Document status for vulnerabilities
Issue to define final statuses for vulnerabilities.
Statuses
Detected:
Definition: A vulnerability that was detected by the system and has no prior status. Detected is the default state for vulnerabilities.
Confirmed:
Definition: A vulnerability that was manually confirmed by the user by changing its status. A confirmed vulnerability is a true-positive and generally requires remediation/removal.
Dismissed:
Definition: A vulnerability that was manually dismissed by the user by changing its status. A dismissed vulnerability can be either a false-positive, or a true-positive that the user does not want to fix for one or more reasons. Typically these reasons include: the vulnerability is a duplicate of another existing vulnerability, or the vulnerability is so low in risk that the user "accepts risk" and dismisses it.
Resolved:
Definition: A vulnerability that the user manually set to the resolved status while reviewing a vulnerability that the system had flagged as remediated.
End-to-end resolution workflow:
- The system detects a vulnerability [status = detected]
- User triages the vulnerability and confirms it is a true-positive that requires remediation [status = confirmed]
- User creates an issue from the vulnerability
- Issue is prioritized and sent to a developer for remediation
- Developer remediates the vulnerability and the system no longer detects it
- System flags the vulnerability in the vulnerability list as (remediated: needs review)
- User reviews the vulnerability and confirms it has been fixed
- User sets the vulnerability status to [Resolved]
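The statuses and workflow above modelled as a small state machine, added here as an example and not code from the project this issue belongs to. The status names are the page's; the `needs_review` flag stands for the system's "(remediated: needs review)" mark, the history list is an added audit trail, and allowing an already confirmed finding to be dismissed (accepting the risk) is an assumption the page does not state.

```python
from dataclasses import dataclass, field

DETECTED, CONFIRMED, DISMISSED, RESOLVED = "detected", "confirmed", "dismissed", "resolved"

# Manual transitions a user may request: current status -> allowed targets.
# Dismissing an already confirmed finding (accepting the risk) is an assumption, not stated above.
USER_TRANSITIONS = {
    DETECTED: {CONFIRMED, DISMISSED},
    CONFIRMED: {DISMISSED, RESOLVED},
}

@dataclass
class Vulnerability:
    name: str
    status: str = DETECTED      # detected is the default status
    needs_review: bool = False  # "remediated: needs review", set only by the system
    history: list = field(default_factory=list)  # added audit trail: (actor, from, to)

    def set_status(self, user, new_status):
        """A user changes the status manually; resolved is gated on the system's flag."""
        if new_status not in USER_TRANSITIONS.get(self.status, set()):
            raise ValueError(f"{self.status} -> {new_status} is not a user transition")
        if new_status == RESOLVED and not self.needs_review:
            raise ValueError("resolve requires the system's 'remediated: needs review' flag")
        self.history.append((user, self.status, new_status))
        self.status, self.needs_review = new_status, False

    def system_no_longer_detects(self):
        """Scanner stops reporting the finding: flag it for review, never auto-resolve."""
        if self.status not in (DISMISSED, RESOLVED):
            self.needs_review = True

def run_workflow():
    """Walk the end-to-end workflow above; returns the final record (inputs are constructed)."""
    v = Vulnerability("constructed-finding-1")  # system detects -> detected
    v.set_status("triager", CONFIRMED)          # triage: true-positive, needs remediation
    v.system_no_longer_detects()                # developer fixed it; system flags needs review
    v.set_status("triager", RESOLVED)           # reviewer confirms the fix
    return v

def premature_resolve():
    """Try to resolve before the system flagged remediation; returns the rejection text."""
    v = Vulnerability("constructed-finding-2")
    v.set_status("triager", CONFIRMED)
    try:
        v.set_status("triager", RESOLVED)
    except ValueError as err:
        return str(err)
    return None
```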