Posted to dev@directory.apache.org by GitBox <gi...@apache.org> on 2018/07/26 20:03:23 UTC

[GitHub] smoyer64 commented on issue #13: Add OWASP suppression to ignore false positives

URL: https://github.com/apache/directory-scimple/pull/13#issuecomment-408218391
 
 
   Restfuse is no longer supported and I'll be moving compliance tests to a different framework at some point.  In any case, restfuse should have been test-scoped in the parent POM, which would have resulted in OWASP ignoring it (since it's not a run-time dependency).  I'll test that this works tomorrow morning and push an alternate change.
   
   In general I'm not a fan of using the suppression files except for dependencies that are truly false positives.  In theory, these should be submitted to the OWASP maintainers so that they're included in their global suppression file.  E.g., the OAuth2 library we use also supports OpenID Connect.  One of the OWASP rules marks anything with the word openid in it as vulnerable to the unrepairable OpenID problem.  But OpenID Connect is flagged even though it's completely different.
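As an added illustration (not code from this pull request or from the directory-scimple project), this is what a narrowly scoped dependency-check suppression for the OpenID Connect false positive described above could look like. The artifact coordinates org.example/oidc-client and the CPE cpe:/a:openid:openid are placeholders standing in for whatever the scan actually reports; the file name owasp-suppressions.xml is likewise an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml (illustrative, not the project's own file) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: this artifact implements OpenID Connect, not OpenID 2.0.
      dependency-check keys on the "openid" token and assigns the OpenID CPE,
      whose CVEs do not apply to an OIDC client.
      The coordinates and CPE here are placeholders for what the scan reports.
    ]]></notes>
    <!-- Limit the suppression to this one artifact (any version) ... -->
    <packageUrl regex="true">^pkg:maven/org\.example/oidc\-client@.*$</packageUrl>
    <!-- ... and to the single mis-assigned CPE, so any other CPE that is
         later matched to the artifact still produces a finding. -->
    <cpe>cpe:/a:openid:openid</cpe>
  </suppress>
</suppressions>
```

Pairing a packageUrl pattern with the matched CPE suppresses only the bogus CPE assignment for that one artifact; a bare `<cpe>` entry with no package selector would silence that CPE for every dependency in the build. For the restfuse case, declaring it with `<scope>test</scope>` is sufficient on its own, because the dependency-check-maven plugin's skipTestScope setting defaults to true; the suppression file is wired into the plugin with `<suppressionFiles><suppressionFile>owasp-suppressions.xml</suppressionFile></suppressionFiles>` in its `<configuration>` block.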

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services