Mitigating Flaws

Results and Reports

After a scan is complete, the next step in the workflow is to review all the discovered vulnerabilities in detail. Veracode enables you to sort the flaws and decide if you want to take any mitigation actions to temporarily address the flaw. You can mitigate flaws by making changes to the operating system features, network implementation, or application design. After you mark a flaw as mitigated, users in your organization with the Mitigation Approver role can accept or reject the mitigations. Accepting the mitigated flaws removes them from the application score calculation and from being considered in the determination of the application's policy status. The mitigating factors are included in the application report.

Note: You should not consider mitigations as long-term fixes for application security flaws. Environmental changes or new attack techniques can render ineffective many mitigating factors, including network and operating system mitigations. Veracode recommends that you use mitigations as part of a long-term plan to remediate the flaws in the code.

The mitigation workflow involves:

  1. Reviewing the flaws with your team
  2. Proposing mitigating factors
  3. Accepting or rejecting mitigations
  4. Viewing mitigated flaws in the report

You can do all the steps in the mitigation workflow from the Triage Flaws view, which you can access from either the Results section of the left navigation menu or from the application overview. You can perform mitigation actions on one flaw at a time or perform a mass action on multiple flaws at one time. You can accept or reject proposed mitigations from the Mitigated Flaws page.



Reviewing Flaws as a Team

After a scan completes, members of the application security and development teams can review the list of flaws and:

Commenting on Flaws

When you comment on a flaw, other team members can review the comment, share their opinions, and offer possible remediation methods, work assignments, and other shared ideas. User comments are not exported in the scan reports; therefore, you can treat the comments as a private working area while you and your team remediate flaws.

To comment on a flaw:

  1. Select the empty box in the Id column to check out the flaw. The green lock icon appears in the column.
  2. Click the arrow next to the checkbox to expand the details for the flaw.
  3. In the Action field, select Comment from the dropdown menu.
  4. Enter your comment in as much detail as possible, and click Save. Saving your action also checks the flaw back in.
Note: A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.


Reviewing All User Feedback

You can see comments, mitigation descriptions, and potential false positive reports made by other team members for each flaw. All actions display the ID of the user who left the feedback and the date and time the user performed the action.

Proposing Mitigating Factors

To be able to assign mitigating factors to a flaw in the Triage Flaws page, you must have the Reviewer or Security Lead role.

  1. Select the checkbox in the Id column to check out the flaw. The green lock icon appears in the column.
  2. Click the arrow next to the checkbox to expand the details for the flaw.
  3. From the Action dropdown menu, select one of the following mitigations:
    • Mitigate by Design to state that custom business logic within the body of the application, which may not be fully identifiable by an automated process, addressed the vulnerability.
    • Mitigate by Network Environment to state that an environmental control provided by the network the application is running on addressed the vulnerability.
    • Mitigate by OS Environment to state that an environmental control provided by the operating system on the machine the application is running on addressed the vulnerability.
    • Potential False Positive to state that Veracode has incorrectly identified something as a vulnerability.
      Note: Identifying a flaw as a potential false positive does not cause Veracode to remove it from your published report. Your organization can remove a potential false positive from the published report by approving it. If your organization approves a flaw as a false positive, it is accepting the risk that the flaw might be valid.
  4. In the comments field next to the Action menu, enter your reasoning for your proposed mitigation. You cannot save your mitigation without entering comments.
  5. Click Save. Saving your action also checks the flaw back in.
Note: A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.


Accepting and Rejecting Mitigations

To accept or reject a proposed mitigation, you must have the Mitigation Approver role. To remove mitigations from the policy evaluation and security score calculation, you must accept all proposed mitigations.

To list all the applications that have proposed mitigated flaws, from the Applications page, click Show All Applications with Mitigations. The filtered list that appears includes any application that has a proposed, accepted, or rejected mitigation. From this list, you can click any application to go straight to the Mitigated Flaws page for that application.



Accepting or Rejecting Mitigations from the Triage Flaws page

A user with the Mitigation Approver role can accept or reject proposed mitigations from the Triage Flaws page of your application. To see a list of proposed mitigations, in the Search field, select "Mitigation" and "= Mitigation Proposed". To view all mitigations except the type you selected, click the equals icon again.

Note: You can only use the Triage Flaws page to accept mitigations for internally developed applications. To accept mitigations for third-party applications, use the Mitigated Flaws page.


  1. Select the checkbox in the Id column to check out the flaw. The green lock icon appears in the column.
  2. Click the arrow next to the checkbox to expand the details for the flaw.
  3. From the Action menu in the details, select Mitigation Accepted or Mitigation Rejected.
  4. In the Comments field next to the Action menu, enter the reasoning for your decision. You cannot save your action without entering comments.
  5. Click Save. Saving your action also checks the flaw back in.
You can delete mitigation comments if the mitigation is not yet accepted or rejected. To delete a mitigation comment, select the checkbox next to the flaw to check it out, and then click the trash can icon next to the comment you want to delete.
Note: A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.


Accepting or Rejecting Mitigations from the Mitigated Flaws Page

A user with the Mitigation Approver role can accept or reject proposed mitigations in the Mitigated Flaws page for both internally developed and third-party applications. From the Applications page, click Show All Applications with Mitigations. From the list of applications, click View at the end of the row to see a list of the proposed, accepted, or rejected mitigations for the flaws that Veracode discovered in that application.

The Mitigated Flaws page opens. Use the Filter field to sort the flaws by ID, severity, and CWE ID.



To review the details of a flaw and accept or reject an individual proposed mitigation:

  1. Click View at the end of the flaw's row. The Details popup opens.
  2. If you have access to the source code file for the flaw, browse to its location and load it. As in the Triage Flaws page, the source code file is not uploaded to the Veracode Platform but is simply opened by the browser for viewing.
  3. Click the Comments tab to view any comments or mitigations for the flaw.
  4. When you have reviewed the details of the flaw, click either Accept, Reject, or Comment.
  5. Enter a comment (2048 characters or fewer) to explain your action, then click Check in Flaw.
Note: A user with the Mitigation Approver role who has access to your application can also check back in a flaw that you have checked out.


Managing Mitigations for Several Flaws at Once

You can make changes to multiple selected flaws at once, including commenting, marking as mitigated, or approving or rejecting mitigations (if you have the appropriate role permissions). The multiple change performs the selected action on all flaws that you currently have checked out.

Note: The maximum number of flaws you can change in a multiple change is 50,000.

Performing Multiple Changes from the Triage Flaws Page

To change more than one flaw at once from the Triage Flaws page:

  1. Search for the flaws you want to change.
  2. Check out the flaws, either one at a time or by using the checkout button in the header row to check them all out with one click.
  3. From the Take Selected Action dropdown menu at the top of the pane, select the action to perform on the selected flaws.
  4. Click Go. Veracode confirms the number of flaws you are changing and prompts you for a description of the change.
  5. Click Continue. The Veracode Platform applies the change to the checked-out flaws.
  6. Deselect the flaws one-by-one to check them in, or use the checkin button in the header row to check them all back in with one click.
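As an added example (not Veracode's own code or API), the following Python models the rules spread across the procedures above: who may propose and who may approve, the mandatory comment and its 2048-character limit, the 50,000-flaw limit on a multiple change, and the fact that only an accepted mitigation removes a flaw from the score and policy evaluation. The Flaw class, role strings, and any sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Actions a Reviewer or Security Lead may propose from the Action menu.
PROPOSAL_ACTIONS = {"Mitigate by Design", "Mitigate by Network Environment",
                    "Mitigate by OS Environment", "Potential False Positive"}
PROPOSER_ROLES = {"Reviewer", "Security Lead"}
APPROVER_ROLE = "Mitigation Approver"
MAX_COMMENT = 2048   # comment limit on the Mitigated Flaws page
MAX_BULK = 50_000    # maximum flaws in one multiple change

@dataclass
class Flaw:          # constructed model of one finding; not a Veracode type
    flaw_id: int
    status: str = "open"   # open | proposed | accepted | rejected
    history: list = field(default_factory=list)   # (user, action, comment)

def _require_comment(comment):
    # No mitigation action can be saved without a comment.
    if not comment.strip() or len(comment) > MAX_COMMENT:
        raise ValueError(f"comment must be 1..{MAX_COMMENT} characters")

def propose(flaw, action, comment, user, role):
    if role not in PROPOSER_ROLES:
        raise PermissionError(f"{role} cannot propose mitigations")
    if action not in PROPOSAL_ACTIONS:
        raise ValueError(f"unknown mitigation action: {action}")
    _require_comment(comment)
    flaw.status = "proposed"
    flaw.history.append((user, action, comment))

def decide(flaw, accept, comment, user, role):
    if role != APPROVER_ROLE:
        raise PermissionError(f"{role} cannot accept or reject mitigations")
    if flaw.status != "proposed":
        raise ValueError(f"flaw {flaw.flaw_id} has no proposed mitigation")
    _require_comment(comment)
    flaw.status = "accepted" if accept else "rejected"
    flaw.history.append((user, flaw.status, comment))

def bulk(flaws, action_fn, *args):
    # A multiple change applies one action to every checked-out flaw.
    if len(flaws) > MAX_BULK:
        raise ValueError(f"multiple change limited to {MAX_BULK} flaws")
    for flaw in flaws:
        action_fn(flaw, *args)

def policy_relevant(flaws):
    # Only accepted mitigations remove a flaw from the score and policy
    # evaluation; proposed and rejected mitigations still count.
    return sorted(f.flaw_id for f in flaws if f.status != "accepted")
```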