
I could answer this better if you specified exactly what you mean by Checkmarx Violation. But I can say one thing: exposing model structure may be something that some developers are reluctant to do, but on the other hand, no one can have any idea whether the received representation is the back-end model instance or a DTO instance. So, I would assume, there is no data-protection / safety violation in the case of returning the instance of an Entity.


Giorgi Tsiklauri

Written by Giorgi Tsiklauri

Software engineer, architect, lecturer; long while w/ computers and music; interested in software design, computer networks, composition, security and privacy.
