This causes a blocker issue. If I remove either PUT or POST, the issue is gone. However, the description states that this is only an issue if method is missing.
The rule should be refined to disallow GET to be mixed with other verbs rather than disallowing multiple verbs. I don't see that having PUT and POST handled by a single controller creates a security vulnerability, and doing so makes sense in some cases.
Description of common unsafe methods: PUT, DELETE, POST
Unsafe methods are used to change the state of an application, thus they are sensitive operations, but this guideline is not often followed; for example, another user reported to us that OpenID Connect uses both GET and POST methods to simply retrieve some information. Thus, we will also change the issue type of this rule to security-hotspot with all the explanations for developers to help them during the review.