Fortify and third-party libraries


I am trying to understand why, in the new version of Fortify SCA 17.10, the scan defaults to excluding third-party libraries. I found this article, and it seems that for any open source library you use, it would be in your best interest to get these issues fixed by pull request. I noticed that some of the findings I get from a Fortify scan are typically false positives; is this why Fortify now excludes third-party libraries? Is there a legitimate reason for this?


Solution

  • I guess this is because you, as the owner of the code, cannot really fix an issue in a third-party library. The only thing you can do is suppress the issue. This can even be true in the case of dependencies maintained by another team of the same company. So I try to treat this as an opportunity to make the auditing process simpler by using these settings.