Accept and reject mitigations
Use the Triage Flaws page or the Mitigated Flaws page in the Veracode Platform to accept or reject proposed mitigations on flaws.
To list the applications that have mitigated flaws, from the Applications page select Show All Applications with Mitigations. The filtered list includes every application with at least one proposed, accepted, or rejected mitigation. Select any application in the list to go straight to its Mitigated Flaws page.
A proposed mitigation has no effect on its own. A mitigated flaw is excluded from the policy evaluation and the security score calculation only after a user with the Mitigation Approver role accepts the mitigation; until then, and if the mitigation is rejected, the flaw continues to count.
Prerequisites
You must have the Mitigation Approver role.
Using the Triage Flaws page
A user with the Mitigation Approver role can accept or reject proposed mitigations from the Triage Flaws page of your application. To list only the proposed mitigations, in the Search field select Mitigation, keep the = operator, and choose Mitigation Proposed. To invert the filter and show every mitigation except the selected type, select the equals icon again to switch it to not-equals.
You can only use the Triage Flaws page to accept mitigations for internally developed applications. To accept mitigations for third-party applications, use the Mitigated Flaws page.
To complete this task:
- In the Triage Flaws page, select the checkbox in the ID column to check out the flaw. A green lock icon appears in the column to show that the flaw is checked out to you.
- Select the arrow next to the checkbox to expand the details for the flaw.
- From the Action menu in the details, select Mitigation Accepted or Mitigation Rejected.
- In the Comments field next to the Action menu, enter the reasoning for your decision. You cannot save your action without entering comments.
- Select Save. Saving your action also checks the flaw back in.
You can delete mitigation comments only while the mitigation is still proposed. To delete a mitigation comment, select the checkbox next to the flaw to check it out, and then select the trash can icon next to the comment you want to delete. After a mitigation has been accepted or rejected, you cannot delete previously added comments, so the decision record is preserved.
A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out. Similarly, such a user can delete mitigation comments created by others.
Using the Mitigated Flaws page
You can accept or reject proposed mitigations in the Mitigated Flaws page for both internally developed and third-party applications.
Before you begin:
You must have the Mitigation Approver role to accept or reject proposed mitigations.
To complete this task:
- From the Applications page in the Veracode Platform, select Show All Applications with Mitigations.
- From the list of applications, select View at the end of the row to see a list of the proposed, accepted, or rejected mitigations for the flaws that Veracode discovered in that application.
- Use the Filter field to narrow the list by flaw ID, severity, or CWE ID.
- If you have access to the source file for the flaw, browse to its location and load it. As on the Triage Flaws page, the file is opened locally in your browser for viewing only; it is not uploaded to the Veracode Platform.
- Select the Comments tab to view any comments or mitigations for the flaw.
- When you have reviewed the details of the flaw, select Accept, Reject, or Comment.
- Enter a comment (2048 characters or fewer) explaining your decision, then select Check in Flaw. As on the Triage Flaws page, the action cannot be saved without a comment.
A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.
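Both procedures above are interactive. An approver who has to review many proposed mitigations, or who wants the accept/reject decision and its justification kept in a script-driven audit trail, can do the same work against the Veracode XML APIs. The following is an added example and is not code from the Veracode documentation or the Veracode Platform. Its assumptions: the detailed-report layout (a `flaw` element carrying `mitigation_status` and nested `mitigation` entries) and the `updatemitigationinfo.do` parameters (`build_id`, `action`, `comment`, `flaw_id_list`) are taken from the Veracode XML API as the author recalls it and should be checked against the current API reference; the `SAMPLE_REPORT` document is constructed for the example; the flaw IDs, user names and build ID in it are invented. It reproduces the page's own rules in code: only `accepted` or `rejected` is a decision, a decision cannot be saved without a comment, and the comment is capped at 2048 characters.

```python
import xml.etree.ElementTree as ET

UPDATE_URL = "https://analysiscenter.veracode.com/api/updatemitigationinfo.do"
MAX_COMMENT_LEN = 2048                       # limit stated on the Mitigated Flaws page
APPROVAL_ACTIONS = {"accepted", "rejected"}  # the two decisions a Mitigation Approver can record

# Constructed, trimmed sample of a Veracode detailed report (assumption: element and
# attribute names follow the detailedreport schema; all IDs and names are invented).
SAMPLE_REPORT = """<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
                app_name="example-app" build_id="1000001">
  <severity level="5"><category categoryname="SQL Injection">
    <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command">
      <staticflaws>
        <flaw issueid="12" severity="5" cweid="89" sourcefile="UserDao.java" line="88"
              mitigation_status="proposed" mitigation_status_desc="Mitigation Proposed">
          <mitigations>
            <mitigation action="Mitigate by Design" date="2024-01-10 09:12:00 UTC" user="dev1"
                        description="Parameter is bound with PreparedStatement; tainted data never reaches the SQL string."/>
          </mitigations>
        </flaw>
        <flaw issueid="13" severity="5" cweid="89" sourcefile="ReportDao.java" line="41"
              mitigation_status="accepted" mitigation_status_desc="Mitigation Accepted">
          <mitigations>
            <mitigation action="Mitigate by Design" date="2023-11-02 14:00:00 UTC" user="dev2"
                        description="Stored procedure with typed parameters."/>
            <mitigation action="Mitigation Accepted" date="2023-11-03 08:30:00 UTC" user="approver1"
                        description="Confirmed in code review."/>
          </mitigations>
        </flaw>
        <flaw issueid="14" severity="5" cweid="89" sourcefile="SearchDao.java" line="120"
              mitigation_status="none" mitigation_status_desc="Not Mitigated"/>
      </staticflaws>
    </cwe>
  </category></severity>
</detailedreport>"""


def _local(tag):
    """Strip the XML namespace so lookups do not depend on the schema URL."""
    return tag.rsplit("}", 1)[-1]


def proposed_mitigations(report_xml):
    """Return the flaws whose mitigation is still waiting for an approver's decision."""
    root = ET.fromstring(report_xml)
    found = []
    for flaw in root.iter():
        if _local(flaw.tag) != "flaw" or flaw.get("mitigation_status") != "proposed":
            continue
        entries = [m for m in flaw.iter() if _local(m.tag) == "mitigation"]
        latest = entries[-1] if entries else None   # most recent proposal or comment
        found.append({
            "flaw_id": flaw.get("issueid"),
            "cweid": flaw.get("cweid"),
            "location": f"{flaw.get('sourcefile')}:{flaw.get('line')}",
            "proposed_action": latest.get("action") if latest is not None else None,
            "proposed_by": latest.get("user") if latest is not None else None,
            "justification": latest.get("description") if latest is not None else None,
        })
    return found


def build_mitigation_update(build_id, flaw_ids, action, comment):
    """Validate an accept/reject decision and return the updatemitigationinfo.do parameters.

    Enforces the same rules as the UI: a decision needs a non-empty comment of at
    most 2048 characters, and only 'accepted' or 'rejected' is a decision.
    """
    if action not in APPROVAL_ACTIONS:
        raise ValueError(f"action must be one of {sorted(APPROVAL_ACTIONS)}")
    comment = comment.strip()
    if not comment:
        raise ValueError("a comment explaining the decision is required")
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"comment exceeds {MAX_COMMENT_LEN} characters")
    ids = [str(i).strip() for i in flaw_ids]
    if not ids or not all(i.isdigit() for i in ids):
        raise ValueError("flaw_ids must be a non-empty list of numeric flaw IDs")
    return {"build_id": str(build_id), "action": action,
            "comment": comment, "flaw_id_list": ",".join(ids)}


def submit_mitigation_update(params):
    """POST the decision with Veracode HMAC auth (VERACODE_API_KEY_ID/SECRET in the environment).

    Imports are lazy so the review and validation functions above run offline. The
    account behind the API credentials must hold the Mitigation Approver role, as in the UI.
    """
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    resp = requests.post(UPDATE_URL, data=params, auth=RequestsAuthPluginVeracodeHMAC())
    resp.raise_for_status()
    return resp.text   # XML describing the updated mitigation state


if __name__ == "__main__":
    for item in proposed_mitigations(SAMPLE_REPORT):
        print(item)
    decision = build_mitigation_update("1000001", ["12"], "accepted",
                                       "Verified: UserDao binds the parameter with PreparedStatement.")
    print(decision)   # dry run; call submit_mitigation_update(decision) to record it
```

Keeping validation (`build_mitigation_update`) separate from submission (`submit_mitigation_update`) lets the script be dry-run and unit-tested without credentials, and it means a decision is never sent without the justification that the platform itself refuses to save without.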