chipsNcider

Is Joda DateTime Vulnerable?

Hi,

Our Fortify scan (SCS - 19.1.3.3009) produces hundreds of Critical issues against our Java/Wicket project. A significant number of these are false positives. I know we can annotate or audit these away but some, at least, I think shouldn’t really be reported in the first place.


One example is with a method returning a Joda DateTime object. This has come from the database and is basically a timestamp of when the user performed an action. I don’t really expect Fortify to appreciate that, it’s more the fact that it’s a DateTime object that can’t contain anything but a valid date & time. Why does Fortify flag that?


Annotating that one getter removes 58 of our issues but we’re reluctant to use annotations as it could introduce some bad practice and the need for another monitoring process.


Is there something that can be done about this or do we just have to deal with it at our end?


Cheers,
