I am utilizing SpotBugs to help review an Oracle ADF application for errors and vulnerabilities prior to deployment. Two of the malicious code vulnerability warnings SpotBugs finds are:
- "classname may expose internal representation by returning fieldname"
- "classname may expose internal representation by storing an externally mutable object into fieldname".
I understand that a caller could alter the object undesirably in some way, and that this could be prevented by returning or setting a copy of the object. That situation and its resolutions are explained in other questions, like "Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object".
Are there other specific security risks of exposing internal representation that would need to be addressed if copying the object is undesirable?
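As an added illustration (written for this page, not taken from the question or from any ADF code), the classes below show the aliasing that the two SpotBugs warnings (EI_EXPOSE_REP for the getter, EI_EXPOSE_REP2 for the setter/constructor) point at, the defensive-copy fix the question mentions, and the usual alternative when copying on every call is undesirable: copy once at construction and hold the state in an immutable form. The class and field names (`LeakyAccount`, `roles`, `expires`, etc.) are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Hypothetical names chosen for this example; not from the question or any real ADF class.
public class InternalRepresentationDemo {

    // "Before": stores and returns the live mutable objects. This is the shape
    // SpotBugs reports as EI_EXPOSE_REP2 (constructor) and EI_EXPOSE_REP (getters).
    static class LeakyAccount {
        private final List<String> roles;
        private final Date expires;

        LeakyAccount(List<String> roles, Date expires) {
            this.roles = roles;      // caller keeps a reference and can still change it
            this.expires = expires;  // java.util.Date is mutable
        }
        List<String> getRoles() { return roles; }   // hands out the internal list itself
        Date getExpires() { return expires; }       // hands out the internal Date itself
    }

    // Fix 1: defensive copies on the way in and on the way out.
    static class CopyingAccount {
        private final List<String> roles;
        private final Date expires;

        CopyingAccount(List<String> roles, Date expires) {
            this.roles = new ArrayList<>(roles);
            this.expires = new Date(expires.getTime());
        }
        List<String> getRoles() { return new ArrayList<>(roles); }  // fresh copy per call
        Date getExpires() { return new Date(expires.getTime()); }
    }

    // Fix 2: copy once at construction, then keep only immutable state, so the
    // getters can return the field directly without a per-call copy.
    static class ViewAccount {
        private final List<String> roles;           // unmodifiable wrapper over a private copy
        private final long expiresEpochMillis;      // primitive instead of a mutable Date

        ViewAccount(List<String> roles, Date expires) {
            this.roles = Collections.unmodifiableList(new ArrayList<>(roles));
            this.expiresEpochMillis = expires.getTime();
        }
        List<String> getRoles() { return roles; }   // callers cannot mutate this view
        long getExpiresEpochMillis() { return expiresEpochMillis; }
    }

    public static void main(String[] args) {
        // Constructed sample input: a caller-owned list and date handed to each class.
        List<String> callerRoles = new ArrayList<>(Arrays.asList("user"));
        Date callerDate = new Date(0L);

        LeakyAccount leaky = new LeakyAccount(callerRoles, callerDate);
        CopyingAccount copying = new CopyingAccount(callerRoles, callerDate);
        ViewAccount view = new ViewAccount(callerRoles, callerDate);

        // The caller mutates its own objects after handing them over...
        callerRoles.add("admin");
        callerDate.setTime(Long.MAX_VALUE);
        // ...and mutates what the getter returned.
        leaky.getRoles().add("superuser");
        copying.getRoles().add("superuser");   // only changes the returned copy

        System.out.println("leaky roles:   " + leaky.getRoles() + " expires=" + leaky.getExpires().getTime());
        System.out.println("copying roles: " + copying.getRoles() + " expires=" + copying.getExpires().getTime());
        System.out.println("view roles:    " + view.getRoles() + " expires=" + view.getExpiresEpochMillis());

        try {
            view.getRoles().add("superuser");
        } catch (UnsupportedOperationException e) {
            System.out.println("view roles are read-only: mutation rejected");
        }
    }
}
```

Running `main` shows the leaky instance reflecting every change the caller made, while the copying and view instances still hold `[user]` and an expiry of `0`. The view approach trades the per-call copy for a single copy at construction plus an unmodifiable wrapper; a separate question is whether the SpotBugs version in your build still reports the wrapper-returning getter, which is worth checking against your own analysis output rather than assuming.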