Question
If a code change has been made to resolve a vulnerability, will the relevant Contrast finding be closed out automatically?
Answer
Unlike SAST and DAST tools, the Contrast agent monitors the application continuously, so there is no defined start and end point for a "scan" at which every finding is automatically re-checked. As such, there are a few different ways to manage your findings:
Manually:
If a vulnerability is marked as Remediated, it is considered closed but will be reopened (and returned to Reported) if the agent detects it again. If a vulnerability is marked as Fixed, it remains closed even if it is rediscovered and will never be reported again, so use Fixed only when you are certain the code path is gone and prefer Remediated when you want Contrast to confirm the fix.
For a full list of statuses, please see: Vulnerability - Status
Note: Administrator approval can be configured as a requirement to close vulnerabilities.
Automatically:
Contrast has several auto-verification policies that can be enabled to automate the remediation of vulnerabilities in the Contrast UI:
Time-based auto-verification: This policy uses a time-based trigger that auto-verifies and closes a vulnerability if it has not been detected again within the configured timeframe.
This policy is best enabled in an environment that undergoes testing on a regular schedule.
For example, if testing occurs weekly, an 8-day time-based auto-verification policy will auto-remediate every vulnerability that is not detected again during the following week of testing; the extra day gives the next run time to complete before the window closes.
*You can use automated or manual testing with this type of auto-verification.
Session-based auto-verification (Recommended): This policy uses the session metadata values set in the agent configuration to define a session. At the end of a test run you must make an API call to end the session; vulnerabilities from that session that were not detected again are then auto-verified.
For details on configuring a test run for Session-based auto-verification, please see: Set auto-verification vulnerability policies
*You need an automated test suite for this type of auto-verification.
Route-based auto-verification: This policy uses the session metadata values set in the agent configuration to define a session, plus a route-based trigger. The route-based trigger closes a vulnerability reported on a specific route when that same route is observed being exercised again without the vulnerability. This trigger is only available for technologies where Contrast can identify routes.
*You need an automated test suite for this type of auto-verification.
For details on auto-verification policies, please see: Vulnerability management policies
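The session-based flow above, as an added example that is not Contrast's own code: a CI wrapper that sets session metadata in the agent configuration through environment variables, runs the test suite, and ends the session afterwards. The metadata keys (branchName, commitHash, buildNumber, testRun) and the CONTRAST__APPLICATION__SESSION_METADATA / CONTRAST__APPLICATION__SESSION_ID environment mapping follow the agent configuration reference, but confirm them for your agent version; the close-session endpoint path, request body and auth headers are assumptions for illustration, so take the exact request from "Set auto-verification vulnerability policies". The variables CONTRAST_URL, CONTRAST_ORG_ID, CONTRAST_APP_ID, CONTRAST_API_KEY, CONTRAST_AUTHORIZATION, GIT_BRANCH, GIT_COMMIT and BUILD_NUMBER are assumed to be supplied by the pipeline.

```shell
#!/bin/sh
# Added example (not Contrast's own code): wrap an automated test run so that
# Session-based auto-verification can evaluate it.
set -eu

# Session metadata is a comma-separated list of key=value pairs. The keys used
# here are taken from the agent configuration reference; confirm the list for
# your agent version.
build_session_metadata() {
  # $1 branch, $2 commit hash, $3 build number, $4 test-run label
  printf 'branchName=%s,commitHash=%s,buildNumber=%s,testRun=%s' "$1" "$2" "$3" "$4"
}

# A value containing ',' or '=' would corrupt the key=value list and an empty
# value gives Contrast nothing to group the session on; reject both.
validate_metadata_value() {
  case "$1" in
    ""|*,*|*=*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run the test command with the agent's session settings exported. The
# double-underscore names are the agents' environment mapping of
# application.session_id / application.session_metadata.
run_test_session() {
  # $1 session id, $2 metadata string, remaining args: the test command
  session_id="$1"; metadata="$2"; shift 2
  CONTRAST__APPLICATION__SESSION_ID="$session_id" \
  CONTRAST__APPLICATION__SESSION_METADATA="$metadata" \
    "$@"
}

# End the session so Contrast can auto-verify what was not seen again.
# ASSUMPTION: endpoint path, JSON body and header names are placeholders;
# replace them with the documented close-session request.
close_session() {
  # $1 Contrast base URL, $2 org UUID, $3 app UUID, $4 session id
  curl --fail --silent --show-error -X PUT \
    -H "API-Key: ${CONTRAST_API_KEY}" \
    -H "Authorization: ${CONTRAST_AUTHORIZATION}" \
    -H "Content-Type: application/json" \
    -d "{\"session_id\": \"$4\"}" \
    "$1/Contrast/api/ng/$2/agent-sessions/$3/close"
}

# Orchestration, gated so the file can be sourced without touching the network.
if [ "${CONTRAST_RUN_SESSION:-0}" = "1" ]; then
  for v in "$GIT_BRANCH" "$GIT_COMMIT" "$BUILD_NUMBER"; do
    validate_metadata_value "$v" || { echo "bad session metadata value: '$v'" >&2; exit 1; }
  done
  md=$(build_session_metadata "$GIT_BRANCH" "$GIT_COMMIT" "$BUILD_NUMBER" "integration")

  # Only close the session when the whole suite ran. Ending a session after a
  # partial run would let vulnerabilities whose code was never exercised be
  # auto-verified as remediated when they were simply not tested.
  if run_test_session "$BUILD_NUMBER" "$md" ./run-integration-tests.sh; then
    close_session "$CONTRAST_URL" "$CONTRAST_ORG_ID" "$CONTRAST_APP_ID" "$BUILD_NUMBER"
  else
    echo "tests failed; leaving Contrast session open so nothing is auto-verified" >&2
    exit 1
  fi
fi
```

Set CONTRAST_RUN_SESSION=1 in the pipeline step that runs the suite; the same session id must be used for the run and the close call, otherwise the close request cannot be matched to the findings the agent reported.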
2-Way Bugtracker Integration:
You can also use a bug tracker integration, such as our two-way JIRA or VSTS/TFS integration, where the user manually or automatically pushes the vulnerability to the bug tracker. In this scenario, when the developer fixes the vulnerability and closes the ticket in the bug tracker, the vulnerability in the Contrast UI is automatically marked as Remediated, so it will be reopened if the agent detects it again.
You can find more information on configuring JIRA and VSTS/TFS for bug tracking here: Contrast UI Integrations