Audit finding C2 — theoretical, LOW-MEDIUM.
Session uses raw epoch millis for seq and Math.abs for duration (sentry/src/main/java/io/sentry/Session.java):
seq is set from getSequenceTimestamp(), which returns timestamp.getTime() (raw epoch millis) — Session.java:309, invoked from the session-update path at :227. A backward clock step between updates → the newer update has a smaller seq → the server can discard the latest session state (lost end/error counts).
calculateDurationTime uses Math.abs(timestamp.getTime() - started.getTime()) (Session.java:240), which masks negative durations rather than surfacing them.
Source: JAVA-557 §C2.
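The two behaviours described above, reproduced as an added example that is not taken from Session.java or the Sentry code base. The class and method names, the sample timestamps and the monotonicSeq guard are assumptions made for illustration.

```java
import java.util.concurrent.TimeUnit;

// Added illustration; all names here are hypothetical, not Sentry's API.
public class SeqClockStepDemo {

    // Pattern from the finding: seq is the raw wall-clock epoch millis.
    static long wallClockSeq(long wallMillis) {
        return wallMillis;
    }

    // One possible guard (assumption, not the project's fix):
    // seq never moves backwards even if the wall clock does.
    static long monotonicSeq(long previousSeq, long wallMillis) {
        return Math.max(previousSeq + 1, wallMillis);
    }

    // Pattern from the finding: abs() discards the sign of the difference.
    static double maskedDurationSeconds(long startedMillis, long nowMillis) {
        return Math.abs(nowMillis - startedMillis) / 1000.0;
    }

    // Signed variant: a negative value exposes the backward clock step.
    static double signedDurationSeconds(long startedMillis, long nowMillis) {
        return (nowMillis - startedMillis) / 1000.0;
    }

    public static void main(String[] args) {
        // Constructed timestamps: session start, one update, then a
        // second update taken after the wall clock stepped back 2 minutes.
        long started = 1_700_000_000_000L;
        long firstUpdate = started + 5_000;
        long secondUpdate = firstUpdate - TimeUnit.MINUTES.toMillis(2);

        long raw1 = wallClockSeq(firstUpdate);
        long raw2 = wallClockSeq(secondUpdate);
        System.out.println("raw seq regressed: " + (raw2 < raw1));

        long guarded1 = monotonicSeq(0, firstUpdate);
        long guarded2 = monotonicSeq(guarded1, secondUpdate);
        System.out.println("guarded seq regressed: " + (guarded2 < guarded1));

        System.out.println("masked duration (s): "
            + maskedDurationSeconds(started, secondUpdate));
        System.out.println("signed duration (s): "
            + signedDurationSeconds(started, secondUpdate));
    }
}
```

With the raw seq, the second update sorts before the first, which is the condition under which a receiver keeping the highest seq drops the newer state. The masked duration comes out as a plausible positive number, while the signed one is negative and can be detected.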