Triaging issues in an application

All issues are classified as 'new' by default; an issue's classification is shown as its status. If no issues display for an application, associate a security scan with the application; until a scan is associated, you must manage its issues from a report in the Scans view. If you move a scan job from one application to another, none of your issue management changes are lost.

Before you begin

  1. You must have either global "Manage Issues on All Applications" permissions, or have Basic/Full permission on the specific application before you can triage any of its issues.
  2. If a scan is not associated with an application, triage its issues through the reports in the Scans view (same as 9.0.0.1 and earlier).

Learn more about issue classification:

You can exclude issues that are false positives or that are resolved from future views. Use Issue Classification to mark New issues as Open, Fixed, In Progress, Passed, or as Noise to reduce confusion and track progress better.

Use issue triage to do the following tasks:

Reduce noise so that you can focus on the real issues.
While you are reviewing issues, you can classify those issues that do not need to be fixed as noise or passed. Noise issues include those issues that might be false positives. Passed issues require manual verification or review. After you classify issues as noise or passed, you can then focus on other issues, such as open, reopened, and in progress. Issues that are open or reopened have a negative impact on your overall summaries.

Track progress toward remediation.
You can track progress by evaluating each new issue and classifying it as open, fixed, in progress, noise, or passed. Assigning issues a status helps you better manage the volume of issue data. You can identify and track what issues to fix first and what does not need to be fixed at all.

Show positive results.
Classifying issues also helps you show positive results or progress in your organization's scores to give your key stakeholders a more realistic picture of your site's performance.

Procedure

  1. In an application tab, group by Severity, Issue Type, Status, or Scanner, and expand the category sections that are of interest to you.
  2. Click Issue ID > Edit Attributes for any new issue to open the About this Issue report. This report contains valuable information about the issue, such as advisories and fix recommendations. Use this information to help you determine whether the issue is really an issue for your organization. Add comments if necessary, but note that they can't be deleted.
  3. To change an issue status from a new state:
    1. Verify that an issue is really an issue according to your corporate standards before you change its status or assign it to be fixed. Click the Location link to open the page in a new browser window. By checking the live page of the issue, you can see the full context of the issue as your website users might experience it.
    2. If the issue needs further attention but you are not assigning it yet to be fixed, classify it as open.
    3. Assign it to a team member to fix by classifying it as in progress. In the sidebar, click just the In Progress filter to display only those issues. Copy the URL into an email and send it to the team member who is responsible for fixing the issues.
    4. Customize the issue list view so that issues with the statuses fixed, noise, and passed are hidden from view. Go to List menu > Customize View to make your selections. Then, as you classify issues with one of these statuses, they disappear from the list so that you can continue focusing on the issues that need attention.
      Note:
      1. New in 9.0.3.1 iFix2: By default, Scan Coverage Findings are filtered from view. To remove the default, go to List menu > Customize View and clear the Scan Coverage Findings check box. This affects the formulas that display in the Portfolio tab, because the formulas don't include scan coverage findings in their calculations.
      2. You can add the issues back to the list by removing the applicable filter in the Customize view dialog.
      3. These filters do not affect the quick stats counts in the application sidebar.
      4. When you mark an issue as fixed, the date and time are recorded in the About this Issue dialog.
    5. When the issues are fixed, run the appropriate scans again and repeat the process until all of the issues are triaged.
  4. Modify issue attributes to add more information. For example, some information might not be available when you import issues from a third-party scanner, such as a description or CVSS metrics. To learn more about modifying CVSS metrics, see Changing the severity of an issue by modifying its CVSS score.
    Note: Any issue attributes that you edit for this application do not affect issues in other applications, even if an issue is associated with another application.
  5. Click Save Attributes and close the dialog.
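As an added illustration (not part of this documentation and not the product's own code), the following Python model captures the triage rules described above: every issue starts as new, marking an issue fixed records the time, the customized list view hides fixed/noise/passed issues and Scan Coverage Findings by default, the sidebar quick stats ignore those filters, and the Portfolio formulas exclude coverage findings. The `Issue` class, function names and the way an issue becomes 'reopened' are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Statuses named on this page. 'reopened' is listed but how an issue reaches it
# is not described here; assumed to be a rescan finding a 'fixed' issue again.
STATUSES = {"new", "open", "in progress", "fixed", "reopened", "noise", "passed"}
# Statuses the page says weigh negatively on the overall summaries.
NEGATIVE_IMPACT = {"open", "reopened"}
# Default customized list view: hide fixed/noise/passed issues.
DEFAULT_HIDDEN = {"fixed", "noise", "passed"}

@dataclass
class Issue:
    issue_id: str
    severity: str
    status: str = "new"                    # every issue starts as 'new'
    scan_coverage_finding: bool = False    # filtered from view by default
    fixed_at: Optional[datetime] = None    # recorded when marked fixed

def classify(issue: Issue, status: str) -> Issue:
    """Set an issue's status; marking it fixed records the date and time."""
    if status not in STATUSES:
        raise ValueError(f"unknown status: {status}")
    issue.status = status
    if status == "fixed":
        issue.fixed_at = datetime.now(timezone.utc)
    return issue

def list_view(issues, hidden=DEFAULT_HIDDEN, show_coverage=False):
    """The issue list after Customize View: hidden statuses and coverage findings drop out."""
    return [i for i in issues
            if i.status not in hidden and (show_coverage or not i.scan_coverage_finding)]

def quick_stats(issues):
    """Sidebar quick stats: counts by status, unaffected by view filters."""
    counts = {}
    for i in issues:
        counts[i.status] = counts.get(i.status, 0) + 1
    return counts

def portfolio_open_count(issues):
    """Open or reopened issues that weigh on the summary; coverage findings are excluded."""
    return sum(1 for i in issues
               if i.status in NEGATIVE_IMPACT and not i.scan_coverage_finding)

# Constructed sample issues, not from a real scan; issue 4 is a coverage finding.
SAMPLE = [Issue("1", "High"), Issue("2", "Medium"), Issue("3", "Low"),
          Issue("4", "Info", scan_coverage_finding=True)]
```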