
Triaging DAST Vulnerabilities

Checkmarx One tracks specific risk instances throughout your software development life cycle (SDLC). Each risk instance has a Predicate associated with it, comprising the following attributes: State, Severity, and Notes. After reviewing the scan results, you can triage them and modify these predicates accordingly.

You can adjust the predicate for a specific risk while viewing that risk on the All Risks page.

When changing the Result State to Not Exploitable or Proposed Not Exploitable, a note is required to confirm the change. A change log at the bottom tracks all past changes for a single result. When multiple results are updated, the Edit title includes the number of selected results, and hovering over the State dropdown displays them.

Notice

You need dast-update-result-not-exploitable, dast-update-result-state-propose-not-exploitable, and add-notes permissions to use this feature.

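The rules described above (a predicate of State, Severity and Notes; a mandatory note for Not Exploitable and Proposed Not Exploitable; the three permissions; a per-result change log; bulk edits of several results) can be expressed as a small policy check. The following is an added example, not Checkmarx code and not the Checkmarx One API: the Predicate class, the functions, and the mapping of each permission name to the state it gates are assumptions made for illustration, and the sample findings are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    # The five result states listed on the page
    TO_VERIFY = "To Verify"
    NOT_EXPLOITABLE = "Not Exploitable"
    CONFIRMED = "Confirmed"
    URGENT = "Urgent"
    PROPOSED_NOT_EXPLOITABLE = "Proposed Not Exploitable"


# Setting either of these states requires a justification note (page rule).
STATES_REQUIRING_NOTE = {State.NOT_EXPLOITABLE, State.PROPOSED_NOT_EXPLOITABLE}

# Permission names come from the page; which state each one gates is an
# assumption made for this example.
STATE_PERMISSION = {
    State.NOT_EXPLOITABLE: "dast-update-result-not-exploitable",
    State.PROPOSED_NOT_EXPLOITABLE: "dast-update-result-state-propose-not-exploitable",
}
NOTE_PERMISSION = "add-notes"


@dataclass
class Predicate:
    """Hypothetical local model of a result predicate: state, severity, notes, change log."""
    state: State = State.TO_VERIFY
    severity: str = "Medium"
    notes: list = field(default_factory=list)
    change_log: list = field(default_factory=list)


class TriageError(Exception):
    pass


def validate_state_change(new_state, user_permissions, note):
    """Return the reasons the change is not allowed (an empty list means allowed)."""
    problems = []
    needed = STATE_PERMISSION.get(new_state)
    if needed and needed not in user_permissions:
        problems.append(f"missing permission {needed}")
    if new_state in STATES_REQUIRING_NOTE:
        if not (note and note.strip()):
            problems.append(f"a note is required to set state {new_state.value}")
        if NOTE_PERMISSION not in user_permissions:
            problems.append(f"missing permission {NOTE_PERMISSION}")
    return problems


def change_state(pred, new_state, user_permissions, note=None, user="reviewer"):
    """Apply a state change to one predicate and record it in that result's change log."""
    problems = validate_state_change(new_state, user_permissions, note)
    if problems:
        raise TriageError("; ".join(problems))
    previous = pred.state
    pred.state = new_state
    if note:
        pred.notes.append(note)
    pred.change_log.append(
        {"field": "state", "from": previous.value, "to": new_state.value,
         "by": user, "note": note}
    )
    return pred


def bulk_change_state(preds, new_state, user_permissions, note=None, user="reviewer"):
    """Bulk action: validate once up front so either every selected result changes or none does."""
    problems = validate_state_change(new_state, user_permissions, note)
    if problems:
        raise TriageError("; ".join(problems))
    for pred in preds:
        change_state(pred, new_state, user_permissions, note, user)
    return len(preds)


if __name__ == "__main__":
    # Constructed sample: two findings reviewed by a user holding the needed permissions
    perms = {"dast-update-result-not-exploitable", "add-notes"}
    findings = [Predicate(severity="High"), Predicate(severity="Low")]
    print(validate_state_change(State.NOT_EXPLOITABLE, perms, None))  # rejected: note missing
    count = bulk_change_state(findings, State.NOT_EXPLOITABLE, perms,
                              note="Input is only reflected inside an HTML comment (constructed)")
    print(count, findings[0].change_log)
```

The all-or-nothing behaviour of the bulk path is a design choice of this example, so a single missing permission or note does not leave half of a selection triaged.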

Triaging a Single Vulnerability

To edit the result predicate:

1. Open the vulnerability that you would like to edit.

2. Click the Severity button.


3. To change the state, click on the State field, and select from the dropdown list one of the following states:

  • To Verify

  • Not Exploitable

  • Confirmed

  • Urgent

  • Proposed Not Exploitable


4. To change the risk level, click on View Findings, and from the drop-down list select one of the following risk levels:

  • Urgent

  • Medium

  • Low

  • Info


You can also change the State in this window.


5. To confirm the changes, click Save.


Triaging Multiple Vulnerabilities (Bulk Action)

To edit the result predicates for multiple vulnerabilities:

  1. In the All Risks table, select the checkbox next to the risks you want to change.

    A menu bar is displayed at the top of the table.

  2. To adjust the severity, click Change Severity, and select one of the following severities from the drop-down list: Critical, High, Medium, Low, or Info.

  3. To adjust the state, click Change State, and select one of the following states from the drop-down list: To Verify, Not Exploitable, Confirmed, Urgent, or Proposed Not Exploitable.