
False positive: Dereferenced variable may be null ignore NRT attributes

Open Euan-McVie opened this issue 1 month ago • 2 comments

Description of the false positive

NRT attributes appear to be ignored by CodeQL. This results in lots of noise, as we have to explicitly mark each point of use as a false positive, and so as safe.

Code samples or links to source code

    if (TryConvertContractState(tradingPhase, state, out Models.ContractState? contractState))
        return contractState.Value;

when it is defined as:

    private static bool TryConvertContractState(
        string tradingPhase, string state,
        [NotNullWhen(true)] out PersistedModels.ContractState? cdmState)
    {}

URL to the alert on GitHub code scanning (optional)

Private Repo, but the view query source goes to: https://github.com/github/codeql/blob/aa3000df1310b332ba1c84afec3bacb0aeb4dbbd/csharp/ql/src/CSI/NullMaybe.ql

Euan-McVie avatar Nov 12 '25 18:11 Euan-McVie
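A compilable reproducer of the pattern in the report, added here and not taken from the issue or the CodeQL project. The enum members, the method bodies and the unannotated counterpart are constructed; only the names and the `[NotNullWhen(true)]` signature follow the report.

```csharp
#nullable enable
using System;
using System.Diagnostics.CodeAnalysis;

// Constructed enum; the issue only names the type, not its members.
enum ContractState { Open, Closed }
static class Repro
{
    // [NotNullWhen(true)] tells the compiler's nullable flow analysis that
    // cdmState is non-null whenever this method returns true.
    static bool TryConvertContractState(
        string tradingPhase, string state,
        [NotNullWhen(true)] out ContractState? cdmState)
    {
        if (tradingPhase == "trading" && Enum.TryParse(state, out ContractState parsed))
        {
            cdmState = parsed;
            return true;
        }
        cdmState = null;
        return false;
    }
    // Same contract without the attribute: the compiler cannot connect the
    // return value to the out parameter, so the caller is left with maybe-null.
    static bool TryConvertUnannotated(string state, out ContractState? cdmState)
    {
        bool ok = Enum.TryParse(state, out ContractState parsed);
        cdmState = ok ? parsed : (ContractState?)null;
        return ok;
    }
    static ContractState Annotated(string tradingPhase, string state)
    {
        // No CS8629 here: the attribute proves contractState is non-null in
        // this branch, so a null-dereference alert on .Value is a false positive.
        if (TryConvertContractState(tradingPhase, state, out ContractState? contractState))
            return contractState.Value;
        throw new ArgumentException($"cannot convert {tradingPhase}/{state}");
    }
    static ContractState Unannotated(string state)
    {
        // CS8629 "Nullable value type may be null": this is the true positive
        // a null-dereference query should report.
        if (TryConvertUnannotated(state, out ContractState? contractState))
            return contractState.Value;
        throw new ArgumentException($"cannot convert {state}");
    }
    static void Main() => Console.WriteLine(Annotated("trading", "Open"));
}
```

Building this with nullable warnings enabled shows the compiler's own verdict on each call site, which is the baseline the query result can be compared against.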

A related unresolved issue from 2020, https://github.com/github/codeql/issues/2774 (for the DoesNotReturn attribute), has a comment suggesting that for these attributes "We shall look into fixing this."

Euan-McVie avatar Nov 12 '25 18:11 Euan-McVie

Hi @Euan-McVie,

Thanks for your report. Since 2020 priorities have shifted somewhat, and resolving false positive reports is not a current product priority. We acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.

jketema avatar Nov 13 '25 09:11 jketema