For version 2.3.2 the Magento Security Scanner finds a number of presumed false positives.
(Because these patches are supposed to be included in Magento 2.3)
Where can I find the actual patches that are reported to be missing to compare them with the production code?
API ACL - Failed.
API ACL Patch not detected (APPSEC-1378) - from Magento 2.0.4
API ACL Patch not detected (APPSEC-1408) - from Magento 2.0.6
API ACL Patch not detected (APPSEC-1679) - from Magento 2.1.7
XS Vulnerability - Failed.
Section Loading sanitation not detected (APPSEC-1539) - from Magento 2.1.2
XSS Patch not detected (APPSEC-1716) - from Magento 2.1.14
As you can see, nobody answered.
I already searched and gave up finding a solution on my own before posting here.
The empty POST request to yourdomain/rest/V1/carts/mine/balance/apply is expected to return a 401 (Unauthorized) response code; the 500 (Internal Server Error) is returned instead.
If the server responds with a 400, 403, 404 or 503 response code, the scan will finish with 'Unknown' status.
Open this in a browser: yourdomain/rest/V1/carts/mine/balance/apply, which certainly gives the error.
I am facing the same issue and trying to find a solution. From the above post, if anyone manages to get that fixed before me, please post it here.
Hit the Kudos if it seems helpful
Which one of the 5 patches are you referring to?
Where did you find this information?
Which one of the 5 patches are you referring to? Zuber - What does this mean? I didn't mention anything about the patch. Sorry, but it's a little bit precarious.
Where did you find this information? Zuber - I submitted the same error to Magento support and one of their developers sent this to me.
This is about 5 error messages for 5 "missing" patches.
Which of them do you refer to?
The 5 scans did not seem to have returned with an "unknown" status but with a "failed" status.
(Sorry for the late answer. It seems this forum does not send me an email when a reply happens.)
We also have this issue on 2.3.2 but only with the first 3 patches flagging as failed.
Did you find a solution to this problem?
I'm just waiting for an answer here as there is nothing else I can do.
Forgive my ignorance if my answers aren't what you are looking for.
You asked "Where can I find the actual patches that are reported to be missing to compare them with the production code?"
The patches for different versions of Magento can be found through this webpage: https://magento.com/security/patches
To find a specific patch such as for version 2.0.4 which you mentioned, type in the APPSEC-1378 "code" in your favorite search engine to get a direct URL like this one: https://magento.com/security/patches/magento-2.0.4-security-update
Then, since you are using the Community Edition, scroll down to the Community Edition heading and proceed from there.
If I understood you correctly, this is what you are looking for.
One more thing before you proceed: I had a similar issue where the Magento Security Scanner showed that I was missing patches even though I also had version 2.3.2 installed. It turned out that my Web Application Firewall (WAF) was blocking the Magento Security Scan from checking my website/domain, and therefore I also had false positives. After I allowed the Security Scan IP addresses through my WAF, the patch failures went away.
I hope this helps, if not you then someone else.
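
Added example, not part of any post in this thread and not Magento's own code: a small access-log check for the probe described above (an empty POST to `/rest/V1/carts/mine/balance/apply`), reporting which status code each client actually received and the scan outcome the thread attributes to it. It assumes a "combined" format access log; the sample lines, IP addresses and user agents are constructed, and treating 500 as the "failed" case is a reading of the support reply quoted above.

```python
import re
from collections import Counter

# Endpoint named in the thread; the scanner is described as sending an empty POST to it.
PROBE_PATH = "/rest/V1/carts/mine/balance/apply"

# Status-to-outcome mapping as described in the support reply quoted in the thread.
# Reading 500 as the "failed" case is an assumption drawn from that reply's context.
OUTCOME = {401: "expected", 500: "failed",
           400: "unknown", 403: "unknown", 404: "unknown", 503: "unknown"}

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(status):
    """Map an HTTP status to the scan outcome the thread describes."""
    return OUTCOME.get(status, "not covered by the thread")

def probe_results(lines):
    """Count (client_ip, status, outcome) for POSTs to PROBE_PATH."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query string and trailing slash when comparing paths.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != PROBE_PATH:
            continue
        status = int(m["status"])
        hits[(m["ip"], status, classify(status))] += 1
    return hits

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2019:10:01:02 +0000] "POST /rest/V1/carts/mine/balance/apply HTTP/1.1" 500 312 "-" "sample-scanner"',
    '192.0.2.10 - - [13/Aug/2019:10:01:05 +0000] "POST /rest/V1/carts/mine/balance/apply HTTP/1.1" 500 312 "-" "sample-scanner"',
    '192.0.2.11 - - [13/Aug/2019:10:02:00 +0000] "POST /rest/V1/carts/mine/balance/apply/ HTTP/1.1" 403 0 "-" "sample-scanner"',
    '198.51.100.7 - - [13/Aug/2019:11:00:00 +0000] "GET /rest/V1/carts/mine/balance/apply HTTP/1.1" 401 90 "-" "browser"',
    '198.51.100.7 - - [13/Aug/2019:11:00:09 +0000] "POST /rest/V1/carts/mine/balance/apply HTTP/1.1" 401 90 "-" "curl"',
    '198.51.100.7 - - [13/Aug/2019:11:00:20 +0000] "POST /checkout/cart HTTP/1.1" 302 0 "-" "browser"',
]

if __name__ == "__main__":
    for (ip, status, outcome), n in sorted(probe_results(SAMPLE_LOG).items()):
        print(f"{ip}  HTTP {status}  x{n}  -> {outcome}")
```

Requests stopped at a WAF in front of the server may never reach this log, so an empty result for the scan window points to the WAF's own logs.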