smoyer64 commented on issue #13: Add OWASP suppression to ignore false positives
URL: https://github.com/apache/directory-scimple/pull/13#issuecomment-408218391

Restfuse is no longer supported and I'll be moving compliance tests to a
different framework at some point. In any case, restfuse should have been test
scoped in the parent POM, which would have resulted in OWASP ignoring it (since
it's not a run-time dependency). I'll test that this works tomorrow morning
and push an alternate change.

In general I'm not a fan of using the suppression files except for
dependencies that are truly false positives. In theory, these should be
submitted to the OWASP maintainers so that they're included in their global
suppression file. E.g., the OAuth2 library we use also supports OpenID
Connect. One of the OWASP rules marks anything with the word openid in it as
vulnerable to the unrepairable OpenID problem. But OpenID Connect is flagged
even though it's completely different.
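The two approaches contrasted in the comment, as an added illustration that is not part of the pull request or the project's own build files: a parent-POM fragment that test-scopes the unsupported test library so OWASP dependency-check skips it, next to a narrowly targeted suppression entry for the OpenID Connect false positive. The artifact coordinates, the CPE string and the file paths are placeholders and assumptions, not values taken from the project.

```xml
<!-- Parent pom.xml (fragment). Test-scoped dependencies are skipped by
     dependency-check-maven because skipTestScope defaults to true, so the
     unsupported test library never reaches the vulnerability report. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>PLACEHOLDER.restfuse.groupId</groupId>     <!-- assumption -->
        <artifactId>PLACEHOLDER.restfuse.artifactId</artifactId>
        <version>PLACEHOLDER</version>
        <scope>test</scope>   <!-- not a run-time dependency: not scanned -->
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <skipTestScope>true</skipTestScope>  <!-- explicit; same as default -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Suppressions are the exception, not the rule: only for true
               false positives, each with a note explaining why. -->
          <suppressionFile>owasp-suppressions.xml</suppressionFile>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

<!-- owasp-suppressions.xml: one entry, scoped to a single artifact and a
     single mis-matched CPE, so unrelated findings are never hidden. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>
      False positive: the OAuth2 client supports OpenID Connect, which is
      unrelated to the legacy OpenID 2.0 weakness this CPE describes.
      Candidate for upstream submission to the global suppression list.
    </notes>
    <!-- Hypothetical coordinates; anchored regex so it cannot over-match. -->
    <gav regex="true">^org\.example:oauth2-openid-connect-client:.*$</gav>
    <cpe>cpe:/a:openid:openid</cpe>   <!-- assumed CPE being mis-applied -->
  </suppress>
</suppressions>
```

Because the entry pins both the GAV and the CPE, a genuinely vulnerable transitive dependency that merely contains "openid" in its name would still be reported.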

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

With regards,
Apache Git Services