Application Vulnerable Item fields

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read

    • Application vulnerable items (AVITs) are automatically created during third-part vulnerability integration imports.

    Application vulnerable item fields

    Except for the Assignment group, Assigned to fields and Notes, all other fields in the AVI are read-only.

    Field Description
    Number Automatically generated AVI identifier for this record.
    Scan type Type of scanner that found this AVI.
    Choices are:
    • Dynamic
    • Static
    • SCA
    Risk rating Quantified Risk Score separating vulnerable items into Critical, High, Medium, Low, and None. For more information on risk ratings, see, Calculate risk in Application Vulnerability Response automatically.
    Risk score

    Calculated amount of risk the AVI poses to your environment.

    For more information, see Calculate risk in Application Vulnerability Response automatically.
    Remediation commitment date The date AVITs should be remediated after it is moved into Under Investigation. This field only appears if the AVIT is in Under Investigation.
    Remediation target Date by which the AVITs should be remediated, since first identified. Only appears when applicable.

    For more information on remediation targets, see Automate remediation target tracking in Application Vulnerability Response.
    Remediation status

    Status of the remediation for the AVIT. It is determined by the AVIT with the nearest due date, when applicable.

    States include:
    • In-flight
    • Approaching Target
    • Past Target
    Category Name Name of the category of the vulnerability.
    Vulnerability ID of the vulnerability associated with this application vulnerable item.
    Application release Version of the application.

    Application module

    		 Affected application in DAST scan. Hidden for SAST scans.
    Location

    Version 14.0: SAST

    DAST: URL location of the vulnerability within the application.

    SAST: File path and line number of the vulnerability within the application.
    State This field defaults to Open when created. See Application Vulnerable Item (AVI) states for more information on how states are mapped.
    Reason [Only visible when the AIV is in the Closed state.] Explanation of the State.
    Assignment group Group selected to work on this AVIT. Can be manually added or edited by an App-Sec Manager.
    Assigned to Individual from the selected assignment group that works on this AVI. Can be manually added or edited by an App-Sec Manager
    First found Date the third-party source first found the application vulnerable item.
    Last found Date the third-party source last found the application vulnerable item.
    Closed [Only visible when the AVIT is in the Closed state.] Date the AVI was closed.
    Closed by [Only visible when the AVIT is in the Closed state.] Entity that closed the AVIT.
    Summary Imported description of the vulnerability.
    Findings

    Read-only data imported from third-party integration.
    Source AVIT ID Imported identifier for the source AVIT.
    Source severity Imported severity from the source application.
    Source target fix date Imported date by which the source expects the AVIT to be remediated.
    Source mitigation status Imported mitigation status from the source application.
    Source remediation status Imported remediation status from the source application.
    Source finding status [Only visible when populated] Imported issue status from the source application.
    SDLC status Imported Software Development Life Cycle status.
    Complies with Policy Imported compliance status. If not status is provided, this field is set to Not Applicable.
    Source link URL to the source AVIT.
    Source notes Imported notes from the source.
    Vulnerability summary Imported summary from the source.
    Vulnerability explanation Imported explanation from the source.
    Recommendation Imported recommendation from the source.
    References Imported references from the source.
    HTTP Request/Response (only visible for DAST scans)
    Source request HTTP request
    Source response HTTP response
    Notes
    Remediation Plan Details for how the AVITs will be remediated. The plan should be implemented by the Remediation commitment date. This field only appears if the AVIT is in Under Investigation.
    Additional comments/Work notes Any relevant information. Select the text box for Work notes to add information.

    Starting with Vulnerability Response v20.0, you can add work notes in the Notes section for a deferred application vulnerable item.
    Age calculations for an AVIT:
    • The Age column in the AVIT list displays the duration (format: Days HH:MM:SS) for which an AVIT is active. The Age value is zero for a closed AVIT.
    • The Age closed column in the AVIT list displays the duration (format: Days HH:MM:SS) for which an AVI is active before it is closed. For a AVITs, other than in the Closed state, the Age closed value is zero.