Issue/Question
Security Audit checks for both validation-x-42c-extensions-conflict and v3-validation-x-42c-extensions-conflict. If a conflict is found, Security Audit considers the API definition not to be a valid OpenAPI definition, so the API does not get an audit score until the conflict has been resolved.
Solution/Answer
You cannot apply both x-42c-accept-empty-security and x-42c-no-authentication to the same API, whether through audit rules or by defining them directly in the API definition. If both extensions get applied to a single API, at any level (it does not matter whether they are applied to individual operations or to the whole API), the issue (v3-)validation-x-42c-extensions-conflict is raised and the API definition is flagged as structurally not valid. The two extensions give Security Audit conflicting instructions on how to handle authentication checks, so the assessment would not be reliable. To resolve the conflict, remove one of the two extensions from the definition (and from any audit rule that applies it) and re-run the audit.
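The following is an added example, not 42Crunch's own code, that reproduces the check described above locally: it walks an OpenAPI definition loaded as JSON, records every place (API root or individual operation) where x-42c-accept-empty-security and x-42c-no-authentication are applied, and reports the conflict when both appear anywhere in the same API. It assumes the two extensions carry boolean values (an explicit `false` counts as not applied), and it assumes the "v3-" prefix on the issue ID denotes the OpenAPI 3.x variant while the unprefixed ID is for Swagger 2.0 definitions. The sample definitions are constructed for the example; extensions applied through audit rules rather than in the definition are out of its scope.

```python
import json

# The two 42Crunch extensions that must never both be applied to one API.
ACCEPT_EMPTY = "x-42c-accept-empty-security"
NO_AUTH = "x-42c-no-authentication"

# Keys of a Path Item object that hold operations (everything else, such as
# "parameters" or "summary", is skipped).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def is_applied(obj, ext):
    """True when extension `ext` is set on `obj`.

    Assumption: the extensions carry a boolean, so an explicit `false`
    counts as "not applied" while `true` (or any other value) counts as applied.
    """
    return isinstance(obj, dict) and ext in obj and obj[ext] is not False


def find_extension_conflict(spec):
    """Record where each extension is applied (API root and every operation).

    Returns (conflict, locations): `locations` maps each extension name to the
    list of places it was found; `conflict` is True when both lists are
    non-empty, i.e. both extensions are applied somewhere in the same API,
    regardless of level.
    """
    locations = {ACCEPT_EMPTY: [], NO_AUTH: []}
    for ext in locations:
        if is_applied(spec, ext):
            locations[ext].append("/")  # whole-API level
    for path, item in (spec.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                for ext in locations:
                    if is_applied(op, ext):
                        locations[ext].append(f"/paths{path}/{method}")
    conflict = bool(locations[ACCEPT_EMPTY]) and bool(locations[NO_AUTH])
    return conflict, locations


def audit_issue(spec):
    """Return the issue ID named on this page for the definition, or None.

    Assumption: the "v3-" prefix distinguishes the OpenAPI 3.x variant of the
    issue from the Swagger 2.0 one, selected here by the top-level version key.
    """
    conflict, _ = find_extension_conflict(spec)
    if not conflict:
        return None
    prefix = "v3-" if "openapi" in spec else ""
    return prefix + "validation-x-42c-extensions-conflict"


# Constructed sample: x-42c-no-authentication on the whole API plus
# x-42c-accept-empty-security on one operation. This is the conflicting case.
CONFLICTING_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Pets", "version": "1.0"},
  "x-42c-no-authentication": true,
  "paths": {
    "/pets": {
      "get": {
        "x-42c-accept-empty-security": true,
        "responses": {"200": {"description": "ok"}}
      }
    }
  }
}
""")

# Constructed sample: only one of the two extensions is applied, so no conflict.
CLEAN_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "info": {"title": "Pets", "version": "1.0"},
  "paths": {
    "/pets": {
      "get": {
        "x-42c-accept-empty-security": true,
        "responses": {"200": {"description": "ok"}}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for name, spec in (("conflicting", CONFLICTING_SPEC), ("clean", CLEAN_SPEC)):
        conflict, where = find_extension_conflict(spec)
        print(name, "->", audit_issue(spec) or "no conflict", where)
```

Running the script on the two constructed definitions prints the issue ID and the locations of both extensions for the first one, and "no conflict" for the second. The location list is the useful part in practice: it tells you exactly which operation or root-level entry to remove so that only one directive remains.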