diff --git a/todo/nmap.txt b/todo/nmap.txt
index f30de2549..23939e43b 100644
--- a/todo/nmap.txt
+++ b/todo/nmap.txt
@@ -106,6 +106,11 @@ o Web: We should probably distribute RapidSSL intermediate certificate
   SSLCertificateFile which looks something like:
   SSLCertificateChainFile /etc/apache2/rapidssl.pem
 
+o Investigate Checkmarx static analysis report of Nmap source tree
+  that someone sent us on Feb 12.  It looks like mostly false positives,
+  but we should go through to check for any real bugs or even possible
+  security issues.  Fyodor has the report.
+
 o Make CONCURRENCY_LIMIT in nse_main.lua at least the min-parallelism.
   Otherwise NSE is limited to 1000 socket-using threads even if you've
   requested more.