Is Joda DateTime Vulnerable?
Our Fortify scan (SCS - 220.127.116.1109) produces hundreds of Critical issues against our Java/Wicket project. A significant number of these are false positives. I know we can annotate or audit these away but some, at least, I think shouldn’t really be reported in the first place.
One example is with a method returning a Joda DateTime object. This has come from the database and is basically a timestamp of when the user performed an action. I don’t really expect Fortify to appreciate that, it’s more the fact that it’s a DateTime object that can’t contain anything but a valid date & time. Why does Fortify flag that?
Annotating that one getter removes 58 of our issues but we’re reluctant to use annotations as it could introduce some bad practice and the need for another monitoring process.
Is there something that can be done about this or do we just have to deal with it at our end?
Re: Is Joda DateTime Vulnerable?
In order to provide a definitive answer, we would need to see the code and the analysis trace evidence.
But here are some things to consider.
- Check and see if Joda is a supported library/framework by Fortify SCA. If Fortify SCA does not support it, then more than likely there are no rules for Fortify to know what is going on with Joda.
- Consider writing a Cleanse Rule for data returned by one of the Joda functions that you use.
- Fortify SCA takes the stance that, by default, data that comes from external resources, like a database, is not trusted.
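To illustrate the cleanse-rule suggestion above, here is an added example of a custom rule pack that tells Fortify SCA to drop taint from values returned by org.joda.time.DateTime accessors; it is not code from either poster. The element names follow the Fortify custom-rules XML format as I know it, but the IDs are placeholders and the exact schema/formatVersion should be checked against the Custom Rules Guide for your SCA version before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original posts): a deliberately narrow cleanse rule pack
     for Joda DateTime. RulePackID, SKU and RuleID are placeholders; replace them with
     your own unique values before loading the pack. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>PLACEHOLDER-RULEPACK-ID</RulePackID>
  <SKU>PLACEHOLDER-SKU-joda-datetime-cleanse</SKU>
  <Name>Joda DateTime cleanse (custom)</Name>
  <Version>1.0</Version>
  <Description>Marks values returned by org.joda.time.DateTime accessors as untainted:
  a DateTime holds only an instant and a chronology, so it cannot carry an
  attacker-controlled string even when the row it was built from came from the
  database.</Description>
  <Rules>
    <RuleDefinitions>
      <!-- Cleanse rule: data flowing out of the matched methods loses its taint flags,
           so dataflow findings that depend only on this return value are no longer reported. -->
      <DataflowCleanseRule formatVersion="3.2" language="java">
        <RuleID>PLACEHOLDER-RULE-ID-0001</RuleID>
        <FunctionIdentifier>
          <!-- Pattern elements are regular expressions, hence the escaped dots. -->
          <NamespaceName><Pattern>org\.joda\.time</Pattern></NamespaceName>
          <ClassName><Pattern>DateTime</Pattern></ClassName>
          <!-- Scope kept to accessors only; formatting methods that accept a caller-supplied
               pattern string are intentionally left out so their findings are still tracked. -->
          <FunctionName><Pattern>get.*|toDate|toDateTime</Pattern></FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- Only the return value is cleansed; arguments keep whatever taint they had. -->
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Note that the database result set itself stays tainted: string columns read by the same DAO are still tracked, which is the behaviour you want since those can carry real injection or XSS payloads.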