Hi Dave562,
Yes, this is the correct answer. I somehow replied to the wrong thread, sorry about that.
The limitation is related to validators of path-traversal-like vulnerability (S2083 and S6096). It doesn’t affect other rules. The “universal” way to protect against path traversal happens in two steps: compute the normalized/canonical path, then make sure this path is not located outside of the destination folder. As of today the engine does not correctly support this two-step validation and it leads to false-positive. I don’t know when we will be able to overcome this limitation.
Pierre-Loup