A Security Control has been defined, but it doesn't appear to be taking effect and vulnerabilities involving the control are still being reported.
The most common cause of an ineffective Security Control is a misconfigured one, usually an incorrectly specified method signature. The following are real-world examples of incorrectly specified method signatures:
Example-1: An object is used
The parameter being validated/sanitized must be a String. In this case the user had instead specified an Object.
Valid types are
Example-2: Generics and shorthand are used in the signature
com.acme.controller.CheckSSNServlet.validateUpdateRecords(HttpServletRequest, List<String>, java.lang.String*)
There are a couple of issues with this case. Generics were used in the signature,
List<String>, which shouldn't be included because they're a compiler construct and are not present at runtime.
Classes and packages need to be fully written out; shorthand can't be used.
List<String> should be
HttpServletRequest should be
Example-3: Not adhering to the correct case
The method signature is case sensitive; however, the following cites
Java.lang.string instead of the correct
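To make the three pitfalls above concrete, here is a small lint for Security Control signatures. It is an added example written for this page, not part of the product or its own validation logic. It assumes the signature shape used in Example-2 (`package.Class.method(type, type*)`, with `*` marking the validated parameter), that the validated parameter must be `java.lang.String`, and that a small, hand-picked table of standard Java/Servlet classes (`java.util.List`, `javax.servlet.http.HttpServletRequest`) is enough to suggest fully qualified replacements for the shorthand seen in the examples. Signatures with generics, shorthand class names, wrong case, or a non-String validated parameter are reported together with a corrected form.

```python
from __future__ import annotations
import re

# The validated/sanitized parameter is marked with a trailing '*' and must be a
# fully qualified java.lang.String (from the corrected signature in Example-2).
MARKED_TYPE = "java.lang.String"

# Fully qualified names used to expand shorthand. These are standard Java and
# Servlet classes; choosing this table is an assumption of the example, not a
# list taken from the page.
KNOWN_FQN = {
    "HttpServletRequest": "javax.servlet.http.HttpServletRequest",
    "List": "java.util.List",
    "String": "java.lang.String",
}
# Lower-cased lookup so wrong-case spellings (Example-3) can be recognised.
KNOWN_BY_LOWER = {v.lower(): v for v in KNOWN_FQN.values()}

SIGNATURE_RE = re.compile(r"^(?P<method>[A-Za-z_][\w.]*)\((?P<params>.*)\)$")
GENERIC_RE = re.compile(r"<[^<>]*>")


def strip_generics(text: str) -> str:
    """Remove generic arguments such as <String> or Map<K, V>, innermost first."""
    while GENERIC_RE.search(text):
        text = GENERIC_RE.sub("", text)
    return text


def check_signature(signature: str) -> tuple[list[str], str]:
    """Lint a Security Control method signature.

    Returns (problems, corrected_signature). Problems cover the pitfalls in the
    text: a non-String validated parameter, generics in the parameter list,
    shorthand class names, and wrong case in a fully qualified name. The
    correction is best effort: shorthand is only expanded for names in KNOWN_FQN.
    """
    problems: list[str] = []
    m = SIGNATURE_RE.match(signature.strip())
    if not m:
        return ["signature must look like package.Class.method(type, type*)"], signature
    method, raw_params = m.group("method"), m.group("params")

    if GENERIC_RE.search(raw_params):
        problems.append("generics are a compiler construct; remove <...> from the signature")
        raw_params = strip_generics(raw_params)

    fixed_params: list[str] = []
    marked_seen = False
    for param in (p.strip() for p in raw_params.split(",") if p.strip()):
        marked = param.endswith("*")
        base = param.rstrip("*").strip()
        if "." not in base:
            # Shorthand: no package prefix at all.
            fixed = KNOWN_FQN.get(base)
            if fixed is None:
                problems.append(f"'{base}' is shorthand; write the fully qualified class name")
                fixed = base
            else:
                problems.append(f"'{base}' is shorthand; use '{fixed}'")
        elif base.lower() in KNOWN_BY_LOWER and base != KNOWN_BY_LOWER[base.lower()]:
            # Right class, wrong case: the signature is case sensitive.
            fixed = KNOWN_BY_LOWER[base.lower()]
            problems.append(f"'{base}' has the wrong case; use '{fixed}'")
        else:
            fixed = base
        if marked:
            marked_seen = True
            if fixed != MARKED_TYPE:
                problems.append(f"validated parameter '{base}' must be {MARKED_TYPE}")
        fixed_params.append(fixed + ("*" if marked else ""))

    if not marked_seen:
        problems.append("no parameter is marked with '*' as the value being validated")
    return problems, f"{method}({', '.join(fixed_params)})"


if __name__ == "__main__":
    # The signature from Example-2, reproduced from the text above.
    bad = ("com.acme.controller.CheckSSNServlet.validateUpdateRecords"
           "(HttpServletRequest, List<String>, java.lang.String*)")
    found, corrected = check_signature(bad)
    for line in found:
        print("-", line)
    print("corrected:", corrected)
```

Running the block on the Example-2 signature reports the generics, both shorthand class names, and prints the fully qualified form; a signature such as `com.acme.Foo.bar(Java.lang.string*)` is flagged for case only, and `com.acme.Foo.bar(java.lang.Object*)` is flagged because the validated parameter is not a String.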