Solved: Re: Security scanner false positive 10975 and 8788

dna_tech · ‎04-07-2019

Hi all,

I'm getting false positives for both SUPEE-10975 and SUPEE-8788. Both seem to rely on detecting a "proxy signs" of not having these patches installed.

First one states "missing jQuery". I don't think missing jQuery is a bad thing But once you start optimizing, you might not serve "vanilla" routes to your resources. If this is the only "proxy" to verify a patch, please mark as "undetectable".

Same goes for 8788: it tries to rely on some css snippet.

The patches have been applied, store is running latest version available at the moment (at time of writing 1.9.4.1).

Why is this a bad thing?

Reporting false positives (without the possibility to mute a specific check) defeats the whole purpose of having security scans/alerts: they get ignored.

Is there anything I can do to improve, get in touch with the team, create a PR?

Kind regards!

msavich · ‎04-30-2019

@dna_techwhat is the store URL you experiencing the problem with?

View solution in original post

Tarandeep Singh · ‎04-07-2019

@dna_tech

You can contact security@magento.com and provide the details. They will possibly look into it and get back to you in case a false positive or if there is something else.

Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.

- Tarandeep
Problem solved?Please give 'Kudos' and accept 'Answer as Solution'.

dna_tech · ‎04-15-2019

Thank you for the suggestion. Even though last time I sent an email to that address I got no reply, I tried again. Until today I did not even get a confirmation of the email (it did not bounce - yet).

I'll give a couple of more days, but as you might imagine it did not solve my issue.

Thanks anyway!

dna_tech · ‎04-30-2019

Unfortunately nobody responded. Does anyone know hoe to get in touch with the team (other than email)?

Mukesh Tiwari · ‎04-30-2019

Hi @dna_tech

I think @msavich may help you.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

msavich · ‎04-30-2019

@dna_techwhat is the store URL you experiencing the problem with?

dna_tech · ‎05-08-2019

Since the answer has been answered in a private conversation, I'm accepting what lead to the fix. The issue was two-fold: the first was indeed a false positive when using mod_pagespeed (has been fixed and confirmed), the latter was no false positive, but an error on my end. We removed the obsolete file and got rid of the alert.

Many thanks to @msavich for a swift response!

ciara · ‎07-16-2019

@msavich @dna_tech Just wondering what this file might have been. I am experiencing a false positive for my site also. For SUPEE-8788, but I am running 1.9.3. Your help is greatly appreciated! Thank you.

cloud magento_sectool · ‎07-16-2019

Replied from the wrong account, removed....

Please reply to @msavich directly

msavich · ‎07-16-2019

Hello,

What is the store URL you have the problem with?