CompTIA Security+ (SY0-601) — Question 226
An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings?
Answer options
- A. The vulnerability scanner was not properly configured and generated a high number of false positives.
- B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
- C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
- D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.
Correct answer: A
Explanation
The correct answer is A. A vulnerability scanner that has not been properly configured (tuned for the language, frameworks and rulesets in use) typically produces a large volume of false positives, which inflates the findings count. Options B and C do not explain the excessive findings, as they describe specific code issues rather than a scanner misconfiguration. Option D suggests an outdated scanner, but missing or outdated benchmarks do not directly explain the generation of false positives.