HPE Fortify complains my application has a Struts 2 issue (11512), but I don't use Struts 2 at all.

As the subject, HPE Forify complains a phantom high issue regarding the Struts 2, but I don't use Struts 2 at all.   Is it a bug of Fortify?  How do I solve it (I am challenged by my customers badly)?

Here is the details from the report

OGNL Expression Injection: Dynamic Method Invocation ( 11512 )
CWE: 94,95
Upgrade to the latest Struts 2 version and disable the "Dynamic Method Invocation" feature in the Struts 2 configuration. In
order to disable this feature use the struts.enable.DynamicMethodInvocation property either as a Struts 2 property
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
or in struts.properties:
struts.enable.DynamicMethodInvocation = false
or in web.xml include this init-param node in the Struts 2 filter:

  • Is it repeatable when you use "Review Vulnerability" and then "Retest"?  If so try using the option there to intercept the traffic using a proxy and you will see exactly what constitutes the finding.  If you're having difficulty interpreting what you see then I would suggest opening a support case.

  • As a quick refresher  --   You can open the Review Vulnerability tool by double-clicking on the Vulnerability as it is listed in the bottom Summary Information pane, or via a right-click menu found on the same listed item.  To hook this review tool through a proxy, such as the included Web Proxy, you must first edit the Current Scan settings to point to the proxy listener port that you will be running.  This is found under the Edit menu > Current Scan Settings > Proxy panel.