MPT flaw matching
The MPT Flaw Matching feature evaluates findings from successive MPT tests of the same asset, such as an application or API. It identifies recurring findings across multiple tests and links the matched instances together. This link ensures that all instances of the same finding across successive tests trace back to the original test in which it was first identified.
MPT Flaw Matching adds the following information to findings:
- First found dates that display the publication date of the test in which we first identified the finding.
- Consistent flaw IDs for each finding across test results. When we identify the same MPT finding in multiple tests of the same application, all instances inherit the flaw ID from the first time we found it.
- A status, such as New or Fixed.
First found date
The first found date indicates when a finding was first identified during a test. The value is the publication date of the test results from the test in which we found the finding. For example, if we run tests in January, February, and March, and the January test found two findings that remain open, those findings appear in the March test results with a first found date of January.
Any findings identified before the release of MPT Flaw Matching might have inaccurate first found dates.
Because MPT findings retain their first found dates, you can include them in the remediation grace periods of any security policies applied to your applications. Grace periods provide teams flexibility in meeting security compliance goals before certain findings impact the application’s policy score.
MPT finding statuses
In the results, each MPT finding shows one of the following status values.
- New: findings identified for the first time in the latest test. All findings from the initial test show a New status.
- Open: unresolved findings that were identified in a previous test and again in the latest test. Open findings retain their original flaw IDs (assigned the first time they were identified) and their first found dates. Any New findings identified during an initial or subsequent test that we also identify in the latest test change to Open status.
- Fixed: resolved findings identified in a previous test but not in the latest test. Fixed findings retain their original flaw IDs (assigned the first time they were identified) and their first found dates.
- Closed: findings that we did not identify during two successive tests. When a finding is Closed, we remove it from the results in the Veracode Platform Analytics and reports.
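The following Python model is an added illustration of the first found date and status rules described above; it is not Veracode's code and does not reflect how the platform actually matches findings. It assumes each finding can be reduced to a matching key (here a constructed "category:location" string), that flaw IDs are handed out sequentially in key order, and that a Fixed finding which reappears in a later test returns to Open while keeping its original flaw ID and first found date (the page does not state this case). The three test runs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    key: str          # matching key; an assumption, the page does not define how findings are compared
    flaw_id: int      # assigned once, inherited by every later instance of the same finding
    first_found: str  # publication date of the test that first identified the finding
    status: str       # New, Open, Fixed or Closed
    missed: int = 0   # consecutive tests in which the finding was not identified


def match_test_runs(runs):
    """runs: chronological list of (publication_date, set of finding keys).

    Returns one report per test: a dict of key -> (flaw_id, first_found, status)
    that omits Closed findings, mirroring their removal from results.
    """
    tracked = {}        # key -> Finding carried across successive tests
    next_flaw_id = 1
    reports = []
    for pub_date, keys in runs:
        # sorted() keeps flaw ID assignment deterministic (sets have no order)
        for key in sorted(keys):
            finding = tracked.get(key)
            if finding is None:
                # first time identified: New, fresh flaw ID, first found = this test's date
                tracked[key] = Finding(key, next_flaw_id, pub_date, "New")
                next_flaw_id += 1
            else:
                # matched an earlier finding: inherits flaw ID and first found date.
                # Assumption: this also applies when a Fixed finding reappears.
                finding.status = "Open"
                finding.missed = 0
        for finding in tracked.values():
            if finding.key not in keys:
                finding.missed += 1
                # missed once -> Fixed; missed in two successive tests -> Closed
                finding.status = "Fixed" if finding.missed == 1 else "Closed"
        reports.append({
            f.key: (f.flaw_id, f.first_found, f.status)
            for f in tracked.values() if f.status != "Closed"
        })
        # Closed findings are dropped and no longer tracked
        tracked = {k: f for k, f in tracked.items() if f.status != "Closed"}
    return reports


# Constructed sample: three monthly tests of the same application.
SAMPLE_RUNS = [
    ("2024-01-15", {"missing-csp:/", "verbose-error:/api/users"}),
    ("2024-02-15", {"missing-csp:/", "open-redirect:/login"}),
    ("2024-03-15", {"open-redirect:/login"}),
]


def example_reports():
    """Run the matcher over the constructed sample and return the per-test reports."""
    return match_test_runs(SAMPLE_RUNS)


if __name__ == "__main__":
    for (pub_date, _), report in zip(SAMPLE_RUNS, example_reports()):
        print(pub_date)
        for key, (flaw_id, first_found, status) in sorted(report.items()):
            print(f"  flaw {flaw_id:<3} first found {first_found}  {status:<6} {key}")
```

In the March report the January finding that was missed in February and March no longer appears (Closed), the finding missed only in March shows as Fixed with its January first found date, and the February finding carries its original flaw ID as Open. Because first found dates survive this way, a policy grace period measured from that date keeps counting from the original test rather than restarting with each new publication.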
About historical MPT findings
MPT Flaw Matching does not support any findings identified in a given application before the release of the flaw matching feature. These findings continue to show an Open status, and results from the latest test replace the results from the previous test.
To start using the benefits of MPT Flaw Matching on an application that you tested previously, you must run a new test on the given application. When we publish the results of the first new test, all findings will have a New status.