Is there a way to correct bogus code paths generated by Fortify SCA?
Scanning our product with Fortify 17.10, we are seeing numerous bogus findings based upon completely invalid code paths. The worst example comes from having base64 conversion classes in a utility jar, e.g. Base64InputStream.java. This class is being misinterpreted as applying to code using InputStream. The same exists with OutputStream, e.g. Base64OutputStream is being seen as used in place of java.io.OutputStream in terms of the code paths. Another case is hasNext().
This is extremely problematic given the number of issues being reported. It would be insane to need to rename all classes to something else to resolve this. I could understand a class named OutputStream confusing Fortify SCA as compared to java.io.OutputStream, but I cannot see how Base64OutputStream is being assumed to be OutputStream.