Issue status classifications and workflow
Issues can be classified as new, open, in progress, noise, reopened, passed, and fixed. Issues with a status of open, in progress, or reopened appear in the issues grid of an application.
New
All issues, including those that are imported from third-party scanners, are marked as new by default until they are triaged.
Open
You assign an issue as open during triage to indicate that you triaged it and determined that it is a problem that must be addressed. Open issues remain open indefinitely until you change their status or they no longer appear in the scan data. For imported results, such as payloads from AppScan Standard, this means the issue is absent from the newly uploaded file.
In Progress
You assign an issue as in progress to indicate that someone is working on fixing the issue. Issues marked as in progress remain in this state until you change their status or they no longer appear in the scan data. For imported results, this means the issue is absent from the newly uploaded payload file.
Fixed
You assign an issue as fixed to indicate that the issue was addressed. Each issue is date and time stamped in the About this Issue dialog. Issues marked as fixed should not appear in subsequent scan data. If a native scan detects the issue again, or if it is present in a subsequently imported payload file, its status automatically changes to reopened.
Noise and Passed
You assign an issue as noise or passed to indicate that the issue is not relevant and should no longer be considered an issue. Issues are often marked as noise because they are false positives. Passed issues are typically marked as such because a subject matter expert determined that the issue, although present on the site, does not constitute a problem in the context of the current report. For example, the passed state is useful when you are evaluating accessibility guidelines or regulations. When issues are no longer relevant but continue to appear in reports, they can make you lose focus on the real website issues.
Issues that are marked as noise and passed are never reopened. If subsequent native scans continue to detect these issues, or if they continue to appear in imported payload files, they remain marked as noise or passed.
Reopened
Issues are automatically classified as reopened when they were previously assigned a fixed status, but they recur in the next scan or imported payload file. Reopened issues remain reopened indefinitely while they continue to appear in the scan data or imported files. This state helps you identify issues that need further investigation or that must be escalated in your remediation process.
Workflow
Classifying issues for the first time
The first time your application is scanned, 100 issues are identified. After you analyze the results, you determine that five false positives were discovered. You mark these five issues as noise so they do not appear in the issues list when you run the job again or import a new payload.
You also determine that 10 other issues meet your standards and mark them as passed so they do not display when you rescan the application or import new results.
Assigning issues to team members
You now have 85 issues and you assign them to various developers to be fixed. You mark these 85 issues as in progress, so that if you stop the analysis part way, you know where to resume reviewing the issues. You can also use the in progress status to indicate that the issue is being addressed.
As developers fix the problems and update the application, you mark their in progress issues as fixed.
Issue management workflow for multiple users
Because web development is typically a team effort, managing issues in a team environment can become complicated. When you update an issue state, the change is written immediately to the database; anyone else viewing the data sees the issue with its new state.
If two users manage the same issue, the status set by the last user to modify the issue is the one that is kept. For example, if Miriam marks issue A as fixed, but later Omri marks issue A as noise, then issue A's status is noise. To avoid conflicts, establish a schedule for issue management where Miriam performs issue management tasks on Tuesday, and Omri does so on Thursday.
Results
When you finish classifying the issues, you can immediately see the status changes that you made.
- If you mark an issue as fixed and a subsequent scan or imported payload file contains the issue, it appears as a reopened issue.
- The issues that are marked as in progress remain classified as in progress.
- New issues are marked as new.
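
The rescan rules described above can be modelled as a small state function, which is useful when reconciling exported results or checking that triage decisions survive a rescan. This Python model is an added example, not product code; the function names, issue IDs, and the counts of fixed, recurring and new issues are constructed for illustration.

```python
# Statuses that stay as they are while the issue keeps being detected.
STICKY = {"open", "in progress", "noise", "passed", "reopened"}
# Statuses the page lists as appearing in the application's issues grid.
GRID = {"open", "in progress", "reopened"}


def status_after_scan(prior):
    """Status of an issue that the new scan or imported payload contains.

    prior is the status before the scan, or None if never seen before.
    """
    if prior is None or prior == "new":
        return "new"          # untriaged issues stay new
    if prior == "fixed":
        return "reopened"     # a fixed issue that recurs is reopened
    if prior in STICKY:
        return prior          # noise and passed are never reopened
    raise ValueError(f"unknown status: {prior!r}")


def reconcile(tracked, detected):
    """Return {issue_id: status} for every issue in the new scan data.

    Issues absent from the scan are left out: the page does not say
    which status they end up with, so this model does not guess.
    """
    return {i: status_after_scan(tracked.get(i)) for i in sorted(detected)}


def grid_view(statuses):
    """Subset of issues that would appear in the issues grid."""
    return {i: s for i, s in statuses.items() if s in GRID}


def workflow_example():
    # Constructed data following the page's workflow: 100 issues,
    # 5 noise, 10 passed, 85 in progress, then 20 of those marked fixed.
    ids = [f"ISSUE-{n:03d}" for n in range(1, 101)]
    tracked = {i: "in progress" for i in ids}
    tracked.update({i: "noise" for i in ids[:5]})
    tracked.update({i: "passed" for i in ids[5:15]})
    tracked.update({i: "fixed" for i in ids[15:35]})
    # Constructed rescan: 3 "fixed" issues recur, 17 are gone, the other
    # 80 are still detected, and 2 previously unseen issues turn up.
    detected = set(ids[:18]) | set(ids[35:]) | {"ISSUE-101", "ISSUE-102"}
    return reconcile(tracked, detected)
```

In this constructed run, the three recurring fixed issues come back as reopened and join the in progress issues in the grid, while the noise and passed issues keep their status even though the scan still detects them.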