Per the recommendation in the finding: "Another approach to protecting against mass assignment vulnerabilities is to use a layered architecture where the HTTP request parameters are bound to DTO objects. The DTO objects are only used for that purpose, exposing only the attributes defined in the web forms or API contracts, and then mapping these DTO objects to Domain objects where the rest of the private attributes can be defined."
I have scenarios where I have FromBody, ApiAttribute on the controller, and a DTO with three public required fields. Fortify still flags this with Mass Assignment. Shouldn't this be ignored?
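The layered DTO pattern from the quoted recommendation, as an added ASP.NET Core example that is not part of the original post. The type names (`UserAccount`, `CreateUserRequest`, `UsersController`), the routes and the fields are hypothetical; it contrasts binding the request body to the domain object with binding it to a contract-only DTO that is then mapped explicitly.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Domain object (hypothetical): carries attributes a client must never set.
public class UserAccount
{
    public int Id { get; set; }
    public string UserName { get; set; } = string.Empty;
    public string Email { get; set; } = string.Empty;
    public string DisplayName { get; set; } = string.Empty;
    public bool IsAdmin { get; set; }          // not part of the API contract
    public decimal CreditBalance { get; set; } // not part of the API contract
}

// DTO (hypothetical): exactly the three required fields of the API contract.
public class CreateUserRequest
{
    [Required, StringLength(64)]  public string UserName { get; set; } = string.Empty;
    [Required, EmailAddress]      public string Email { get; set; } = string.Empty;
    [Required, StringLength(128)] public string DisplayName { get; set; } = string.Empty;
}

[ApiController]
[Route("api/users")]
public class UsersController : ControllerBase
{
    // Weak form: the binder populates every public setter on the domain type,
    // so a body containing "isAdmin": true is accepted as sent.
    [HttpPost("unsafe")]
    public IActionResult CreateUnsafe([FromBody] UserAccount account) => Ok(account);

    // Layered form: bind to the DTO only. An extra JSON member such as
    // "isAdmin" has no DTO property to bind to; [ApiController] rejects a
    // request that fails the [Required] checks with HTTP 400 before this runs.
    [HttpPost]
    public IActionResult Create([FromBody] CreateUserRequest dto)
    {
        // Explicit, field-by-field mapping from DTO to domain object.
        var account = new UserAccount
        {
            UserName = dto.UserName,
            Email = dto.Email,
            DisplayName = dto.DisplayName
            // IsAdmin and CreditBalance keep their server-side defaults.
        };
        return Ok(new { account.UserName, account.Email, account.DisplayName });
    }
}
```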