False positives are so last century

New hotness: Unvalidated Assumptions

Vulnerability scanners, in the year 2025, and the companies flogging them to unsuspecting customers (victims, really), are defective by design. The latest trend in flooding the already substandard spewage with even more useless noise is to run CI-time checks against non-CI systems.

A "modern"[tm] scanner, upon finding a build manifest (a source file that merely lists dependencies), will happily claim that every listed package is installed on the system. It does not bother to verify its claim by checking what is actually present. That would be too much work.
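The missing verification step, as an added example rather than code from any scanner or from the author: parse a requirements.txt-style manifest (the sample content is constructed) and cross-check each listed package against the distributions actually installed in the interpreter, so a "listed" entry is never reported as "installed" without evidence. The `lookup` parameter is a hypothetical injection point so the check can be run against a recorded inventory instead of the live environment.

```python
"""Cross-check a build manifest's claims against what is actually installed."""
import re
from importlib import metadata
from typing import Callable, Optional

# Constructed sample manifest (requirements.txt style); not from any real project.
SAMPLE_MANIFEST = """\
# constructed example
requests==2.31.0
urllib3>=1.26
left-pad
"""

# Package name followed by whatever version specifier / extras remain on the line.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")


def parse_manifest(text: str) -> dict[str, str]:
    """Return {package_name: version_spec} for every non-comment, non-blank line."""
    listed: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = REQ_RE.match(line)
        if match:
            listed[match.group(1).lower()] = match.group(2)
    return listed


def installed_version(name: str) -> Optional[str]:
    """Installed distribution version from importlib.metadata, or None if absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def verify_claims(manifest: str,
                  lookup: Callable[[str], Optional[str]] = installed_version) -> dict[str, dict]:
    """For each listed package, record whether it is really present and at which version."""
    report: dict[str, dict] = {}
    for name, spec in parse_manifest(manifest).items():
        version = lookup(name)
        report[name] = {"spec": spec, "installed": version is not None, "version": version}
    return report


if __name__ == "__main__":
    for name, info in verify_claims(SAMPLE_MANIFEST).items():
        state = f"installed {info['version']}" if info["installed"] else "NOT installed (manifest only)"
        print(f"{name:<10} {info['spec']:<10} {state}")
```

Only the entries flagged `installed` are evidence of anything being on the host; the rest are exactly the unvalidated assumptions the post complains about.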

That is just as accurate as a police officer visiting a home, seeing a copy of Malleus Maleficarum on the bookshelf, and putting everyone in jail on the iron-clad proof that the family living there burns people alive.