We’re seeing Fortify 4.1 (Linux, 2014.1.0.0010) misidentify a lot of findings as singletons. Anyone have this issue or know a way to get SCA to stop doing this?
Hi Stephen, I believe this is something our research team is aware of. We have a bugfix request open which, if all goes to plan, should be included in our next rulepack release. Apologies for the inconvenience in the meantime.
Hi Stephen, what do you mean "findings as singletons"?
Does it see Singleton classes while they are not actually Singletons?
Does it report the same issue multiple times?
Hi Geert, in the bug I was referring to, in certain situations SCA will define a nested bean as a singleton even though it may not be. This has led to a number of false positive "Race Condition: Singleton Member field" issues being reported. So you shouldn't see the same issue multiple times, but you may have single issues reported which are false positives. As I say, our research group are currently working on a fix for this which is due to be included in the next rulepack release.
If you're seeing different behaviour to this please drop an email to firstname.lastname@example.org and the team will take a closer look.
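To make the finding discussed in this thread concrete, here is an added example (not code from the thread, from Fortify, or from any rulepack) showing the pattern the "Race Condition: Singleton Member Field" rule targets, its stateless fix, and a prototype-scoped bean of the kind the thread says SCA can wrongly treat as a singleton; all class, bean and field names are assumptions.

```java
// Constructed example: where a "Singleton Member Field" race is real, how it
// is fixed, and where a finding would be a false positive because the bean
// is not actually a singleton.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;

public class SingletonFieldDemo {

    // TRUE POSITIVE. Spring beans default to singleton scope, so one instance
    // serves every request. Keeping per-request data in a member field lets
    // two concurrent requests interleave: A writes currentUser, B overwrites
    // it, then A reads B's value.
    public static class SharedOrderHandler {
        private String currentUser;                 // shared by all threads

        public String handle(String user, String order) {
            this.currentUser = user;                // write by thread A
            return this.currentUser + ":" + order;  // may read thread B's user
        }
    }

    // FIXED. Keep request state in parameters and locals (each thread's own
    // stack), or in a request-scoped bean; nothing is shared between threads.
    public static class StatelessOrderHandler {
        public String handle(String user, String order) {
            return user + ":" + order;
        }
    }

    // NOT A SINGLETON. A prototype-scoped bean is created anew each time the
    // container is asked for it, so its field is not shared the way a
    // singleton's is (caveat: a prototype injected once into a singleton is
    // held for that singleton's lifetime and is shared again). The thread
    // reports SCA sometimes treating a nested bean definition like this as a
    // singleton, which is what produces the false positives it describes.
    public static class PerCallWorker {
        private String currentUser;
        public String handle(String user) { this.currentUser = user; return currentUser; }
    }

    @Configuration
    public static class Config {
        @Bean
        public StatelessOrderHandler orderHandler() { return new StatelessOrderHandler(); }

        @Bean
        @Scope("prototype")                         // one instance per lookup
        public PerCallWorker perCallWorker() { return new PerCallWorker(); }
    }
}
```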