Coverity static analysis, Dereference after null check, KeyStoreService (elytron-subsystem) -------------------------------------------------------------------------------------------- Key: WFLY-8104 URL: https://issues.jboss.org/browse/WFLY-8104 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Ilia Vassilev Priority: Critical Coverity found 2 possible occurences of dereferencing null. https://scan7.coverity.com/reports.htm#v23632/p12663/fileInstanceId=95644... https://scan7.coverity.com/reports.htm#v23632/p12663/fileInstanceId=95644... {code:java} private char[] resolvePassword() throws Exception { ExceptionSupplier<CredentialSource, Exception> sourceSupplier = credentialSourceSupplier.getValue(); CredentialSource cs = sourceSupplier != null ? sourceSupplier.get() : null; if (cs != null) { return cs.getCredential(PasswordCredential.class).getPassword(ClearPassword.class).getPassword(); } else { throw ROOT_LOGGER.keyStorePasswordCannotBeResolved(resolvedPath.getPath()); } } {code} Both {{getCredential(Class<C> credentialType)}} and {{getPassword(Class<P> type)}} have in javadoc mentioned return value can be null. Also in org.wildfly.security.auth.realm.ldap.SimpleDirContextFactoryBuilder.SimpleDirContextFactory.obtainDirContext(org.wildfly.security.auth.realm.ldap.DirContextFactory.ReferralMode) returned value are explicitely checked on null value. Add null check also in {{resolvePassword()}} method