Should a GET really need a 400 error, especially if its got no parameters?
Context
I'm working on an API with some fairly simple GET endpoints and the ruleset is asking me to define a 400 for this GET, but I'm not sure I should be defining a 400 for a GET? If it's got no parameters, how could a client make a bad request?
paths:
/stations:
get:
summary: Get a list of train stations
description: Returns a list of all train stations in the system.
operationId: get-stations
responses:
'200':
description: A list of train stations
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Station'
example:
- id: "efdbb9d1-02c2-4bc3-afb7-6788d8782b1e"
name: Berlin Hauptbahnhof
address: "Invalidenstraße 10557 Berlin, Germany"
country_code: DE
- id: "b2e783e1-c824-4d63-b37a-d8d698862f1d"
name: Paris Gare du Nord
address: "18 Rue de Dunkerque 75010 Paris, France"
country_code: FR
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'429':
$ref: '#/components/responses/TooManyRequests'
'500':
$ref: '#/components/responses/InternalServerError'
Current Behavior
The above example gives this warning:
19:17 warning owasp:api3:2019-define-error-validation Missing error response of either 400, 422 or 4XX. paths./stations.get.responses
Expected Behavior
I think, but am not entirely certain, that this error should be skipped.
Possible Solution(s)
Check for parameters and if none exist skip this message?
Should a GET really need a 400 error, especially if its got no parameters?
Context
I'm working on an API with some fairly simple GET endpoints and the ruleset is asking me to define a 400 for this GET, but I'm not sure I should be defining a 400 for a GET? If it's got no parameters, how could a client make a bad request?
Current Behavior
The above example gives this warning:
Expected Behavior
I think, but am not entirely certain, that this error should be skipped.
Possible Solution(s)
Check for parameters and if none exist skip this message?