Before you begin: You must have the Reviewer or Security Lead role to assign mitigating factors to a flaw in the Triage Flaws page.
To complete this task:
- In the Triage Flaws page, select the checkbox in the ID column to check out the flaw. The green lock icon appears in the column.
- Click the arrow next to the checkbox to expand the details for the flaw.
- From the Action dropdown menu, select one of these mitigations:
  - Mitigate by Design to state that custom business logic within the body of the application, which an automated scan may not be able to recognize, addresses the vulnerability.
  - Mitigate by Network Environment to state that an environmental control provided by the network the application runs on addresses the vulnerability.
  - Mitigate by OS Environment to state that an environmental control provided by the operating system on the machine the application runs on addresses the vulnerability.
  - Potential False Positive to state that Veracode has incorrectly identified something as a vulnerability.
  Note: Marking a flaw as a potential false positive does not, by itself, remove it from your published report. Your organization removes a potential false positive from the published report by approving it. By approving a flaw as a false positive, your organization accepts the risk that the flaw might be valid.
  - Reported to Library Maintainer to state that your team does not maintain the library containing the flaw and that you have reported the vulnerability to the library maintainer.
  - Accept the Risk to state that your business is willing to accept the risk associated with the finding, having evaluated the potential risk and the effort required to address it.
- In the Comments field next to the Action menu, enter your reasoning for the proposed mitigation. You cannot save the mitigation without entering a comment.
- Click Save. Saving your action also checks the flaw back in.
Note: A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.