by invokestatic 284 days ago
Checking version numbers usually isn’t a good way of determining whether software on Linux is vulnerable to CVEs. Big distros (especially Red Hat derivatives) lock software versions but backport security patches. Reporting “vulnerabilities” solely based on reported version number is pure noise.

This reminds me of pointless PCI scans that flag you for using a vulnerable version of Nginx or VPN software because that version has a CVE on record. This ignores the fact that the distro version is patched for the non-exploitable CVE.
Oh, one of my absolute favorite things is setting ServerTokens ProductOnly, so that scrubs will freak right out when they see their canned vuln scanner get bug-eyed and basically scream that the server might be vulnerable to every possible exploit ever written.
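As an added illustration of the point both comments make (this is not code from either commenter): a triage step that takes what a banner-only scanner would flag and removes the CVEs a distro package changelog records as backported, leaving only findings that still need a look. The changelog, version numbers and CVE identifiers are constructed placeholders.

```python
import re

# Constructed sample: a package changelog fragment in the style RPM-based
# distros use, listing CVE fixes backported into the distro build.
# The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Mar 05 2024 Maintainer <maint@example.invalid> - 1.20.1-14.el9_2.1
- Resolves: CVE-0000-1111 (backported from upstream 1.25.x)
- Resolves: CVE-0000-2222
* Mon Jan 08 2024 Maintainer <maint@example.invalid> - 1.20.1-14
- rebuilt
"""

# Constructed "fixed in upstream version" table a canned scanner would use.
UPSTREAM_FIXES = {
    "CVE-0000-1111": "1.25.3",
    "CVE-0000-2222": "1.21.0",
    "CVE-0000-3333": "1.20.2",
}

def parse_version(v):
    """'1.20.1' -> (1, 20, 1) for tuple comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def banner_version(server_header):
    """Upstream version from a Server header like 'nginx/1.20.1', else None."""
    m = re.search(r"/(\d+(?:\.\d+)+)", server_header)
    return m.group(1) if m else None

def version_only_findings(banner):
    """What a naive banner-based scanner reports: every CVE fixed upstream later."""
    v = banner_version(banner)
    if v is None:
        return []  # ProductOnly-style banner: nothing to compare against
    return sorted(cve for cve, fixed in UPSTREAM_FIXES.items()
                  if parse_version(v) < parse_version(fixed))

def backported_cves(changelog):
    """CVE ids the distro changelog says were fixed in the packaged build."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))

def triage(banner, changelog):
    """Split naive findings into changelog-covered noise and real follow-ups."""
    fixed = backported_cves(changelog)
    naive = version_only_findings(banner)
    return {"noise": [c for c in naive if c in fixed],
            "needs_review": [c for c in naive if c not in fixed]}
```

The distro package version string (for example the `-14.el9_2.1` release suffix) is what actually identifies the patch level, so the changelog lookup should be keyed on the installed package, not on the HTTP banner.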