Impact of Suppressing a Security Vulnerability

Code Insight 2021 R3

The System Administrator can suppress a security vulnerability for one or more (or all) component versions associated with the vulnerability. Vulnerability suppression takes place at the Code Insight instance level. That is, once a vulnerability is suppressed for a specific component version, it is no longer counted in the vulnerability totals, nor is it visible at the project, inventory, and component-version levels. The count reduction is evident on the project dashboard and on the Vulnerabilities bar graph in the Web UI, as well as in subsequently generated API responses and reports (Project and Audit). Likewise, the suppressed vulnerability itself is no longer visible in the list of vulnerabilities on the Security Vulnerabilities window (opened when you click the graph) or in API responses or reports.

Note: The Vulnerabilities graph in the UI is shown on the Inventory view, in the Lookup Component window for a specific component version, and in Inventory Details for a given inventory item (both on the Project Inventory tab and in the Analysis Workbench).

The following describes the impact that a security vulnerability suppressed for a specific component version has on other features of Code Insight:

Advanced Search on the Project Inventory tab and Inventory View—When an inventory search is based on the vulnerability name or severity, the results do not show inventory items that are related to the suppressed vulnerability.
Alerts—Any open alerts for the suppressed vulnerability are automatically closed, and the open and closed alert counts are adjusted on the Project Inventory tab, in the Analysis Workbench, and on the Inventory view.
Policies—Once a security vulnerability is suppressed, no changes are initially made to those review policies based on vulnerabilities. However, each time one of these policies is triggered thereafter (that is, when an inventory item is published), the policy ignores the suppressed vulnerability when making a decision whether to automatically approve or reject the published inventory item. (A change in policy due to the suppression of a vulnerability does not change the existing approval/rejection status of an inventory item unless the item is manually recalled and then republished.)
Subsequent scans—Once a vulnerability is suppressed, it is not reflected in the results of subsequent scans, whether incremental or full.
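The following is an added illustrative model of the suppression semantics described above; it is not Code Insight's own code or API, and every class, function and sample value in it (the component name, the VULN-EXAMPLE identifiers, the severity threshold used by the sample policy) is a constructed assumption. It shows the one point that matters for a defender reading this page: a suppression is keyed by vulnerability plus component version, so counts, search results, alerts and publish-time policy decisions change only for that version while the same vulnerability stays visible on every other version.

```python
"""Illustrative model of instance-level vulnerability suppression.

Added example, not Code Insight's code. Names, data structures and the
sample inventory below are constructed to mirror the documented behaviour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str    # constructed placeholder identifier, not a real CVE
    severity: str   # "critical", "high", "medium" or "low"


@dataclass(frozen=True)
class ComponentVersion:
    component: str
    version: str


@dataclass
class InventoryItem:
    name: str
    component: ComponentVersion
    vulnerabilities: list   # list[Vulnerability]


@dataclass
class Alert:
    vuln_id: str
    component: ComponentVersion
    status: str = "open"


class SuppressionRegistry:
    """Suppressions are keyed by (vulnerability, component version):
    suppressing for one version leaves the same vulnerability visible
    on every other version of the component."""

    def __init__(self) -> None:
        self._suppressed: set = set()

    def suppress(self, vuln_id: str, component: ComponentVersion) -> None:
        self._suppressed.add((vuln_id, component))

    def is_suppressed(self, vuln_id: str, component: ComponentVersion) -> bool:
        return (vuln_id, component) in self._suppressed


def visible_vulnerabilities(item: InventoryItem, reg: SuppressionRegistry) -> list:
    """Vulnerabilities that still count for an inventory item."""
    return [v for v in item.vulnerabilities
            if not reg.is_suppressed(v.vuln_id, item.component)]


def severity_counts(inventory: list, reg: SuppressionRegistry) -> dict:
    """Project-level totals, as the dashboard graph would show them."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for item in inventory:
        for v in visible_vulnerabilities(item, reg):
            counts[v.severity] += 1
    return counts


def search_by_vuln_id(inventory: list, reg: SuppressionRegistry, vuln_id: str) -> list:
    """Advanced Search by vulnerability name: only non-suppressed matches."""
    return [item.name for item in inventory
            if any(v.vuln_id == vuln_id for v in visible_vulnerabilities(item, reg))]


def close_suppressed_alerts(alerts: list, reg: SuppressionRegistry) -> tuple:
    """Open alerts for a suppressed vulnerability are closed automatically.
    Returns the adjusted (open, closed) counts."""
    for a in alerts:
        if a.status == "open" and reg.is_suppressed(a.vuln_id, a.component):
            a.status = "closed"
    open_count = sum(1 for a in alerts if a.status == "open")
    return open_count, len(alerts) - open_count


def policy_decision(item: InventoryItem, reg: SuppressionRegistry,
                    max_severity: str = "medium") -> str:
    """Sample review policy evaluated at publish time; suppressed
    vulnerabilities are ignored. Threshold is a constructed assumption."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    worst = max((rank[v.severity] for v in visible_vulnerabilities(item, reg)),
                default=-1)
    return "rejected" if worst > rank[max_severity] else "approved"


# Constructed sample data: one vulnerability shared by two component versions.
LIB_1_0 = ComponentVersion("examplelib", "1.0")
LIB_2_0 = ComponentVersion("examplelib", "2.0")
VULN_A = Vulnerability("VULN-EXAMPLE-A", "high")
VULN_B = Vulnerability("VULN-EXAMPLE-B", "low")

INVENTORY = [
    InventoryItem("examplelib 1.0", LIB_1_0, [VULN_A, VULN_B]),
    InventoryItem("examplelib 2.0", LIB_2_0, [VULN_A]),
]
ALERTS = [Alert(VULN_A.vuln_id, LIB_1_0), Alert(VULN_A.vuln_id, LIB_2_0)]


def demo() -> dict:
    reg = SuppressionRegistry()
    before = severity_counts(INVENTORY, reg)
    reg.suppress(VULN_A.vuln_id, LIB_1_0)   # suppress for version 1.0 only
    return {
        "before": before,
        "after": severity_counts(INVENTORY, reg),
        "search": search_by_vuln_id(INVENTORY, reg, VULN_A.vuln_id),
        "alerts": close_suppressed_alerts(ALERTS, reg),
        "policy_1_0": policy_decision(INVENTORY[0], reg),
        "policy_2_0": policy_decision(INVENTORY[1], reg),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the high count dropping from 2 to 1 rather than to 0, the search returning only examplelib 2.0, one of the two alerts closing, and the 1.0 item passing the sample policy while 2.0 is still rejected, which is the per-version scope a reviewer should expect when auditing a suppression.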