Fortify high: Access specifier manipulation on reflection that is used to invoke a private constructor

I used reflection to invoke a private constructor of a class in order to solve an insufficient branch coverage issue shown by the Sonar scan report. This is the snippet of code I was working on:

    // reflection to access a private constructor of a class
    Constructor<CMISBridgeMaps> c = CMISBridgeMaps.class.getDeclaredConstructor(new Class[0]);
    c.setAccessible(true);
    cmisBridgeMaps = c.newInstance(new Object[0]);

The above code solved my Sonar scan critical issue. But unfortunately Fortify is now showing the Access Specifier Manipulation issue on the following line:

    c.setAccessible(true);

How can I solve both the Fortify and SonarQube issues? Any help would be greatly appreciated.

Vijaya Pandey asked Jan 26 '17 17:01


2 Answers

If you use Spring, you can use ReflectionUtils.makeAccessible(field) to make that field accessible. Fortify does not complain about this tweak.

You can read more about this in this article.

Vidyasagar Gayakwad answered Sep 17 '22 10:09
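The constructor case from the question, written with the `Constructor` overload of Spring's `ReflectionUtils.makeAccessible`, as an added example that is not part of the original answers. `BridgeMaps` and `NoInstances` are hypothetical stand-ins for `CMISBridgeMaps`, the `instantiate` helper is an assumption of this example, and spring-core is assumed to be on the test classpath.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import org.springframework.util.ReflectionUtils;

public class PrivateConstructorCoverage {

    // Hypothetical stand-in for the question's CMISBridgeMaps.
    static final class BridgeMaps {
        private BridgeMaps() { }
    }

    // Hypothetical utility class whose private constructor refuses to run.
    static final class NoInstances {
        private NoInstances() {
            throw new UnsupportedOperationException("utility class");
        }
    }

    // Test-only helper: call the no-arg constructor regardless of its modifier.
    static <T> T instantiate(Class<T> type) throws Exception {
        Constructor<T> ctor = type.getDeclaredConstructor();
        // Calls setAccessible(true) internally, only if ctor is not already accessible.
        ReflectionUtils.makeAccessible(ctor);
        try {
            return ctor.newInstance();
        } catch (InvocationTargetException e) {
            // The constructor body ran and threw; surface its own exception.
            if (e.getCause() instanceof Exception) {
                throw (Exception) e.getCause();
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(instantiate(BridgeMaps.class) != null);
        try {
            instantiate(NoInstances.class);
        } catch (UnsupportedOperationException expected) {
            System.out.println("constructor covered: " + expected.getMessage());
        }
    }
}
```

Because the wrapper performs the same `setAccessible(true)` call, the helper belongs under the test source tree so the access change never ships with production code.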


I believe you do not need to run a Fortify scan on your unit TCs, as they are written to verify your code and they do not run in your production/actual environment.

Ankit Katiyar answered Sep 20 '22 10:09