Third-party integrations retrieve the vulnerable item detection data. Detections are distinct occurrences of vulnerabilities as reported by the scanners.

Detection data are paired with vulnerable items (VIs, VITs) and the VI state is updated based on the state of the detections. If a VI isn’t found, a new one is created. Detections are only opened or closed by the data that is found directly by a scanner.

If all detections are closed for a vulnerable item, that vulnerable item is closed. On the VI record, the state is Closed/Fixed. When all VIs are closed for a remediation task, the remediation task is closed. The state flow otherwise remains the same.

Closed VIs with a substate of fixed or stale are reopened if a new detection is created and the VIs can be matched with the new vulnerability.

Starting with version 20.0 of Vulnerability Response, if a detection is Stale and the associated VI is in Closed state, the VI's state doesn't transition to Closed - Stale. This is to avoid the VI from reopening when a new detection is identified so that you can avoid going through the entire false-positive request and approval process. To reverse this behaviour, deselect the Ignore stale detections for closed VIs check box on the Auto-Close Configuration form. For more information, see Automatically close stale detections in Vulnerability Response.

As per the script include, DetectionBase, method _shouldReOpenVI(), if the VI was earlier Closed with a substate of Fixed, Stale, or CI Decommissioned, it is reopened, and the detection is mapped to the existing VIT.

For example, let's say that a VI's closed date is later than the lastfound date of a detection. You would expect these VI records to remain closed. However, if you see that a previously closed VI has reopened, it means that the VI was closed by an earlier detection and the vulnerability was found again in a later scan. When a new detection is found that matches the closed VIT that has the same vulnerability on the VI's configuration item, the VI is reopened.