Fix groups

Fix groups currently apply only to issues found in static analysis scans.

Fix groups are a new approach to managing, triaging and solving issues found during static analysis scans. Once you have run a static scan, AppScan on Cloud organizes the issues found into fix groups based on vulnerability type and the required remediation task. With every new static scan, new issues are added to these groups, and new groups are created as needed.

Each issue belongs to a single fix group, which is shown in the application's Fix Group tab and in scan reports. There are three types of fix group:
Common Fix Point
Contains issues that share the same vulnerability. The entire group can be remedied by a single fix (one code point).
Common API
Contains issues that are related to the same API call. A common API group puts findings with the same root cause together if they cannot fit into a common fix point group. This lessens the context switching when reviewing results and applying the fix. In general, the fix is similar for each of the affected findings; the same fix can be applied to all issues in the group.
Common Open Source
Contains issues identified in third-party code, based on the library in which they were found. For each vulnerable library identified in the application, a fix group is created. Each fix group can have one or multiple vulnerabilities depending on how many vulnerabilities were found in the specific library. The same fix can be applied to all issues in the group.

Issues in any group always share the same vulnerability type.

Fix Group Severity

Fix Group Severity is determined by the highest severity of all the issues it contains.

Fix Group Status

Fix Group Status is assigned only when all issues in the group have the same status.

When you change the status of all issues in a group, you can choose whether to apply the same status to the issues added to the group from future scans by selecting the Automatically apply to future issues checkbox. The same option appears as "StickyStatus" in the API and as "IsSticky" in the audit trail user interface; all three names refer to the same setting. Additionally, selecting this option prevents you from modifying the status of any individual issue that is part of this group.

If you do not select the Automatically apply to future issues checkbox and new issues with different status are added from future scans, then the group's status will change to Mixed.
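The following Python model is an added illustration of the grouping, severity and status rules described above; it is not AppScan on Cloud code and does not call the AppScan API. The Issue fields fix_point, api_call and library, the severity ranking, and the precedence used to pick a group type (third-party library first, then a shared fix point, otherwise the shared API call) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed severity ranking: the page states only that a group takes the
# highest severity of the issues it contains.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Issue:
    issue_id: str
    vuln_type: str                    # every issue in a group shares this
    severity: str
    status: str = "Open"
    fix_point: Optional[str] = None   # hypothetical: the one code point whose fix remedies the issue
    api_call: Optional[str] = None    # hypothetical: the API call the issue relates to
    library: Optional[str] = None     # hypothetical: third-party library the issue was found in


@dataclass
class FixGroup:
    kind: str                         # "Common Fix Point", "Common API" or "Common Open Source"
    key: str                          # the fix point, API call or library the group is built on
    vuln_type: str
    issues: list = field(default_factory=list)
    sticky_status: Optional[str] = None   # set when "Automatically apply to future issues" is chosen

    def add(self, issue: Issue) -> None:
        if issue.vuln_type != self.vuln_type:
            raise ValueError("issues in a group always share the same vulnerability type")
        if self.sticky_status is not None:
            issue.status = self.sticky_status   # issues from future scans inherit the sticky status
        self.issues.append(issue)

    def severity(self) -> str:
        # Group severity is the highest severity among its issues.
        return max(self.issues, key=lambda i: SEVERITY_RANK[i.severity]).severity

    def status(self) -> str:
        # A group status exists only when every issue has the same status; otherwise Mixed.
        statuses = {i.status for i in self.issues}
        return statuses.pop() if len(statuses) == 1 else "Mixed"

    def set_status(self, status: str, apply_to_future: bool = False) -> None:
        # Change the status of all issues in the group at once.
        for issue in self.issues:
            issue.status = status
        self.sticky_status = status if apply_to_future else None

    def set_issue_status(self, issue_id: str, status: str) -> None:
        # With a sticky status in force, individual issues in the group cannot be modified.
        if self.sticky_status is not None:
            raise PermissionError("group has a sticky status; individual issues cannot be modified")
        for issue in self.issues:
            if issue.issue_id == issue_id:
                issue.status = status
                return
        raise KeyError(issue_id)


def group_key(issue: Issue) -> tuple:
    # Assumed precedence: third-party findings form Common Open Source groups; first-party
    # findings go to a Common Fix Point group when one fix point exists, else to a Common API group.
    if issue.library:
        return ("Common Open Source", issue.library)
    if issue.fix_point:
        return ("Common Fix Point", issue.fix_point)
    return ("Common API", issue.api_call)


def triage(groups: dict, scan_issues: list) -> dict:
    # Add the issues of one scan to existing groups, creating groups as needed.
    for issue in scan_issues:
        kind, key = group_key(issue)
        gid = (kind, key, issue.vuln_type)
        if gid not in groups:
            groups[gid] = FixGroup(kind, key, issue.vuln_type)
        groups[gid].add(issue)
    return groups


def demo() -> dict:
    # Constructed sample data: two static scans of the same application.
    first_scan = [
        Issue("1", "SQL Injection", "High", fix_point="dao.py:42"),
        Issue("2", "SQL Injection", "Medium", fix_point="dao.py:42"),
        Issue("3", "Path Traversal", "Low", api_call="open"),
        Issue("4", "Deserialization of Untrusted Data", "Critical", library="example-lib 1.0"),
    ]
    groups = triage({}, first_scan)
    sqli = groups[("Common Fix Point", "dao.py:42", "SQL Injection")]
    sqli.set_status("Noise", apply_to_future=True)   # sticky: future issues inherit "Noise"

    second_scan = [
        Issue("5", "SQL Injection", "Low", fix_point="dao.py:42"),   # lands in the sticky group
        Issue("6", "Path Traversal", "Medium", api_call="open"),
    ]
    triage(groups, second_scan)
    # No sticky status on the Path Traversal group, so one issue can be changed on its own;
    # the group then holds "Fixed" and "Open" issues and reports Mixed.
    groups[("Common API", "open", "Path Traversal")].set_issue_status("3", "Fixed")
    return groups


if __name__ == "__main__":
    for gid, group in demo().items():
        print(gid, group.severity(), group.status(), len(group.issues))
```

Running the block prints one line per group; the SQL Injection group reports severity High and status Noise even though the issue from the second scan arrived as Open, and the Path Traversal group reports Mixed.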

Tutorial

The Issue details pane displays comprehensive information about the issue, including a trace that indicates fix location and relevant issue properties.