Working Collaboratively in Triage Flaws

Results and Reports

The Triage Flaws page enables a team of developers and security reviewers to work with the flaws reported by Veracode. The types of collaboration on the Triage Flaws page include discussing flaws via comments from multiple reviewers, documenting mitigating controls, and documenting potential false positives.

Tracking Comments from Multiple Reviewers

You can make a comment on a flaw that other team members can review. Possible remediation methods, work assignments, and other shared notes can be recorded as comments on the flaw. Because user comments are not exported to reports, the team can treat the comments as a private "working area" while it remediates flaws.

To leave a comment on a flaw, do the following:

  1. Check out the flaw.
  2. Select Comment from the Action list (if it is not already selected).
  3. Enter a comment (up to 1024 characters) in the comment text field and click Save.
  4. Check the flaw back in.

Marking a Flaw as a Potential False Positive

Veracode tries to keep the volume of incorrectly reported flaws low, but occasionally you may find a flaw that is not valid. If you think that Veracode made a mistake in identifying something as a flaw, you can identify the flaw as a potential false positive. Veracode periodically reviews issues reported as false positives as part of a continuous improvement process.

Identifying a flaw as a potential false positive does not cause Veracode to remove it from your published report. Your organization can remove a potential false positive from the published report by approving it. If your organization approves a flaw as a false positive, your organization is accepting the risk that this flaw might be real.

To mark a flaw as a potential false positive:

  1. Check out the flaw.
  2. Select Potential False Positive from the Action list.
  3. Enter the reason you think that the flaw is a potential false positive (up to 1024 characters) in the comment text field and click Save.
  4. Check the flaw back in.

To approve a potential false positive and remove it from the report:

  1. Check out the flaw.
  2. Select Mitigation Accepted from the Action list.
  3. Enter the reason for acceptance (up to 1024 characters) in the comment text field and click Save.
  4. Check the flaw back in. The flaw is removed from the report and shows in the list of mitigated flaws.

Reviewing Other Users' Activities

You can see other users' comments, mitigation descriptions, and potential false positive notes for each flaw. All activities are saved in the list of past actions for the flaw, along with the ID of the user who made the change and the time at which the action was taken.
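The check-out/action/check-in procedures above and the per-flaw action history can be modelled as a small state machine. The following is an added illustration, not Veracode's code or API: the `Flaw` class, its status names and the `mitigated_flaws` helper are assumptions; only the three Action-list entries, the 1024-character comment limit and the report behaviour come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_COMMENT = 1024  # comment length limit stated on the page
ACTIONS = {"Comment", "Potential False Positive", "Mitigation Accepted"}


@dataclass
class Flaw:
    """Hypothetical model of one flaw's triage state (not Veracode's own code)."""
    flaw_id: int
    checked_out_by: Optional[str] = None
    status: str = "Open"  # Open -> Proposed False Positive -> Mitigated
    history: List[Dict] = field(default_factory=list)

    def check_out(self, user: str) -> None:
        # Check-out is an exclusive lock: one reviewer edits a flaw at a time.
        if self.checked_out_by not in (None, user):
            raise PermissionError(f"flaw {self.flaw_id} is checked out by {self.checked_out_by}")
        self.checked_out_by = user

    def check_in(self, user: str) -> None:
        if self.checked_out_by != user:
            raise PermissionError("only the user holding the check-out can check the flaw in")
        self.checked_out_by = None

    def act(self, user: str, action: str, comment: str) -> None:
        """Apply one entry from the Action list; every action is logged with user ID and time."""
        if self.checked_out_by != user:
            raise PermissionError("check the flaw out before acting on it")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not comment or len(comment) > MAX_COMMENT:
            raise ValueError(f"comment must be 1..{MAX_COMMENT} characters")
        if action == "Potential False Positive":
            self.status = "Proposed False Positive"  # stays in the published report
        elif action == "Mitigation Accepted":
            self.status = "Mitigated"  # removed from the report; risk accepted
        self.history.append({"user": user, "action": action, "comment": comment,
                             "at": datetime.now(timezone.utc)})

    @property
    def in_report(self) -> bool:
        return self.status != "Mitigated"


def mitigated_flaws(flaws: List[Flaw]) -> List[int]:
    """IDs that appear in the list of mitigated flaws rather than in the report."""
    return [f.flaw_id for f in flaws if not f.in_report]
```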