Propose Mitigating Factors for a Flaw
Before you begin:
You must have the Reviewer or Security Lead role to assign mitigating factors to a flaw in the Triage Flaws page.
To complete this task:
In the Triage Flaws page, select the checkbox in the ID column to check out the flaw. A green lock icon appears in the column to show that the flaw is checked out to you.
Click the arrow next to the checkbox to expand the details for the flaw.
From the Action dropdown menu, select one of these mitigations:
- Mitigate by Design to state that custom business logic within the body of the application addresses the vulnerability. Such logic may not be fully identifiable by an automated scan, so you are asserting that it exists and is effective.
- Mitigate by Network Environment to state that an environmental control provided by the network the application is running on addressed the vulnerability.
- Mitigate by OS Environment to state that an environmental control provided by the operating system on the machine the application is running on addressed the vulnerability.
- Potential False Positive to state that Veracode has incorrectly identified something as a vulnerability.
Proposing a flaw as a potential false positive does not by itself remove it from your published report. The flaw is removed from the published report only when your organization approves the proposal. By approving a flaw as a false positive, your organization accepts the risk that the flaw might in fact be valid.
- Reported to Library Maintainer to state that the library containing the flaw is not maintained by the current team and that you have referred the vulnerability to the library maintainer.
- Accept the Risk to state that your business is willing to accept the risk associated with a finding. Your organization evaluated the potential risk and effort required to address the finding.
In the Comments field next to the Action menu, enter the reasoning for your proposed mitigation. Comments are required; you cannot save the mitigation without them.
Click Save. Saving your action also checks the flaw back in.
A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.