Java's ProcessBuilder getting flagged for command injection even with a data cleanse rule

Hello folks - I have a situation where we have a code that does something like this:

Class OurProcess {

       List<String> cleansedCommand;

       public OurProcess(List<String> command) {

              cleansedCommand = Validator.cleanseCommand(command);

       }

      public void executeCmd() {

           ProcessBuilder pb = new ProcessBuilder(cleansedCommand);

           pb.start();

          .......

          .......

    }

}

I had spent quite sometime in reading the docs wrt to data flow cleanse rules but I was not able to get a clean report wrt CommandInjection vuln being reported for the above (renamed the class file):

"The method start() in OurProcess.java calls ProcessBuilder() to execute a command. This call might allow an attacker to inject malicious commands."

I have a custom rule for which am not seeing any result from the above snippet:

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>.....</RulePackID>
    <SKU>.....</SKU>
    <Name><![CDATA[...l]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[]]></Description>
    <Rules version="22.2.1">

            <DataflowCleanseRule formatVersion="22.2.1" language="java">
                <RuleID>....</RuleID>
                <TaintFlags>+VALIDATED_COMMAND_INJECTION</TaintFlags>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Pattern>....Some valid package for Validator......</Pattern>
                    </NamespaceName>
                    <ClassName>
                        <Pattern>Validator</Pattern>
                    </ClassName>
                    <FunctionName>
                        <Pattern>cleanseCommand</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
                <OutArguments>return</OutArguments>
            </DataflowCleanseRule>

    </RuleDefinitions>
    </Rules>
</RulePack>

Anyone can point out what am I doing wrong? Really appreciate any help or hint. I use audit workbench after sourceanalyzer -scan to verify the whole thing.