We are creating a ReactJS-based application and are using CesiumJS for 3D visualization. We ran a required Fortify scan against our codebase and the majority of our Critical and High findings came from CesiumJS. These may, or may not, be false findings.
Have you, or do you plan to, addressed Fortify findings?
Fortify generates nothing but false positives for Cesium and can be safely ignored. If you feel that one of the warnings is legitimate, please provide details and we can address it (or explain why it is a false positive).
I am, sadly, far too familiar with both Fortify and Cesium.
My first observation is that unless you have a specific requirement to do so, you shouldn’t be scanning Cesium itself, as it’s a third-party library and not directly part of your application.
Second, my memory of the kinds of findings Fortify shows for Cesium is that it’s things like “Math.random should not be used for cryptographic purposes”, and “these AJAX calls could lead to Bad Things ™ happening”. All of those findings can be safely suppressed. Cesium isn’t doing anything cryptographic, and AJAX calls are both necessary for Cesium to work properly (fetching imagery and terrain tiles, etc.) and a core part of how any modern web app works anyway.
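One way to turn the advice in this reply into a repeatable, documented triage step, as an added example that is not code from the thread or from Cesium: findings located inside the third-party library are split out from application findings, and only the Cesium Math.random and AJAX/XHR categories discussed above are auto-marked as false positives, with the reason recorded. The path prefixes, category labels and finding objects are constructed sample data, not real Fortify output.

```javascript
// Added example (not from the thread or Cesium): triage a Fortify-style findings
// export. Third-party library findings are separated from application code, and
// only Cesium's randomness and AJAX/XHR findings are auto-suppressed, with the
// reason kept so the suppression is auditable. Sample data is constructed.

const THIRD_PARTY_PREFIXES = ["node_modules/cesium/", "Build/Cesium/"]; // assumed layout

function isThirdParty(file) {
  return THIRD_PARTY_PREFIXES.some((p) => file.startsWith(p));
}

// Returns { disposition, reason } for one finding of shape { file, category, line }.
function triageFinding(f) {
  if (!isThirdParty(f.file)) {
    // Application code is never auto-suppressed: a Math.random finding in your own
    // session or token code is exactly the kind that must be reviewed by a human.
    return { disposition: "review", reason: "application code" };
  }
  const cat = f.category.toLowerCase();
  if (cat.includes("random")) {
    return { disposition: "false-positive",
             reason: "Cesium does not use Math.random for cryptographic purposes" };
  }
  if (/ajax|xhr|xmlhttprequest|request/.test(cat)) {
    return { disposition: "false-positive",
             reason: "network fetches are required for imagery and terrain tiles" };
  }
  // Any other library finding: outside the application scan; raise upstream if believed real.
  return { disposition: "out-of-scope", reason: "third-party library code" };
}

// Counts dispositions so the report shows how many findings were suppressed and why.
function summarize(findings) {
  const counts = { review: 0, "false-positive": 0, "out-of-scope": 0 };
  for (const f of findings) counts[triageFinding(f).disposition] += 1;
  return counts;
}

// Constructed sample findings (category labels and paths are illustrative only).
const SAMPLE_FINDINGS = [
  { file: "node_modules/cesium/Source/Core/example.js", category: "Insecure Randomness", line: 10 },
  { file: "node_modules/cesium/Source/Core/example.js", category: "Unvalidated AJAX Request", line: 20 },
  { file: "node_modules/cesium/Source/Core/example.js", category: "Path Manipulation", line: 30 },
  { file: "src/auth/session.js", category: "Insecure Randomness", line: 5 },
];

console.log(summarize(SAMPLE_FINDINGS)); // { review: 1, 'false-positive': 2, 'out-of-scope': 1 }
```

The summary counts feed the scan report, while each `reason` string can be pasted into the Fortify suppression comment so the justification travels with the finding.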