I get a somewhat different explanation from Fortify, since this issue usually does not refer to write (serialization), but to read (deserialization). The background is that constructors are not invoked when deserializing data, since the runtime takes care of initializing the members from the serialized data, so when you have a SecurityManager check in your constructor it is not considered when an instance is created by deserializing.
Anyway, to your question: if you have analyzed the issue and have come to the conclusion that it is not an issue, you can mark it as such while auditing the issue. This is possible both in Fortify SSC (the central Fortify server) and in the Audit Workbench (AWB). In Fortify SSC, go to your issue list, select "View Details" on the particular issue, and in the lower left corner select "Analysis: Not an Issue". Similar options exist in AWB.
If you are doing subsequent scans and upload them to the server (or merge them using AWB), Fortify recognizes that this issue has been audited and marked as "not an issue" earlier and keeps the "not an issue" information.
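The constructor bypass described in the answer above, as an added, self-contained Java example (this is not code from the original post or from Fortify). The permission name `demo.createPrivileged` and the class names are constructed for the demo. The conventional fix shown, repeating the check in a private `readObject` method, is my addition; the runtime behaviour it relies on (deserialization never calls the constructor of a `Serializable` class, but does call `readObject` if present) is standard Java serialization. `SecurityManager` is deprecated for removal since JDK 17; on JDK 18 to 23 run with `-Djava.security.manager=allow`, and on JDK 24+ the class can no longer be enabled at all.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Permission;

public class SerializationBypassDemo {

    // Constructed permission for the demo; any RuntimePermission name would do.
    static final Permission ADMIN = new RuntimePermission("demo.createPrivileged");

    // A Serializable class that guards construction with a SecurityManager check.
    static class Privileged implements Serializable {
        private static final long serialVersionUID = 1L;
        final String secret;

        Privileged(String secret) {
            checkPermission();          // enforced on normal construction...
            this.secret = secret;
        }

        // ...but deserialization never calls the constructor, so the guard has
        // to be repeated here. Delete this method to observe the bypass: the
        // object below will then be created although the manager denies it.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            checkPermission();
            in.defaultReadObject();
        }

        private static void checkPermission() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(ADMIN);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Serialize while no SecurityManager is installed, so creation is allowed.
        //    In a real attack these bytes would come from an untrusted source.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Privileged("s3cr3t"));
        }
        byte[] bytes = bos.toByteArray();

        // 2. Install a SecurityManager that denies only our demo permission.
        //    (JDK 18-23 need -Djava.security.manager=allow for this call.)
        System.setSecurityManager(new SecurityManager() {
            @Override public void checkPermission(Permission perm) {
                if (ADMIN.implies(perm)) {
                    throw new SecurityException("denied: " + perm.getName());
                }
                // everything else is allowed in this demo
            }
            @Override public void checkPermission(Permission perm, Object context) {
                checkPermission(perm);
            }
        });

        // 3. Direct construction is blocked by the check in the constructor.
        try {
            new Privileged("again");
            System.out.println("constructor: ALLOWED (unexpected)");
        } catch (SecurityException e) {
            System.out.println("constructor: blocked -> " + e.getMessage());
        }

        // 4. Deserialization skips the constructor entirely. Only readObject
        //    stands between the serialized bytes and a live instance.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Privileged p = (Privileged) ois.readObject();
            System.out.println("deserialization: ALLOWED, secret=" + p.secret);
        } catch (SecurityException e) {
            System.out.println("deserialization: blocked -> " + e.getMessage());
        }
    }
}
```

With `readObject` in place both paths print "blocked"; with it removed, step 3 is still blocked but step 4 yields a fully initialized `Privileged` instance, which is exactly the gap the Fortify finding points at. Classes that use `readResolve` or `Externalizable` need the same check in those hooks, since they are the only code that runs during deserialization.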