Fortify high: Access specifier manipulation on reflection that is used to invoke a private constructor

Question

I used reflection to invoke a private constructor of a class in order to solve insufficient branch coverage issue shown by sonar scan report. This is the snippet of my code I was working:

// reflection to access a private constructor of a class
        Constructor<CMISBridgeMaps> c = CMISBridgeMaps.class.getDeclaredConstructor(new Class[0]);
        c.setAccessible(true);
        cmisBridgeMaps = c.newInstance(new Object[0]);

The above code solved my sonar scan critical issue. But unfortunately fortify is now showing the Access specifier manipulation issue on the following line:

c.setAccessible(true);

How can I solve both fortify and sonarcube issues? Any help would be greatly appreciated.

Answer 1

If you use Spring, you can use ReflectionUtils.makeAccessible(field) to make that field accessible. Fortify does not complain about this tweak.

You can read more about this in this article.

Answer 2

I believe you do not need to run fortify scan on your UNIT TCs. As they are written to verify your code and they do not run into your production/actual environment.