Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVIs), at any given time. Knowing how each state relates to and affects each other helps you to determine when and how to remediate your AVIs.

Application Vulnerable Item states

Understanding how states work helps with creating or editing application vulnerable item (AVI) rules. AVIs have several possible states that are mapped from imported Remediation status from the third-party integration. In an AVI, the State field is read-only.

Table 1. Application Vulnerability Response state flow diagram
State Description
Open State upon creation. From this state you can:
V16: Get More Details
Get the following information about an AVI imported from Fortify:
  • Vulnerability summary
  • Vulnerability explanation
  • Recommendation
  • References
  • Request
  • Response
V16: Mark as false positive
Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
V16: Request exception
Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
V15: Close
Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
V15: Resolve
Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
Deferred V15: This is triggered by the Request Exception option. As part of the approval workflow, the Deferred state is In Review and cannot be closed until approved.

From this state you can:

V16: Get More Details
Get the following information about an AVI imported from Fortify:
  • Vulnerability summary
  • Vulnerability explanation
  • Recommendation
  • References
  • Request
  • Response
Reopen
Transitions a closed or resolved AVI back to an Open state.
Close
Select the Closed state, a reason, and provide addition information. Closes the AVI.
Under Investigation Select this option from the State list. From this state you can:
V20.0
Manually transition a remediation task or AVI record to Awaiting Implementation.
V16: Get More Details
Get the following information about an AVI imported from Fortify:
  • Vulnerability summary
  • Vulnerability explanation
  • Recommendation
  • References
  • Request
  • Response
V16: Mark as false positive
Mark an item as false positive if the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability.
V16: Request exception
Request an exception, a reopen (Until) date, a reason, and optionally, provide addition information. Defers the remediation of the item until the date till which an exception is requested.
V15: Close
Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.
V15: Resolve
Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
Awaiting Implementation

You can only transition records to this state manually by selecting Awaiting Implementation from AVI and remediation task records in the Under Investigation state. From this state you can:

Open
Transitions AVI back to an Open state.
Under Investigation
Get more information for resolution. Transitions to Under Investigation.
Resolve
Mark an open AVI as Resolved to move it to a resolved state. You must add resolution notes in the Resolve Application Vulnerable Item dialog box.
Close
Select the Closed state, a reason from the Close Vulnerable Item dialog box, and provide addition information. Closes the AVI.

In this state, Transition a record into Awaiting Implementation when your research and work on a task is complete and although a fix is ready for implementation, it is not yet available.

Set the Remediation Commitment date and Remediation plan fields.

After implementation, you resolve or close the records.
Resolved Triggered from the Resolve button. From this state you can:
V16: Get More Details
Get the following information about an AVI imported from Fortify:
  • Vulnerability summary
  • Vulnerability explanation
  • Recommendation
  • References
  • Request
  • Response
Reopen
Transitions back to an Open state.
Close
Select the Closed state, a reason, and provide addition information. Closes the group.

Notes and Resolution information appear under the Notes tab.
Closed Triggered from the Close button. From this state you can:

Reopen: Transitions back to an Open state.
Note: Refer to the Integrating Application Vulnerability Response with other applications for understanding different integrations that sourced the AVI.

Application Remediation Task states

From the creation to closure of an Application Remediation Task, the Application Remediation Task transitions through various states during the entire remediation process.

The state precedence is as follows:

Closed > Deferred > Resolved > In Review > Awaiting Implementation > Under Investigation > Open

The state transition happens as you perform various actions such as Defer, Open, Close, etc.

The actions you can perform on an Application Remediation Task at a specific state is similar to that of a Host Remediation Task. Hence, for more information, see the Vulnerability Response remediation task states and State roll-up and roll-down scenarios in the Vulnerability Response documentation.

Note: Starting with v23.0 of Vulnerability Response, the Close button has been removed to ensure that the closure of the Remediation task is driven by the scanner.