False Positive overview

  • Release version: Australia
  • Updated March 12, 2026
  • A false positive is a condition in which the scanner reports that a vulnerability exists in the system when in reality there is none. This can happen for several reasons, such as incorrect classification or improper logic or algorithms in the scanner. The remediation owner can mark vulnerable items (VIs) or remediation tasks (RTs) as false positives.

    Important:
    You can mark the host vulnerable items as false positive in bulk in the Vulnerability Manager Workspace. For more information on how to mark the host vulnerable items as false positive in bulk, see Bulk edit for false positive in the Vulnerability Manager Workspace.

    Life cycle of a false positive

    Meaning of false positive
    The scanner sometimes gives a warning when in reality there is no vulnerability. For example, if a configuration item has been decommissioned but the scanner is still raising an issue related to it, mark it as a false positive.
    Marking as a false positive
    For details on marking a VI or RT as a false positive, see Mark as a false positive.
    Working with the false positive
    Once a VI or RT is marked as a false positive, the state is updated to Closed and the substate is changed to False Positive. The following actions can be performed:
    • Reopen
    • Delete
    • Update the date in the Until field. This date is then used as the expiry date for the false positive.
    Note:
    If not approved, the VI or RT reverts to its previous state.
    Approving a false positive
    The approver can approve the false positive from their approval workflow.
    Note:

    Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to workflow. To configure approval rules for exception management and false positive, see Configure approval rules for Exception Management.

    Reopening a false positive
    A VI or RT in a false positive substate can be reopened at any time.
    Tracking a false positive
    Use the State Change Approvals section to track the status of the false positive. Once approved, the state of the VI or RT is updated to Closed and the reason is False Positive.
    Expiry of a false positive
    Only the false positive approver can set an Until date, the date on which the false positive for the VI or RT expires. Also, only false positives for which the approver has provided an Until date can expire. This date can be provided after the false positive is approved.
    A false positive without an Until date is a permanent false positive. After the false positive expires, the state of the VI or RT moves back to Open.
    Note:

    Starting from v21.0 of Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications for both the approver and requester after a set number of days. When a request is raised, the vulnerable item changes to In-Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the vulnerable item or remediation task reverts to Open status. The previous state is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.

    Figure 1. False positive approval process prior to v15.0

    The approval process is automatic if all VIs pass the next scan. The VIs auto-close regardless of the current state. The VIs or, where applicable, the RT State fields change to Closed with the substate Fixed.

    For more information, see Marking and approving a false positive.
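The life cycle described above (request, approval or rejection, approval timeout, expiry, permanent false positives) can be modelled as a small state machine. This is an added example in plain JavaScript, not ServiceNow API code or code from the product; it follows the v21.0 behaviour, and every name except backup_state, as well as the sample record shape and boundary handling, is an assumption.

```javascript
// Model of the false positive life cycle (added example, not ServiceNow API code).
// Only backup_state is a field name from the page; the other names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Raising a request: the item goes In-Review and its previous state is kept.
function requestFalsePositive(item, now, approvalWindowDays) {
  return { ...item, backup_state: item.state, state: 'In-Review', substate: null,
           until: null, reviewDeadline: now + approvalWindowDays * DAY_MS };
}

// Approver decision: approved closes the item, not approved restores the old state.
function decide(item, approved) {
  if (item.state !== 'In-Review') throw new Error('no pending request');
  return approved
    ? { ...item, state: 'Closed', substate: 'False Positive', reviewDeadline: null }
    : { ...item, state: item.backup_state, reviewDeadline: null };
}

// Only the approver can set the Until (expiry) date; modelled here as set after approval.
function setUntil(item, role, until) {
  if (role !== 'approver') throw new Error('only the approver can set Until');
  if (item.substate !== 'False Positive') throw new Error('not a false positive');
  return { ...item, until };
}

// Time-driven transitions: approval timeout and expiry (exact boundaries assumed).
function advance(item, now) {
  if (item.state === 'In-Review' && now > item.reviewDeadline) {
    return { ...item, state: 'Open', reviewDeadline: null }; // approver did not respond
  }
  if (item.substate === 'False Positive' && item.until !== null && now >= item.until) {
    return { ...item, state: 'Open', substate: null, until: null }; // expired
  }
  return item; // unchanged, including permanent false positives (no Until date)
}

// Audit helper: ids of false positives that will never expire on their own.
function permanentFalsePositives(items) {
  return items
    .filter((i) => i.substate === 'False Positive' && i.until === null)
    .map((i) => i.id);
}
```

Running permanentFalsePositives over an export of closed items gives the list of suppressions that no Until date will ever reopen, which is the set worth re-reviewing periodically.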