My guess would be the third of your options; it feels like a scanning tool artifact.

However, my point was that even given the age of the OWASP Top 10 and its incredible brand recognition among developers globally, the IBM bulk application scans are still finding (at least some of) these issues.

Interesting point about taxonomies of security flaws; similarly, taxonomies of security attacks are also hard (wicked, maybe). This may be due to the difficulty of fully defining the world of unexpected or unwanted application behaviour. There is something complex about the space of possible attacks (or flaws) that resists classification at anything other than such a level of foundational definition as to be practically useless in the real world.
