New Member.

Is Joda DateTime Vulnerable?


Our Fortify scan (SCS - produces hundreds of Critical issues against our Java/Wicket project. A significant number of these are false positives. I know we can annotate or audit these away but some, at least, I think shouldn’t really be  reported in the first place.


One example is with a method returning a Joda DateTime object. This has come from the database and is basically a timestamp of when the user performed an action. I don’t really expect Fortify to appreciate that, it’s more the fact that it’s a DateTime object that can’t contain anything but a valid date & time. Why does Fortify flag that?


Annotating that one getter removes 58 of our issues but we’re reluctant to use annotations as it could introduce some bad practice and the need for another monitoring process.


Is there something that can be done about this or do we just have to deal with at our end?



Tags (2)
1 Reply
Micro Focus Contributor
Micro Focus Contributor

Re: Is Joda DateTime Vulnerable?

@chipsNcider ,


In order to provide a definitive answer, we would need to see the code and the analysis trace evidence.


But here are some things to consider.

  • Check and see if Joda is a supported library/framework by Fortify SCA. If Fortify SCA does not support it, then more than likely there are no rules for Fortify to know what is going on with Joda.
  • Consider writing a Cleanse Rule for data returned by one of the Joda functions that you use.
  • Fortify SCA takes the stance that, by default, data that comes from external resources, like a database, is not trusted.



The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.