11

I used reflection to invoke a private constructor of a class in order to solve an insufficient branch coverage issue shown by the Sonar scan report. This is the snippet of my code I was working on:

import java.lang.reflect.Constructor;

// reflection to access a private constructor of a class
Constructor<CMISBridgeMaps> c = CMISBridgeMaps.class.getDeclaredConstructor(new Class[0]);
c.setAccessible(true);
CMISBridgeMaps cmisBridgeMaps = c.newInstance(new Object[0]);

The above code solved my Sonar scan critical issue. But unfortunately Fortify is now showing the Access Specifier Manipulation issue on the following line:

c.setAccessible(true);

How can I solve both the Fortify and SonarQube issues? Any help would be greatly appreciated.

Vijaya Pandey

4 Answers

4

If you use Spring, you can use ReflectionUtils.makeAccessible(field) to make that field accessible. Fortify does not complain about this tweak.

You can read more about this in this article.

g00glen00b
Comment: It served perfectly to solve the problem proposed by the question. And that's what matters. – Lovera Jun 29 '19 at 00:30
3

You can use Java's reflection API to solve this. Below is the solution I used for the same issue.

Field field = objectToBeUpdated.getClass().getDeclaredField("paramName");
AccessibleObject.setAccessible(new AccessibleObject[] {field}, true);

Below are the imports for the classes used above.

import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
santoshM
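As an added illustration (not code from the question or from either answer), the helper below applies the array form of setAccessible shown above to the question's use case, a unit test that covers a private utility-class constructor. It asserts the constructor really is private and restores the accessibility flag in a finally block, so the override is confined to the test and does not outlive the call; BridgeMaps is a constructed stand-in for the question's CMISBridgeMaps.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Constructor;
import java.lang.reflect.Modifier;

/** Constructed stand-in for the question's CMISBridgeMaps: a utility class with a private constructor. */
final class BridgeMaps {
    private BridgeMaps() { }
    static String describe() { return "utility"; }
}

/** Test-only helper that covers a private utility constructor without leaving it accessible. */
final class PrivateConstructorCoverage {

    static <T> T invokePrivateConstructor(Class<T> type) throws ReflectiveOperationException {
        Constructor<T> ctor = type.getDeclaredConstructor();
        // The test exists to prove the class cannot be instantiated from outside,
        // so fail loudly if the constructor is not actually private.
        if (!Modifier.isPrivate(ctor.getModifiers())) {
            throw new AssertionError(type.getName() + " constructor is not private");
        }
        // Array form of setAccessible (the overload used in the answer above);
        // the flag is reset in finally so the access override is scoped to this call.
        AccessibleObject.setAccessible(new AccessibleObject[] { ctor }, true);
        try {
            return ctor.newInstance();
        } finally {
            AccessibleObject.setAccessible(new AccessibleObject[] { ctor }, false);
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        BridgeMaps instance = invokePrivateConstructor(BridgeMaps.class);
        System.out.println("instantiated: " + (instance != null) + ", " + BridgeMaps.describe());
    }
}
```

The helper belongs in test sources only; on Java 9 and later the call still fails with InaccessibleObjectException for classes in modules that do not open the package to the test, which is the expected outcome rather than something to work around in production code.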
2

I believe you do not need to run a Fortify scan on your unit TCs, as they are written to verify your code and they do not run in your production/actual environment.

Ankit Katiyar
0

If your application follows the approach below, then you can mark this issue as a false positive.

  1. The application is using the reflection mechanism to access field values dynamically by reading configurations defined in database tables.
  2. While accessing objects, methods or input fields, the application is using a filter.
  3. Before executing untrusted code, the proper filtration process must be applied.
rawat sapna