If you run gotestwaf on a dummy web server that returns OK to every request, it should get zero false positives. This works, of course.
As I understand it, --nonBlockedAsPassed is a convenience; it lets you set up a waf in front of a dummy
server without bothering to make the dummy server actually return OK for every request.
But when I tried the option, it said that all the positive tests had failed; evidently -nonBlockedAsPassed treats 404s as false positives.
It seems the logic in internal/db/statistics.go related to nonBlockedAsPassed does the wrong thing in the isPositive case....?
If you run gotestwaf on a dummy web server that returns OK to every request, it should get zero false positives. This works, of course.
As I understand it, --nonBlockedAsPassed is a convenience; it lets you set up a waf in front of a dummy server without bothering to make the dummy server actually return OK for every request.
But when I tried the option, it said that all the positive tests had failed; evidently -nonBlockedAsPassed treats 404s as false positives.
It seems the logic in internal/db/statistics.go related to nonBlockedAsPassed does the wrong thing in the isPositive case....?