Incorrect `null` handling in `if` conditions and elsewhere

### The problem

In the Painless scripting language it is an error for the result of an `if` condition to be `null`. This matches Java but differs from many other languages, in which `null` is falsy.

The [null safe operator `?.`](https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-operators-reference.html#null-safe-operator) is often used to attempt field access or method invocation on objects that may be `null`, but it doesn't turn `null`s in to non-`null`s.

After [discovering](https://github.com/elastic/integrations/pull/8556#discussion_r1411958464) incorrect `null` handling in my own code, I checked elsewhere and found many other occurrences.

<details>
<summary>Demonstration of the problem in an <code>if</code> statement</summary>

```
POST _scripts/painless/_execute
{
  "script": {
    "params": {
      "condition": null
    },
    "source": """
      if (params?.condition) {
        return "it was true";
      } else {
        return "it was false";
      }
    """
  }
}
```

</details>

<details>
<summary>Demonstration of the problem in an <code>if</code> processor option</summary>

```
PUT _ingest/pipeline/my-pipeline
{
  "processors": [
    {
      "set": {
        "field": "testfield",
        "value": "it was true",
        "if": "ctx?.condition"
      }
    }
  ]
}

POST _ingest/pipeline/my-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "condition": null
      }
    }
  ]
}
```

</details>

### Identified cases

In 3431bbea785a10b3849bdc1899896e5a723f22a8 I looked for lines with an `if` condition, the null safe operator, and without an equality or `instanceof` check:
```
ag -G '\.(yml|hbs)' 'if.*\?\.' | grep -v '==' | grep -v '!=' | grep -v instanceof
```
And also for lines with a `for` loop and the null safe operator:
```
ag -G '\.(yml|hbs)' 'for ?\(.*\?\.'
```

About half of the candidates were actual problems: 225 lines spread across 39 integrations.

<details>
<summary>Summary of identified cases</summary>

```
     37 lastpass
     36 nagios_xi
     16 cisco_ise
     13 zeek
     13 cisco_secure_endpoint
     12 ping_one
      9 zoom
      8 panw_cortex_xdr
      7 juniper_srx
      7 aws
      5 hid_bravura_monitor
      5 cisco_nexus
      4 trendmicro
      4 proofpoint_tap
      4 github
      4 box_events
      4 atlassian_jira
      4 atlassian_confluence
      3 jamf_compliance_reporter
      3 infoblox_nios
      2 tenable_sc
      2 pfsense
      2 mimecast
      2 fortinet_fortigate
      2 cloudflare_logpush
      2 cloudflare
      2 cisco_asa
      2 atlassian_bitbucket
      1 vectra_detect
      1 ti_cif3
      1 suricata
      1 salesforce
      1 microsoft_defender_endpoint
      1 mattermost
      1 elasticsearch
      1 elastic_package_registry
      1 cyberarkpas
      1 cisco_meraki
      1 cisco_ftd

    225 TOTAL
```

</details>

<details>
<summary>List of identified cases</summary>

```
packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:376:          for (def j = 0; j < ctx.bitbucket?.audit?.affected_objects.length; j++) {
packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:396:          for (def j = 0; j < ctx.bitbucket?.audit?.changed_values.length; j++) {
packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml:59:            for (def j = 0; j < ctx.confluence?.audit?.affected_objects.length; j++) {
packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml:67:            for (def j = 0; j < ctx.confluence?.audit?.changed_values.length; j++) {
packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:296:          for (def j = 0; j < ctx.confluence?.audit?.affected_objects.length; j++) {
packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:345:          for (def j = 0; j < ctx.confluence?.audit?.changed_values.length; j++) {
packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml:54:            for (def j = 0; j < ctx.jira?.audit?.affected_objects.length; j++) {
packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/cloud.yml:62:            for (def j = 0; j < ctx.jira?.audit?.changed_values.length; j++) {
packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:308:          for (def j = 0; j < ctx.jira?.audit?.affected_objects.length; j++) {
packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:327:          for (def j = 0; j < ctx.jira?.audit?.changed_values.length; j++) {
packages/aws/data_stream/cloudfront_logs/elasticsearch/ingest_pipeline/default.yml:168:      if: ctx.http?.response?.status_code >= 400
packages/aws/data_stream/cloudfront_logs/elasticsearch/ingest_pipeline/default.yml:172:      if: ctx.http?.response?.status_code < 400 && ctx.http?.response?.status_code > 000
packages/aws/data_stream/route53_public_logs/elasticsearch/ingest_pipeline/default.yml:56:      if: '!ctx._tmp?.question.endsWith("in-addr.arpa")'
packages/aws/data_stream/route53_resolver_logs/elasticsearch/ingest_pipeline/default.yml:228:      if(ctx.dns?.question?.name.contains(".in-addr.arpa")) {
packages/aws/data_stream/route53_resolver_logs/elasticsearch/ingest_pipeline/default.yml:235:      } else if (ctx.dns?.question?.name.contains(".ip6.arpa")) {
packages/aws/data_stream/route53_resolver_logs/elasticsearch/ingest_pipeline/default.yml:60:    if: '!ctx.json?.query_name.endsWith("in-addr.arpa") && !ctx.json?.query_name.endsWith("ip6.arpa")'
packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml:28:      if: 'ctx.event?.original.startsWith("version") || ctx.event?.original.startsWith("instance-id")'
packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml:708:        if (ctx.event?.action.equals("SHIELD_ALERT")) {
packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml:742:        for (session in ctx.box.additional_details?.shield_alert?.alert_summary?.sessions) {
packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml:743:          if (session.session_type?.equals("suspicious")) {
packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml:786:        for (alert_activity in ctx.box.additional_details?.shield_alert?.alert_summary?.alert_activities) {
packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2483:          } else if (ctx?.event?.action.startsWith('connection-')) {
packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2502:        } else if (ctx?.event?.action.startsWith('connection-')) {
packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml:2117:      if: "ctx?.tags?.contains('private_is_internal') &&
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml:13:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml:13:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml:16:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml:13:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml:13:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml:16:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml:13:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml:14:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml:19:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml:16:      if: ctx.cisco_ise?.log?.segment?.number > 0
packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/events.yml:44:    if: ctx?.msgtype.startsWith("type=")
packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml:19:      if: "['VSHD_SYSLOG_CONFIG_I','DETECT_MULTIPLE_PEERS','UPDOWN','CFGWRITE_STARTED','LINEPROTO'].contains(ctx.event?.code.toUpperCase())"
packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml:30:      if: "['SYSTEM_MSG'].contains(ctx.event?.code.toUpperCase())"
packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml:41:      if: "['INVAL_IP','L2FM_MAC_MOVE2','DUPLEX_MISMATCH','NATIVE_VLAN_MISMATCH','THRESHOLD_VIOLATION'].contains(ctx.event?.code.toUpperCase())"
packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml:51:      if: "['LOGIN_SUCCESS','LOGOUT','LOGOUT_C6K'].contains(ctx.event?.code.toUpperCase())"
packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml:6:      if: "['IF_DOWN_ADMIN_DOWN','IF_ADMIN_UP','SPEED','IF_DUPLEX','IF_RX_FLOW_CONTROL','IF_TX_FLOW_CONTROL','IF_UP','IF_XCVR_WARNING'].contains(ctx.event?.code.toUpperCase())"
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:135:        for (technique in ctx?.cisco?.secure_endpoint?.techniques) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:137:                if (!ctx?.threat.technique.name.contains(technique.name)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:142:                if (!ctx?.threat.technique.id.contains(technique.external_id)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:147:                if (!ctx?.threat.technique.reference.contains(technique.mitre_url)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:171:        for (tactic in ctx?.cisco?.secure_endpoint?.tactics) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:173:                if (!ctx?.threat.tactic.name.contains(tactic.name)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:178:                if (!ctx?.threat.tactic.id.contains(tactic.external_id)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:183:                if (!ctx?.threat.tactic.reference.contains(tactic.mitre_url)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:217:        if (nameArray?.length > 0) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:529:        for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:531:                if (!ctx?.related?.ip.contains(addr.ip)) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:546:        for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) {
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml:548:                if (!ctx?.cisco?.secure_endpoint?.related?.mac.contains(addr.mac)) {
packages/cloudflare/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:40:      if: ctx.json?.action?.result
packages/cloudflare/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:44:      if: "!ctx.json?.action?.result"
packages/cloudflare_logpush/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:76:      if: ctx.json?.ActionResult
packages/cloudflare_logpush/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:80:      if: '!ctx.json?.ActionResult'
packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:351:      if: 'ctx.event?.severity > 6'
packages/elastic_package_registry/data_stream/metrics/elasticsearch/ingest_pipeline/default.yml:76:      if: ctx?.package_registry?.containsKey("start_time_seconds")
packages/elasticsearch/data_stream/audit/elasticsearch/ingest_pipeline/pipeline-json.yml:13:      if: '!ctx.elasticsearch.audit.containsKey("type") && !["rest", "transport", "ip_filter", "security_config_change"].contains(ctx.elasticsearch?.audit?.event?.type)'
packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml:68:        for (def i = 0; i < arr?.length; i++) {
packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/event.yml:203:      if: ctx.rule?.description.startsWith('Dynamic address updated')
packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:107:      if: ctx.event?.action.startsWith("org.")
packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:191:      if: 'ctx._temp?.action.contains("create") || ctx._temp?.action.contains("add")'
packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:195:      if: 'ctx._temp?.action.contains("delete") || ctx._temp?.action.contains("remove")'
packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:97:      if: ctx.event?.action.startsWith("team.")
packages/hid_bravura_monitor/data_stream/log/elasticsearch/ingest_pipeline/default.yml:27:      if: ctx?.msg.contains('last message repeated')
packages/hid_bravura_monitor/data_stream/log/elasticsearch/ingest_pipeline/default.yml:37:      if: ctx?.log?.level.contains('Perf')
packages/hid_bravura_monitor/data_stream/log/elasticsearch/ingest_pipeline/default.yml:42:      if: ctx?.log?.level.contains('Perf')
packages/hid_bravura_monitor/data_stream/log/elasticsearch/ingest_pipeline/default.yml:45:      if: ctx?.log?.level.contains('Perf')
packages/hid_bravura_monitor/data_stream/log/elasticsearch/ingest_pipeline/default.yml:61:      if: ctx?.log?.level.contains('Perf')
packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml:115:        for(data in ctx.dns?.answers?.data){
packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml:132:        for(name in ctx.dns?.answers?.name){
packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml:90:        for (def i = 0; i < arr?.length; i++) {
packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml:137:        for (Map.Entry m : ctx.json?.args.entrySet()) {
packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml:43:        for (Map.Entry m : ctx.json?.args.entrySet()) {
packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml:266:        for (Map.Entry m : ctx.json?.args.entrySet()) {
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:29:    if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:36:    if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:42:    if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:46:    if: "ctx.juniper?.srx?.tag.endsWith('CREATE') || ctx.juniper?.srx?.tag.endsWith('UPDATE') || ctx.juniper?.srx?.tag.endsWith('CREATE_LS') || ctx.juniper?.srx?.tag.endsWith('UPDATE_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:50:    if: "ctx.juniper?.srx?.tag.endsWith('CLOSE') || ctx.juniper?.srx?.tag.endsWith('CLOSE_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/flow.yml:54:    if: "ctx.juniper?.srx?.tag.endsWith('DENY') || ctx.juniper?.srx?.tag.endsWith('DENY_LS')"
packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/ids.yml:73:    if: "ctx.juniper?.srx?.attack_name.startsWith('Tunnel')"
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:146:      if: ctx.event?.action?.contains('deleted sites')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:152:      if: ctx.event?.action?.contains('employee invited') || ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('employee account deleted')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:161:          if (ctx.event?.action?.contains('limit shared folder')) {
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:168:      if: ctx.event?.action?.contains('log in')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:174:      if: ctx.event?.action?.contains('saml login')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:180:      if: ctx.event?.action?.contains('failed login attempt')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:186:      if: ctx.event?.action?.contains('login to admin console') || ctx.event?.action?.contains('make admin') || ctx.event?.action?.contains('remove admin') || ctx.event?.action?.contains('require password change') || ctx.event?.action?.contains('master password reset by super admin')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:192:      if: ctx.event?.action?.contains('site added')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:198:      if: ctx.event?.action?.contains('created shared folder') || ctx.event?.action?.contains('deleted shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:204:      if: ctx.event?.action?.contains('add secure note') || ctx.event?.action?.contains('open secure note')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:211:      if: ctx.event?.action?.contains('edit secure note')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:217:      if: ctx.event?.action?.contains('add to shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:223:      if: ctx.event?.action?.contains('create group')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:229:      if: ctx.event?.action?.contains('adding user to group')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:235:      if: ctx.event?.action?.contains('created lastpass account')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:241:      if: ctx.event?.action?.contains('update folder permissions')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:247:      if: ctx.event?.action?.contains('renamed shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:253:      if: ctx.event?.action?.contains('move to shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:260:      if: ctx.event?.action?.contains('move from shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:268:      if: ctx.event?.action?.contains('delete shared sites')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:275:      if: ctx.event?.action?.contains('limit shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:281:      if: ctx.event?.action?.contains('removed from shared folder')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:290:      if: ctx.event?.action?.contains('employee invited') || ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('employee account deleted')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:301:      if: "!(ctx.event?.action?.contains('employee invited') || ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('employee account deleted'))"
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:40:      if: ctx.event?.action?.contains('login verification email sent') || ctx.event?.action?.contains('log in') || ctx.event?.action?.contains('login to admin console') || ctx.event?.action?.contains('saml login') || ctx.event?.action?.contains('multifactor enabled') || ctx.event?.action?.contains('failed login attempt')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:44:      if: ctx.event?.action?.contains('add policy') || ctx.event?.action?.contains('delete policy') || ctx.event?.action?.contains('enterprise api secret regenerated')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:48:      if: ctx.event?.action?.contains('make admin') || ctx.event?.action?.contains('master password changed') || ctx.event?.action?.contains('master password reset by super admin') || ctx.event?.action?.contains('require password change') || ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('created lastpass account') || ctx.event?.action?.contains('employee account deleted') || ctx.event?.action?.contains('remove admin') || ctx.event?.action?.contains('create group') || ctx.event?.action?.contains('adding user to group')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:52:      if: ctx.event?.action?.contains('log in') || ctx.event?.action?.contains('login to admin console') || ctx.event?.action?.contains('saml login') || ctx.event?.action?.contains('open secure note') || ctx.event?.action?.contains('failed login attempt')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:56:      if: ctx.event?.action?.contains('make admin')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:60:      if: ctx.event?.action?.contains('enterprise api secret regenerated') || ctx.event?.action?.contains('update folder permissions') || ctx.event?.action?.contains('master password changed') || ctx.event?.action?.contains('master password reset by super admin') || ctx.event?.action?.contains('edit secure note') || ctx.event?.action?.contains('renamed shared folder') || ctx.event?.action?.contains('move to shared folder') || ctx.event?.action?.contains('move from shared folder') || ctx.event?.action?.contains('limit shared folder') || ctx.event?.action?.contains('update folder permissions')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:64:      if: ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('created lastpass account') || ctx.event?.action?.contains('created shared folder') || ctx.event?.action?.contains('add secure note') || ctx.event?.action?.contains('site added') || ctx.event?.action?.contains('add to shared folder') || ctx.event?.action?.contains('add policy')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:68:      if: ctx.event?.action?.contains('deleted sites') || ctx.event?.action?.contains('delete policy') || ctx.event?.action?.contains('deleted shared folder') || ctx.event?.action?.contains('employee account deleted') || ctx.event?.action?.contains('remove admin') || ctx.event?.action?.contains('removed from shared folder') || ctx.event?.action?.contains('delete shared sites') || ctx.event?.action?.contains('deleted sites')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:72:      if: ctx.event?.action?.contains('create group') || ctx.event?.action?.contains('adding user to group')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:76:      if: ctx.event?.action?.contains('login verification email sent') || ctx.event?.action?.contains('get shared folder data') || ctx.event?.action?.contains('get user data') || ctx.event?.action?.contains('employee invited') || ctx.event?.action?.contains('reporting') || ctx.event?.action?.contains('require password change') || ctx.event?.action?.contains('multifactor enabled')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:80:      if: ctx.event?.action?.contains('login verification email sent') || ctx.event?.action?.contains('log in') || ctx.event?.action?.contains('login to admin console') || ctx.event?.action?.contains('saml login') || ctx.event?.action?.contains('open secure note') || ctx.event?.action?.contains('make admin') || ctx.event?.action?.contains('enterprise api secret regenerated') || ctx.event?.action?.contains('update folder permissions') || ctx.event?.action?.contains('master password changed') || ctx.event?.action?.contains('master password reset by super admin') || ctx.event?.action?.contains('employee account created') || ctx.event?.action?.contains('created lastpass account') || ctx.event?.action?.contains('created shared folder') || ctx.event?.action?.contains('add secure note') || ctx.event?.action?.contains('site added') || ctx.event?.action?.contains('add to shared folder') || ctx.event?.action?.contains('add policy') || ctx.event?.action?.contains('deleted sites') || ctx.event?.action?.contains('delete policy') || ctx.event?.action?.contains('deleted shared folder') || ctx.event?.action?.contains('employee account deleted') || ctx.event?.action?.contains('remove admin') || ctx.event?.action?.contains('create group') || ctx.event?.action?.contains('adding user to group') || ctx.event?.action?.contains('get shared folder data') || ctx.event?.action?.contains('get user data') || ctx.event?.action?.contains('employee invited') || ctx.event?.action?.contains('edit secure note') || ctx.event?.action?.contains('renamed shared folder') || ctx.event?.action?.contains('move to shared folder') || ctx.event?.action?.contains('move from shared folder') || ctx.event?.action?.contains('limit shared folder') || ctx.event?.action?.contains('removed from shared folder') || ctx.event?.action?.contains('update folder permissions') || ctx.event?.action?.contains('delete shared sites') || ctx.event?.action?.contains('multifactor enabled') || ctx.event?.action?.contains('deleted sites')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:84:      if: ctx.event?.action?.contains('failed login attempt')
packages/lastpass/data_stream/event_report/elasticsearch/ingest_pipeline/default.yml:88:      if: ctx.event?.action?.contains('require password change') || ctx.event?.action?.contains('reporting')
packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:323:      if: "ctx.event?.category.contains('iam')"
packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml:173:      if: (ctx.json?.description).length() < 1020
packages/mimecast/data_stream/archive_search_logs/elasticsearch/ingest_pipeline/default.yml:82:      if: 'ctx.user?.parts?.length > 1'
packages/mimecast/data_stream/archive_search_logs/elasticsearch/ingest_pipeline/default.yml:86:      if: 'ctx.user?.parts?.length > 1'
packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml:262:    if: ctx?.json?.current_state?.contains("0")
packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml:268:    if: ctx?.json?.current_state?.contains("1")
packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml:274:    if: ctx?.json?.current_state?.contains("2")
packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml:280:    if: ctx?.json?.current_state?.contains("3")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:242:    if: ctx?.json?.current_state?.contains("0")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:248:    if: ctx?.json?.current_state?.contains("1")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:254:    if: ctx?.json?.current_state?.contains("2")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:260:    if: ctx?.json?.current_state?.contains("3")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:398:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_users")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:404:    if: ctx?.nagios_xi?.service?.containsKey("current_users")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:415:    if: ctx?.nagios_xi?.service?.containsKey("current_users")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:423:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_load")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:429:    if: ctx?.nagios_xi?.service?.containsKey("current_load")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:450:    if: ctx?.nagios_xi?.service?.containsKey("current_load")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:458:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_ssh") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_ssh")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:464:    if: ctx?.nagios_xi?.service?.containsKey("ssh")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:475:    if: ctx?.nagios_xi?.service?.containsKey("ssh")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:483:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_ping") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_ping")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:489:    if: ctx?.nagios_xi?.service?.containsKey("ping")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:505:    if: ctx?.nagios_xi?.service?.containsKey("ping")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:513:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_swap")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:519:    if: ctx?.nagios_xi?.service?.containsKey("swap_usage")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:532:        if(ctx?.nagios_xi?.service?.containsKey("swap_usage")) {
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:541:    if: ctx?.nagios_xi?.service?.containsKey("swap_usage")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:549:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_procs")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:555:    if: ctx?.nagios_xi?.service?.containsKey("process")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:566:    if: ctx?.nagios_xi?.service?.containsKey("process")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:574:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_http") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_http")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:580:    if: ctx?.nagios_xi?.service?.containsKey("http")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:596:    if: ctx?.nagios_xi?.service?.containsKey("http")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:604:    if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_disk")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:610:    if: ctx?.nagios_xi?.service?.containsKey("root_partition")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:623:        if(ctx?.nagios_xi?.service?.containsKey("root_partition")) {
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:632:    if: ctx?.nagios_xi?.service?.containsKey("root_partition")
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:639:    if: '!(ctx?.nagios_xi?.service?.containsKey("current_users") || ctx?.nagios_xi?.service?.containsKey("current_load") || ctx?.nagios_xi?.service?.containsKey("ssh") || ctx?.nagios_xi?.service?.containsKey("ping") || ctx?.nagios_xi?.service?.containsKey("swap_usage") || ctx?.nagios_xi?.service?.containsKey("process") || ctx?.nagios_xi?.service?.containsKey("http") || ctx?.nagios_xi?.service?.containsKey("root_partition"))'
packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml:646:    if: ctx?.event?.dataset?.contains("nagios_xi.custom")
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:204:          if (!ctx.threat?.technique?.id.contains(x)) {
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:207:          if (!ctx.threat?.technique?.name.contains(y)) {
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:211:        for (mitre_technique in ctx.panw_cortex?.xdr?.mitre_technique_id_and_name) {
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:232:          if (!ctx.threat?.tactic?.id.contains(x)) {
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:235:          if (!ctx.threat?.tactic?.name.contains(y)) {
packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:239:        for (mitre_tactic in ctx.panw_cortex?.xdr?.mitre_tactic_id_and_name) {
packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml:126:        for (mitre_technique in ctx.panw_cortex?.xdr?.mitre_techniques_ids_and_names) {
packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml:154:        for (mitre_tactic in ctx.panw_cortex?.xdr?.mitre_tactics_ids_and_names) {
packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml:21:      if: 'ctx._tmp?.action.toLowerCase().contains("success")'
packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/php-fpm.yml:25:      if: 'ctx._tmp?.action.toLowerCase().contains("authentication error")'
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:24:      if: ctx.json?.action?.type?.toLowerCase().contains('created') || ctx.json.action.type.toLowerCase().contains('deleted') || ctx.json.action.type.toLowerCase().contains('updated') || ctx.json.action.type.toLowerCase().contains('access_allowed')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:28:      if: ctx.json?.action?.type?.toLowerCase().contains('created')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:32:      if: ctx.json?.action?.type?.toLowerCase().contains('deleted')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:36:      if: ctx.json?.action?.type?.toLowerCase().contains('updated')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:40:      if: ctx.json?.action?.type?.toLowerCase().contains('user')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:44:      if: ctx.json?.action?.type?.toLowerCase().contains('group')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:48:      if: ctx.json?.action?.type?.toLowerCase().contains('allowed')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:52:      if: ctx.json?.action?.type?.toLowerCase().contains('denied')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:56:      if: ctx.json?.action?.type?.toLowerCase().contains('started')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:60:      if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:64:      if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded')
packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml:68:      if: ctx.json?.action?.type?.toLowerCase().contains('email')
packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml:237:            for (artifact in ctx.json?.threatsInfoMap) {
packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml:237:            for (artifact in ctx.json?.threatsInfoMap) {
packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml:233:            for (artifact in ctx.json?.threatsInfoMap) {
packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml:233:            for (artifact in ctx.json?.threatsInfoMap) {
packages/salesforce/data_stream/login_stream/elasticsearch/ingest_pipeline/default.yml:218:    if: '!ctx.source?.geo?.location?.containsKey("lat") && !ctx.source?.geo?.location?.containsKey("lon")'
packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/dns-answer-v2.yml:16:        for (def answer : ctx?.dns?.answers) {
packages/tenable_sc/data_stream/asset/elasticsearch/ingest_pipeline/default.yml:190:        if (nameArray?.length > 0) {
packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml:462:        if (nameArray?.length > 0) {
packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml:72:      if: "['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype) && !ctx.cif3?.tags.contains('ja3')"
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:40:      if: "ctx.trendmicro?.event?.signature_id >= 6000000 && ctx.trendmicro?.event?.signature_id <= 6999999"
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:52:      if: "ctx.trendmicro?.event?.signature_id >= 4000000 && ctx.trendmicro?.event?.signature_id <= 4999999"
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:55:      if: "ctx.trendmicro?.event?.signature_id >= 100 && ctx.trendmicro?.event?.signature_id <= 7499"
packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml:61:      if: "ctx.trendmicro?.event?.signature_id >= 5000000 && ctx.trendmicro?.event?.signature_id <= 5999999"
packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml:107:      if: ctx.vectra_detect?.log?.account?.uid.contains('@')
packages/zeek/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml:185:      if: ctx.zeek?.kerberos?.client.contains('/')
packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml:46:      if: ctx.host?.ip.contains('.')
packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml:50:      if: ctx.host?.ip.contains(':')
packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml:46:      if: ctx.host?.ip.contains('.')
packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml:50:      if: ctx.host?.ip.contains(':')
packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml:45:      if: ctx.host?.ip.contains('.')
packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml:49:      if: ctx.host?.ip.contains(':')
packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml:95:      if: ctx.source?.ip.contains('.')
packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml:99:      if: ctx.source?.ip.contains(':')
packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml:83:      if: ctx.source?.ip.contains('.')
packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml:87:      if: ctx.source?.ip.contains(':')
packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml:50:      if: ctx.host?.ip.contains('.')
packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml:54:      if: ctx.host?.ip.contains(':')
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:100:      if: "ctx?.event?.action.startsWith('account')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:103:      if: "ctx?.event?.action.startsWith('chat_message')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:106:      if: "ctx?.event?.action.startsWith('chat_channel')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:109:      if: "ctx?.event?.action.startsWith('phone')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:112:      if: "ctx?.event?.action.startsWith('recording')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:115:      if: "ctx?.event?.action.startsWith('user')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:118:      if: "ctx?.event?.action.startsWith('webinar')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:121:      if: "ctx?.event?.action.startsWith('zoomroom')"
packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml:97:      if: "ctx?.event?.action.startsWith('meeting')"
```
</details>

### Variations of the problem

In these identified cases there were a number of different types of `null` handling errors:
* `null` as the result of an `if` condition: `if (ctx?.risky?.value)`
* `null` an an operand of a boolean operator: `if: ctx.event?.action?.contains('substring') || ...`
* `null` as an operand of a comparison operator `if (nameArray?.length > 0)`
* `null` in the iteration statement of a `for` loop: `for (item in ctx.risky?.items)`
* Unsafe invocation of the `equals()` method: `if (ctx.event?.action.equals("some action"))`
* Incomplete use of the null safe operator: `if (ctx?.safe.notSafe.moreNotSafe(arg))`
* Inconsistent use of the null safe operator:  
  `if: '[...].contains(ctx.risk.unprotected) && ![...].contains(ctx?.risk?.protected)'`

<details>
<summary>Constructed examples</summary>

```
POST _scripts/painless/_execute
{
  "script": {
    "params": {
      "weather": {
        "temperature": null
      },
      "plans": {
        "beAlone": null,
        "swim": null,
        "sit": true
      },
      "books": {
        "finished": null
      }
    },
    "source": """
      def beachBag = [];

      if (params.plans?.beAlone) {                    // if condition
        beachBag.add("thoughts");
      } else {
        beachBag.add("a friend");
      }

      if (params.plans?.swim || params.plans?.sit) {  // operand of boolean operator
        beachBag.add("a towel");
      }

      if (params.weather?.temperature <= 20) {        // operand of comparison operator
        beachBag.add("a coat");
      } else {
        beachBag.add("a hat");
      }

      def books = ["The Little Prince"];
      beachBag.addAll(books);
      for (finishedBook in params.books?.finished) {  // iteration statement of for loop
        beachBag.removeIf(b -> b == finishedBook);
      }
      
      if (params.weather?.sun.bright == true) {       // incomplete null safe
        beachBag.add("sunglasses");
      }
      
      if (params.plans?.swim.equals(true)) {          // equals()
        beachBag.add("a swimsuit");
      }
      
      return "I'm going to the beach and I'm bringing " + beachBag;
    """
  }
}
```
</details>

### Checklist of fixes

It's probably best to fix these with a separate pull request for each integration.

#### sec-deployment-and-devices

- [x] cisco_asa (offending code removed)
- [x] cisco_ftd #9141
- [x] cisco_ise #9004
- [ ] cisco_nexus
- [ ] fortinet_fortigate
- [ ] juniper_srx
- [ ] pfsense
- [ ] suricata
- [x] zeek #9005

#### sec-windows-platform

- [ ] hid_bravura_monitor

#### security-service-integrations

- [ ] atlassian_bitbucket
- [ ] atlassian_confluence
- [ ] atlassian_jira
- [ ] box_events
- [ ] cisco_meraki
- [x] cisco_secure_endpoint #9006
- [ ] cloudflare
- [ ] cloudflare_logpush
- [x] cyberarkpas #9182
- [x] github #9181
- [x] infoblox_nios #9180
- [x] jamf_compliance_reporter #9179
- [x] lastpass #9002
- [x] mattermost #9177
- [x] microsoft_defender_endpoint #9176
- [ ] mimecast
- [x] panw_cortex_xdr #9175
- [x] ping_one #9076
- [x] proofpoint_tap #9153
- [x] tenable_sc #9152
- [ ] trendmicro
- [x] ti_cif3 #9148
- [x] vectra_detect #9151
- [x] zoom #9077

#### stack-monitoring

- [ ] elasticsearch

#### obs-infraobs-intergrations

- [x] nagios_xi #9003
- [ ] salesforce

#### obs-ds-hosted-services

- [ ] aws

#### ecosystem

- [ ] elastic_package_registry


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Incorrect `null` handling in `if` conditions and elsewhere #8646

The problem

Identified cases

Variations of the problem

Checklist of fixes

sec-deployment-and-devices

sec-windows-platform

security-service-integrations

stack-monitoring

obs-infraobs-intergrations

obs-ds-hosted-services

ecosystem

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Incorrect null handling in if conditions and elsewhere #8646

Description

The problem

Identified cases

Variations of the problem

Checklist of fixes

sec-deployment-and-devices

sec-windows-platform

security-service-integrations

stack-monitoring

obs-infraobs-intergrations

obs-ds-hosted-services

ecosystem

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Incorrect `null` handling in `if` conditions and elsewhere #8646