Identify issues in Checkmarx security scan

I work for a pharmacy software company where we’re using CakePHP for our customer site. The site was run through Checkmarx and came up with 18 high severity issues in the core.

First, I haven’t reviewed the core code much and don’t believe that they are all legit issues. It’s likely that they are false positives, or at least some of them are.

Second, it’s a new site and we haven’t been able to launch yet, because our security department has a new policy that nothing new goes live that has high severity issues in it.

So, I have to prove they are false positives before we can launch this site, or that they are legit and submit a patch/report it, etc. Is there anyone who is more familiar with the core code who would be willing to help me out? I hate to send security issues that may very well be false positives, but do you recommend me doing that anyway? And on top of that I have to be able to offer some proof; I can’t just say “it’s not a problem”.

You can send a mail to security@cakephp.org with reported issues.

I can do that just to be sure. Is that recommended? Even if I believe it might be a false positive? And if I do submit them, will I get a response back providing some sort of explanation as to why it’s not an issue? I know the core developers aren’t required to do that, but I am required to do that for my security department.

Thanks for the response.

No one’s gonna be offended even if every reported issue is a false positive :) Rest assured you will get a response.