Managing Issues
Veracode Risk Manager (VRM) groups similar hazardous findings from various tools together per asset as issues. VRM auto-investigates these issues, providing context for prioritizing them by severity and urgency, and identifies solutions.
Active issues need attention to reduce risk. Noted issues are being addressed or have been mitigated to an acceptable level. Resolved issues document how risks were handled.
This guide helps you manage your security issues through their lifecycle until they are resolved. You can manage issues on the Issues page, as described in this guide, or on the Issue Details page for a specific issue.
Create a Ticket
In VRM, you can create tickets to track issues in your ticketing system.
Prerequisites:
- Have the Admin role in VRM.
- Have a VRM connector enabled for your ticketing system.
To complete this task:
- Log in to VRM.
- Select the Issues icon.
- Select the checkbox next to the issue for which you want to create a ticket.
- Select Actions > Create Ticket.
- Enter the necessary information on the ticket. Additional instructions are available for Jira and ServiceNow.
  NOTE: By default, issues associated with new tickets you create move to the Status of Noted, which is the recommended status for issues with open tickets.
- Select Create Ticket.
When the ticket is created, a pop-up window appears in VRM that includes a link to the ticket.
Change the Status of Issues
In VRM, you can set the status of an issue. The statuses in the issue lifecycle are:
- Active: The issue is currently being reviewed or has not been reviewed yet. The default for new issues.
- Noted: The issue is still present, but it has been reviewed and a decision has been made about it.
- Resolved: The issue is no longer present, and it contributes no risk.
Prerequisites:
- Have the Admin role in VRM.
To complete this task:
- Log in to VRM.
- Select the Issues icon.
- Select the checkbox next to one or more issues you want to update.
- Select Actions > Mark Issue As [Status].
- Select a reason for the status change. See Reasons for Changing the Status of Issues for more information.
- Optionally, add a comment with more details about the status change.
- Select Mark Issues As [Status].
Reasons for Changing the Status of Issues
VRM lets you select different reasons for changing the status of an issue depending on the current status of the issue.
Active to Noted
You can select the following reasons for changing the status of an issue from Active to Noted:
| Reason | Description |
|---|---|
| Remediating Risk | We will fix this issue to effectively eliminate the risk. |
| Mitigating Risk | We will reduce the risk, though not fully eliminate it (e.g. compensating controls). |
| Transferring Risk | Another group will be responsible for the risk and is investigating this. |
| Accepting Risk | The risk is still there, but we do not plan to address it. |
Noted to Active
You can select the following reasons for changing the status of an issue from Noted to Active:
| Reason | Description |
|---|---|
| Needs more risk analysis | Further investigation is required before we can make an issue resolution decision. |
| Needs different solution | A different solution is needed to address this issue. |
| Issue was not supposed to be Noted | Correcting an unintentional issue status change. |
Active or Noted to Resolved
You can select the following reasons for changing the status of an issue from Active or Noted to Resolved:
| Reason | Description |
|---|---|
| Issue Remediated | The risk has been eliminated by fixing the issue. |
| Asset Retired | The asset that had the issue has been removed. |
| Risk Out-of-Scope | The asset and/or issue are not in scope for risk analysis. |
| Duplicate Issue | The issue has a duplicate unresolved issue. |
| False Positive | The issue was a false positive with no actual risk. |
To Current Status
You can select the following reasons when setting the status of an issue to its current status:
| Reason | Description |
|---|---|
| Update Comment | Update the comment for this issue. |
Resolved to Active or Noted
Typically, you do not change the status of resolved issues. In some cases where you manually resolved an issue, you can select the following reasons to change the status:
| Reason | Description |
|---|---|
| Issue was not resolved | The issue was not resolved and needs further investigation. |
| Issue was not supposed to be Resolved | Correcting an unintentional issue status change. |
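The status lifecycle and the reason tables above together define a small state machine. The following is an added example (not VRM code, and not its API) that encodes those transitions so a script driving bulk status changes can reject an invalid status/reason pairing before it is applied, and keeps an audit trail of each change; the `Issue` class, `mark_as` and `is_valid_transition` names are assumptions for illustration.

```python
"""Issue lifecycle state machine mirroring the VRM statuses and status-change reasons."""
from dataclasses import dataclass, field

STATUSES = ("Active", "Noted", "Resolved")
TO_RESOLVED = {"Issue Remediated", "Asset Retired", "Risk Out-of-Scope",
               "Duplicate Issue", "False Positive"}
FROM_RESOLVED = {"Issue was not resolved", "Issue was not supposed to be Resolved"}

# Allowed reasons per (current status, new status), as listed in the tables above.
REASONS = {
    ("Active", "Noted"): {"Remediating Risk", "Mitigating Risk",
                          "Transferring Risk", "Accepting Risk"},
    ("Noted", "Active"): {"Needs more risk analysis", "Needs different solution",
                          "Issue was not supposed to be Noted"},
    ("Active", "Resolved"): TO_RESOLVED,
    ("Noted", "Resolved"): TO_RESOLVED,
    ("Resolved", "Active"): FROM_RESOLVED,
    ("Resolved", "Noted"): FROM_RESOLVED,
}
SAME_STATUS_REASONS = {"Update Comment"}  # re-marking with the current status only updates the comment


class InvalidTransition(ValueError):
    """Raised when a status/reason pairing is not permitted by the lifecycle."""


def allowed_reasons(current: str, new: str) -> set:
    """Return the reasons VRM offers for moving an issue from `current` to `new`."""
    if current not in STATUSES or new not in STATUSES:
        raise InvalidTransition(f"unknown status: {current!r} -> {new!r}")
    return set(SAME_STATUS_REASONS) if current == new else set(REASONS[(current, new)])


def is_valid_transition(current: str, new: str, reason: str) -> bool:
    """True if `reason` is one of the reasons offered for this status change."""
    try:
        return reason in allowed_reasons(current, new)
    except InvalidTransition:
        return False


@dataclass
class Issue:
    issue_id: str
    status: str = "Active"  # new issues default to Active
    history: list = field(default_factory=list)

    def mark_as(self, new_status: str, reason: str, comment: str = "") -> str:
        """Apply a status change, recording who-what-why for the audit trail."""
        if not is_valid_transition(self.status, new_status, reason):
            raise InvalidTransition(f"{self.issue_id}: {self.status} -> {new_status} with {reason!r}")
        self.history.append({"from": self.status, "to": new_status,
                             "reason": reason, "comment": comment})
        self.status = new_status
        return self.status
```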