I won't merge this due to the false positives. It reports a "critical" XXE vulnerability which does not exist because a safe resolver is being used, and labels 29 assignments as "high-severity Implicit narrowing conversion in compound assignment" when I do not think that they have any security implication.
Floating point overflows aren't a problem, and integer overflows aren't an issue in Java as they are in C/C++. There is no pointer arithmetic and array indexes are guaranteed to be safe. So integer overflows cannot be exploited in the same way that they are in C/C++. Those have the potential of being a normal bug (very rarely a security bug) but certainly not a "high severity vulnerability".
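To make the two points above concrete, here is a small Java example added for this page; it is not code from the PR or from the project under review, and the class name, method names and sample inputs are constructed for illustration. It shows what the "implicit narrowing conversion in compound assignment" finding is actually flagging (silent wraparound, no memory effect), that an overflowed index is caught by the JVM's bounds check rather than reaching adjacent memory, and what a parser configuration that rules out XXE looks like, so that a reviewer can check whether the scanner's "critical" XXE claim survives contact with the code.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class ReviewExamples {

    // (1) Implicit narrowing in compound assignment: `s *= factor` is
    // `s = (short)(s * factor)`. The high bits are discarded silently;
    // no cast is required and the compiler does not warn.
    static short narrowedProduct(short s, int factor) {
        s *= factor;          // wraps on overflow, e.g. 1000 * 100 -> -31072
        return s;
    }

    // (2) An overflowed index cannot escape the array in Java: every array
    // access is bounds-checked by the JVM, so the worst case is an exception.
    static String accessWithOverflowedIndex(int[] data) {
        int idx = Integer.MAX_VALUE;
        idx += 1;             // wraps to Integer.MIN_VALUE, no undefined behaviour
        try {
            return "value=" + data[idx];
        } catch (ArrayIndexOutOfBoundsException e) {
            return "bounds check caught index " + idx;
        }
    }

    // (3) A parser built like this cannot be driven into XXE: DOCTYPE is refused
    // outright, external entities are disabled as a second layer, and the
    // resolver answers every lookup with an empty document.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(narrowedProduct((short) 1000, 100));            // -31072
        System.out.println(accessWithOverflowedIndex(new int[] {1, 2, 3}));

        // Constructed sample input: any DOCTYPE, even a harmless internal
        // entity, is rejected before the parser reads a single entity.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"text\">]><x>&e;</x>";
        try {
            hardenedParser().parse(new InputSource(new StringReader(withDoctype)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Document ok = hardenedParser().parse(new InputSource(new StringReader("<x>plain</x>")));
        System.out.println(ok.getDocumentElement().getTextContent());       // plain
    }
}
```

When triaging a scanner's XXE finding, the thing to verify is the factory configuration and resolver at the parse site, as in `hardenedParser()` above; a finding that ignores them is a false positive. The narrowing cases are worth a look for correctness (a truncated length or counter is still a bug), but in Java they do not turn into memory corruption the way a C integer overflow can.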