			f(); g();		// $ Alert // Alert
+			f(); g();		// $ Alert
 
 		// Nested ifs
 		if( true )
 		if(false)
 			f();
 		g();	// No alert
-		
+
 		if( true )
 			if(false) // $ Alert
 				f();
-			g();	// Alert
-		
+			g();
+
 		if( true )
 			;
-		else 
+		else
 		if (false)
 			f();
 		g();	// No alert
 
 		if( true )
 			;
-		else 
+		else
 			if (false)
 				f();
-			g();	// false negative
+			g();  // $ MISSING: Alert // false negative
 
 		if( true )
 			;
 		else if (false)
 			f();  // $ Alert
-			g();	// Alert
-		
+			g();
+
 		// Nested combinations
 		if (true)
 		while (x<10)
@@ -175,7 +175,7 @@ else if (false)
 		if (true)
 			while (x<10) // $ Alert
 				f();
-			g();	// Alert
+			g();
 
 		while (x<10)
 		if (true)
@@ -185,7 +185,7 @@ else if (false)
 		while (x<10)
 			if (true) // $ Alert
 				f();
-			g();	// Alert
+			g();
 
 		if (true)
 			f();

@@ -62,10 +62,10 @@ public void sanitizerTests(HttpServletRequest request, HttpServletResponse respo
 		response.setHeader("h", t.replace('\n', ' ').replace('\r', ' '));
 
 		// FALSE NEGATIVE: replace only some line breaks
-		response.setHeader("h", t.replace('\n', ' '));
+		response.setHeader("h", t.replace('\n', ' ')); // $ MISSING: Alert
 
 		// FALSE NEGATIVE: replace only some line breaks
-		response.setHeader("h", t.replaceAll("\r", ""));
+		response.setHeader("h", t.replaceAll("\r", "")); // $ MISSING: Alert
 
 		// GOOD: replace all linebreaks with a simple regex
 		response.setHeader("h", t.replaceAll("\n", "").replaceAll("\r", ""));

@@ -78,7 +78,7 @@ public void main(String[] args) {
 				// FALSE NEGATIVE: stillTainted could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillTainted + 100;
+				int output = stillTainted + 100; // $ MISSING: Alert[java/tainted-arithmetic]
 			}
 		}
 
@@ -107,7 +107,7 @@ public void main(String[] args) {
 			}
 			int output = data + 1;
 		}
-		
+
 		{
 			double x= Double.MAX_VALUE;
 			// OK: CWE-190 only pertains to integer arithmetic

@@ -84,7 +84,7 @@ public static void main(String[] args) {
 			// FALSE POSITIVE: the query check purely based on the type, it
 			// can't try to
 			// determine whether the value may in fact always be in bounds
-			i += j; // $ Alert[java/implicit-cast-in-compound-assignment]
+			i += j; // $ SPURIOUS: Alert[java/implicit-cast-in-compound-assignment]
 		}
 
 		// ArithmeticWithExtremeValues
@@ -224,7 +224,7 @@ public static void main(String[] args) {
 				// FALSE NEGATIVE: stillLarge could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillLarge + 100;
+				int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]
 			}
 		}
 
@@ -263,7 +263,7 @@ public static void main(String[] args) {
 				// FALSE NEGATIVE: stillLarge could still be very large, even
 				// after
 				// it has had arithmetic done on it
-				int output = stillLarge + 100;
+				int output = stillLarge + 100; // $ MISSING: Alert[java/uncontrolled-arithmetic]
 			}
 		}