Triaging IaC Security Results

Checkmarx One tracks specific vulnerability instances throughout your SDLC. Each vulnerability instance has a ‘Predicate’ associated with it, which consists of the following attributes: ‘State’, ‘Severity’ and ‘Notes’. After reviewing the results of a scan, you can triage the results and modify these predicates accordingly. For more info about triaging results in Checkmarx One, see Managing (Triaging) Vulnerabilities.

You can adjust the predicate for a specific vulnerability while viewing that vulnerability on the Scan Results page.

Warning

Only users with the Checkmarx One role update-result (e.g., a risk-manager) are authorized to make changes to the predicate. Only users with the role update-result-not-exploitable (e.g., an admin) are authorized to mark a vulnerability as ‘Not Exploitable’.

Triaging a Single Vulnerability

To edit the result predicate:

  1. Navigate to the vulnerability that you would like to edit.

  2. To adjust the severity, click on the Severity field, and select from the dropdown list the severity that you would like to assign. Options are: Critical, High, Medium, Low or Info.

  3. To adjust the state, click on the State field, and select from the dropdown list the state that you would like to assign. Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

  4. To add a note, click on the Note icon in the toolbar. In the Notes pane that opens, click + Add and then enter the desired text and click the Add button at the bottom.


Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicate for multiple vulnerabilities:

  1. In the Vulnerabilities table, select the checkbox next to each vulnerability for which you would like to make the changes.

    Note

    Alternatively, you can select all instances in a group of vulnerabilities by selecting the checkbox at the top of that section.

    A menu bar is shown at the top of the table.

    [Screenshot: Triaging multiple vulnerabilities]
  2. To adjust the severity, click on the Change Severity button, and select from the dropdown list the severity that you would like to assign.

    Options are: Critical, High, Medium, Low or Info.

    [Screenshot: Change Severity]
  3. To adjust the state, click on the Change State button, and select from the dropdown list the state that you would like to assign.

    Options are: To Verify, Not Exploitable, Proposed Not Exploitable, Confirmed or Urgent.

    [Screenshot: Change State]
  4. To add a note, click on the Add Note button. In the Notes pane that opens, enter the desired text and click Save.

    [Screenshot: Add Note]
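The role rule from the warning above (update-result for any predicate change, update-result-not-exploitable additionally for ‘Not Exploitable’) and the bulk action, as an added illustration that is not Checkmarx One code: the Predicate class, function names and the "reviewed" sample note are assumptions; the role names, states and severities are the ones this page lists.

```python
from dataclasses import dataclass, field

# Allowed predicate values, as listed on this page.
SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}
STATES = {"To Verify", "Not Exploitable", "Proposed Not Exploitable", "Confirmed", "Urgent"}

# Role names as quoted on this page.
ROLE_UPDATE_RESULT = "update-result"
ROLE_UPDATE_RESULT_NE = "update-result-not-exploitable"


@dataclass
class Predicate:  # hypothetical model of a result predicate
    state: str = "To Verify"
    severity: str = "Medium"
    notes: list = field(default_factory=list)


def apply_predicate_change(predicate, roles, *, state=None, severity=None, note=None):
    """Return a NEW Predicate with the requested changes, or raise.

    Authorization rule from the page: every change needs update-result;
    setting the state to 'Not Exploitable' additionally needs
    update-result-not-exploitable. The input predicate is never mutated.
    """
    roles = set(roles)
    if ROLE_UPDATE_RESULT not in roles:
        raise PermissionError("role update-result is required to modify a predicate")
    if state is not None:
        if state not in STATES:
            raise ValueError(f"unknown state: {state!r}")
        if state == "Not Exploitable" and ROLE_UPDATE_RESULT_NE not in roles:
            raise PermissionError("role update-result-not-exploitable is required for Not Exploitable")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    new = Predicate(state=state or predicate.state,
                    severity=severity or predicate.severity,
                    notes=list(predicate.notes))
    if note:
        new.notes.append(note)
    return new


def bulk_apply(predicates, roles, **change):
    """Bulk action over selected results. Because apply_predicate_change never
    mutates its input, a permission or value error on any item leaves every
    original predicate untouched (all-or-nothing)."""
    return [apply_predicate_change(p, roles, **change) for p in predicates]
```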