Is Joda DateTime Vulnerable?
Our Fortify scan (SCS - 220.127.116.1109) produces hundreds of Critical issues against our Java/Wicket project. A significant number of these are false positives. I know we can annotate or audit these away but some, at least, I think shouldn’t really be reported in the first place.
One example is with a method returning a Joda DateTime object. This has come from the database and is basically a timestamp of when the user performed an action. I don’t really expect Fortify to appreciate that, it’s more the fact that it’s a DateTime object that can’t contain anything but a valid date & time. Why does Fortify flag that?
Annotating that one getter removes 58 of our issues but we’re reluctant to use annotations as it could introduce some bad practice and the need for another monitoring process.
Is there something that can be done about this, or do we just have to deal with it at our end?