Ilia Vassilev reassigned ELY-954:
---------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
Coverity static analysis, Dereference null return value,
OAuth2CredentialSource (Elytron)
-----------------------------------------------------------------------------------------
Key: ELY-954
URL: https://issues.jboss.org/browse/ELY-954
Project: WildFly Elytron
Issue Type: Bug
Components: Credential Store
Reporter: Martin Choma
Assignee: Ilia Vassilev
Priority: Critical
Coverity found a possible dereference of a null value returned from {{resolveSSLContext()}} in {{openConnection()}}:
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=95640...
{code:java|title=OAuth2CredentialSource.java}
    // Returns null for plain http, and also for https when no sslContextSupplier is configured.
    private SSLContext resolveSSLContext() {
        if (!isHttps(tokenEndpointUri)) {
            return null;
        }
        return sslContextSupplier == null ? null : sslContextSupplier.get();
    }

    private HttpURLConnection openConnection() throws IOException {
        log.debugf("Opening connection to [%s]", tokenEndpointUri);
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();
        if (isHttps(tokenEndpointUri)) {
            HttpsURLConnection https = (HttpsURLConnection) connection;
            // Coverity finding: resolveSSLContext() may be null here (https URI, no supplier), so
            // getSocketFactory() is invoked on a null reference.
            https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
            if (hostnameVerifierSupplier != null) {
                https.setHostnameVerifier(checkNotNullParam("hostnameVerifier", hostnameVerifierSupplier.get()));
            }
        }
        return connection;
    }
{code}
An NPE could probably happen if {{oauth2-introspection}} is configured with no {{client-ssl-context}} and an https {{introspection-url}}.
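To make the finding concrete, the following stand-alone class is an added example, not Elytron code and not the fix applied in ELY-954. It reproduces the null-return contract of {{resolveSSLContext()}} in a hypothetical {{TokenEndpointClient}} and places the reported dereference next to a defensive variant that checks the result before use. All names, the {{idp.example.invalid}} URI and the choice of fallback are assumptions of the example; nothing in it performs network I/O, because {{URL.openConnection()}} only builds the connection object until {{connect()}} is called.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

/**
 * Added example (hypothetical class, not Elytron's OAuth2CredentialSource): shows the
 * null-dereference pattern Coverity flagged and one defensive way to close it.
 */
public class TokenEndpointClient {

    private final URI tokenEndpointUri;
    // null models "no client-ssl-context configured"
    private final Supplier<SSLContext> sslContextSupplier;

    TokenEndpointClient(URI tokenEndpointUri, Supplier<SSLContext> sslContextSupplier) {
        this.tokenEndpointUri = tokenEndpointUri;
        this.sslContextSupplier = sslContextSupplier;
    }

    private static boolean isHttps(URI uri) {
        return "https".equalsIgnoreCase(uri.getScheme());
    }

    /** Same contract as the reported method: null for http, and null for https without a supplier. */
    private SSLContext resolveSSLContext() {
        if (!isHttps(tokenEndpointUri)) {
            return null;
        }
        return sslContextSupplier == null ? null : sslContextSupplier.get();
    }

    /** Unsafe variant: mirrors the reported code path, dereferencing the result without a check. */
    HttpURLConnection openConnectionUnsafe() throws IOException {
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.toURL().openConnection();
        if (isHttps(tokenEndpointUri)) {
            HttpsURLConnection https = (HttpsURLConnection) connection;
            // NullPointerException when the URI is https and no supplier was configured
            https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
        }
        return connection;
    }

    /** Defensive variant: resolve once, check for null, then either fall back or fail with a clear cause. */
    HttpURLConnection openConnectionSafe() throws IOException {
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.toURL().openConnection();
        if (isHttps(tokenEndpointUri)) {
            HttpsURLConnection https = (HttpsURLConnection) connection;
            SSLContext ctx = resolveSSLContext();
            if (ctx == null) {
                try {
                    // Fallback chosen for this example: the JVM default context (default trust store).
                    ctx = SSLContext.getDefault();
                } catch (GeneralSecurityException e) {
                    throw new IOException("No SSLContext available for https token endpoint " + tokenEndpointUri, e);
                }
            }
            https.setSSLSocketFactory(ctx.getSocketFactory());
        }
        return connection;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: https introspection URL with no client-ssl-context configured (supplier == null).
        TokenEndpointClient client =
                new TokenEndpointClient(URI.create("https://idp.example.invalid/introspect"), null);
        try {
            client.openConnectionUnsafe();
            System.out.println("unsafe variant: no exception (unexpected)");
        } catch (NullPointerException e) {
            System.out.println("unsafe variant: NullPointerException, as the Coverity report predicts");
        }
        HttpURLConnection c = client.openConnectionSafe();
        System.out.println("safe variant: built " + c.getClass().getSimpleName() + " with a non-null SSLContext");
    }
}
```

The design point is where the null is handled: resolving the context once into a local variable makes the check explicit and keeps static analysers quiet, and the fallback is a policy decision. Defaulting to {{SSLContext.getDefault()}} keeps the introspection call working against a public identity provider whose certificate chains to the JVM trust store; if the deployment requires a configured {{client-ssl-context}} (for example for mutual TLS), replacing the fallback with an immediate exception is the stricter choice, and either is preferable to an unexplained NPE at connection time.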