Exam SY0-601 topic 1 question 328 discussion

forgot to choose the answer lol. But for me it's A. Since it was just the first night of the vulnerability scan, definitely there would be a lot of false positives that the engineer who monitors this needs to address and modify so that the vulnerability scan can be more accurate.

False positives refer to instances where the vulnerability scanner incorrectly identifies a piece of code as vulnerable when it is not. They can occur due to various reasons, such as misconfiguration of the scanner, inadequate tuning of the scan rules, or limitations in the scanning tool's detection capabilities. In this scenario, if the vulnerability scanner was not properly configured, it might generate a significant number of false positives. False positives can lead to a large number of reported findings that may not actually represent legitimate security vulnerabilities.

The vulnerability scanner was not properly configured and generated a high number of false positives, the reason is that is asking for what is most likely and the most reasonable thing is that the vulnerability scanner is just missconfigured, in the exam usually there is a question the received all the points and a question that looks reasonable too so you get a few points, in this case D is the second answer

D is an more accurate answer than A

i take my exam today, 01/03/2024. if you are reading this i will post my success at the very first question to inform you all as to if this forum was helpful or not. my friend took the test a couple of weeks ago and passed. he swears by it.

A is much more likely than B for this one, just based on the sheer number of findings. Third-party libraries could result in a bunch, sure, but 2,000 would make me think something has been misconfigured.

I'm not sure exactly why B is not correct but I will say removing all 3rd party repositories seems a bit extreme. Even with a repository that has vulnerabilities, I would think that patching those vulnerabilities yourself would sometimes be the best thing to do rather than scrapping it entirely.

A. This is talking about static code analysis. Static code analysis is a type of automated software testing that analyzes source code without executing the software to identify potential issues, such as security vulnerabilities, coding errors, and other issues that could impact the software's functionality, reliability, or security. There are many static code analysis tools available, both open source and commercial, that can be used to analyze software code for potential vulnerabilities and other issues. Here are some of the most commonly used static code analysis tools: SonarQube Fortify Checkmarx Veracode ...etc

The alerts are coming after the first night of the scan, it is obviously not tuned correctly. Going with A on this one.

The most likely cause for the high number of findings is B. Third-party libraries have been loaded into the repository and should be removed from the codebase. If third-party libraries are loaded into the repository, the vulnerability scanner can easily identify them as potential vulnerabilities and alert the developers.

choosing A for this one. Since it was just the first night of the vulnerability scan, definitely there would be a lot of false positives that the engineer who monitors this needs to address and modify so that the vulnerability scan can be more accurate.

Clearly answer B

B. Third-party libraries have been loaded into the repository and should be removed from the codebase

I think here the correct one should be B.

also choosing A

B. Third-party libraries have been loaded into the repository and should be removed from the codebase