I'm getting false positives for both SUPEE-10975 and SUPEE-8788. Both seem to rely on detecting a "proxy signs" of not having these patches installed.
First one states "missing jQuery". I don't think missing jQuery is a bad thing But once you start optimizing, you might not serve "vanilla" routes to your resources. If this is the only "proxy" to verify a patch, please mark as "undetectable".
Same goes for 8788: it tries to rely on some css snippet.
The patches have been applied, store is running latest version available at the moment (at time of writing 18.104.22.168).
Why is this a bad thing?
Reporting false positives (without the possibility to mute a specific check) defeats the whole purpose of having security scans/alerts: they get ignored.
Is there anything I can do to improve, get in touch with the team, create a PR?
Solved! Go to Solution.
You can contact email@example.com and provide the details. They will possibly look into it and get back to you in case a false positive or if there is something else.
Problem solved? Please give 'Kudos' and accept 'Answer as Solution'.
Thank you for the suggestion. Even though last time I sent an email to that address I got no reply, I tried again. Until today I did not even get a confirmation of the email (it did not bounce - yet).
I'll give a couple of more days, but as you might imagine it did not solve my issue.
Unfortunately nobody responded. Does anyone know hoe to get in touch with the team (other than email)?
Since the answer has been answered in a private conversation, I'm accepting what lead to the fix. The issue was two-fold: the first was indeed a false positive when using mod_pagespeed (has been fixed and confirmed), the latter was no false positive, but an error on my end. We removed the obsolete file and got rid of the alert.
Many thanks to @msavich for a swift response!
Replied from the wrong account, removed....
Please reply to @msavich directly