Issue/Question

Audit will check for both validation-x-42c-extensions-conflict and v3-validation-x-42c-extensions-conflict.  If a conflict is found, audit will consider the API definition as not being a valid OpenAPI definition. In this case, the API would not get a audit score until the conflict has been resolved.

Solution/Answer

Users are not allowed to apply bothx-42c-accept-empty-securityandx-42c-no-authenticationto same API, either from audit rules or by defining them directly in the API definition. If both extensions get applied to a single API (regardless of the level where, it doesn’t matter if these are applied to operations or the whole API), then the issue(v3-)validation-x-42c-extensionsis raised and API definition is flagged as structurally not valid. This is because you now have two directives giving Security Audit conflicting instructions how to handle authentication checks, meaning that the assessment won’t be reliable.