Never use the clone method for defensive copying of untrusted method parameters. Making defensive copies of mutable parameters mitigates against a variety of security vulnerabilities; see FIO00-J. Defensively copy mutable inputs and mutable internal components for additional information. However, inappropriate use of the clone method can allow an attacker to exploit vulnerabilities by providing arguments that pass initial validation but subsequently return unexpected values. Such objects may consequently bypass validation and security checks. Never use the clone method to make defensive copies of objects that are instances of classes that both are non-final nonfinal and also provide a clone() method.
Noncompliant Code Example
...
The storeDateinDB() method accepts an untrusted date argument and attempts to make a defensive copy using the clone() method. The attacker can override the getTime() method so that it passes validation when called for the first time , but provides an unexpected value when it is used a second time.
...
Using the clone() method to copy untrusted arguments affords to attackers the opportunity to bypass validation and security checks.
...