Set vulnerability policy

Administrators can define requirements for vulnerability policy based on any vulnerability rule, severity, application(s) and route which should comply.

To create a new policy:

  1. Under policy management, select Vulnerability management.

  2. In the grid, select the Auto-verification or Violation tab, and then Add policy.

  3. In the panel that opens, enter:

    • Name (required)

    • Vulnerability rules: Select individual rules, all rules, or rules for vulnerabilities of a particular severity.

    • Applications: Select individual applications, all applications, or applications affected by vulnerabilities of a particular severity.

    • Environment: Select all environments, or just development, test or production.

  4. To add a time-based trigger, select the box next to Auto-verify any existing vulnerability after: and enter a time limit, to ad a time based trigger.

    Route-based triggers only work for certain technologies with identifiable routes. If this is available, you can also select a route-based trigger.

    Note

    When using a policy with a route-based trigger, it is recommended to also use define a time-based trigger to account for those vulnerabilities which have been remediated in such a way that cannot be associated back to the original finding in Contrast. Typically, these cases only arise when the code was deleted, and therefore cannot be re-exercised, or redefined such that it occurs on a different route.

  5. Select Save.

Important

If multiple policies affect the same vulnerability, the following rules determine Contrast's course of action:

  • Between two time-based triggers, the action with the closest deadline applies first. For example, if a violation deadline applies first, the vulnerability is flagged and then auto-verified when the later deadline applies.

  • Auto-verification policies take precedence over violation policies. For example, if an auto-verification deadline applies first, the vulnerability is closed and never flagged.

Note

If Contrast rediscovers a legitimate vulnerability that was auto-verified, Contrast will reopen the vulnerability as usual.

In this section: