Question
If a code change has been made to resolve a vulnerability, will the relevant Contrast finding be closed out automatically?
Answer
Unlike SAST and DAST tools, which have a defined start and end to each scan, the Contrast agent monitors the application continuously, so there is no single point at which a finding can be declared gone. As a result, there are a few different ways of managing your findings:
Manually:
If a vulnerability is marked as Remediated, it is considered closed but will be reopened (and returned to Reported) if the agent rediscovers it. If a vulnerability is marked as Fixed, it remains closed even if rediscovered and will never be reported again; only Administrators can set this status. Because Fixed suppresses rediscovery, reserve it for cases where the code change has been confirmed, and prefer Remediated when in doubt.
For a full list of statuses, please see: Vulnerability - Status
Automatically:
If you run a series of tests against your application on a regular schedule, you can define a Remediation Policy. This lets you specify that, if a vulnerability has not been seen within a certain timeframe, it should be marked Remediated automatically. The timeframe must be longer than the interval between test runs: for example, if your tests run weekly, a policy of 8 days means that a finding not seen for 8 days was missed by the most recent run and is auto-remediated. Note that this relies on the tests actually exercising the vulnerable code path; if test coverage for that route is removed, the finding will be auto-remediated without the code having changed, and it will only reopen when the agent next sees the vulnerability.
For details on creating a Remediation Policy, please see: Policy Management - Remediation Policy
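To make the timing rule concrete, here is an added Python model of the auto-remediation rule described above. It is not Contrast's code: the finding identifiers, timestamps and the `auto_remediate` and `safe_threshold` helpers are constructed for illustration. It also shows the edge case the 8-day example guards against: a threshold equal to the 7-day run period closes a finding that is still present if the policy is evaluated while the next run is slightly late.

```python
from datetime import datetime, timedelta

# Constructed sample data, not Contrast output. Each finding maps to the time
# the agent last observed it. "Now" is fixed so the example is reproducible.
NOW = datetime(2024, 3, 15, 12, 0)
TEST_PERIOD = timedelta(days=7)  # the test suite runs weekly

FINDINGS = {
    # seen during the most recent run: still present
    "sqli-login": NOW - timedelta(days=2),
    # not seen since two runs ago: the last run did not find it
    "xss-search": NOW - timedelta(days=9),
    # seen during the previous run; this week's run is 2 hours late and has
    # not reported yet, so the finding may well still be present
    "path-traversal-download": NOW - timedelta(days=7, hours=2),
}


def auto_remediate(findings, now, threshold):
    """Return the ids a remediation policy would mark Remediated: every
    finding not observed within `threshold` of `now`."""
    return sorted(fid for fid, seen in findings.items() if now - seen > threshold)


def safe_threshold(period, slack=timedelta(days=1)):
    """Pick a threshold longer than the run period, so a finding is only
    auto-remediated after a complete run has had the chance to miss it."""
    return period + slack


if __name__ == "__main__":
    # A threshold equal to the period closes the still-present finding early.
    print("7-day policy closes:", auto_remediate(FINDINGS, NOW, TEST_PERIOD))
    # Period plus a day of slack closes only the finding the last run missed.
    print("8-day policy closes:", auto_remediate(FINDINGS, NOW, safe_threshold(TEST_PERIOD)))
```

The slack value is an assumption for the example; size it to the largest delay you actually see between scheduled runs, since a late run combined with a tight threshold is what produces a false Remediated status.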
2-Way Bugtracker Integration:
You can also use a bug tracker integration, such as the two-way JIRA or VSTS/TFS integration, where the vulnerability is pushed to the bug tracker either manually or automatically. In this scenario, when the developer fixes the vulnerability and closes the ticket in the bug tracker, the vulnerability in the Contrast UI is automatically marked as Remediated. Because the status is Remediated rather than Fixed, the finding will still reopen if the agent rediscovers it, which guards against a ticket being closed without a real fix.
You can find more information on configuring JIRA and VSTS/TFS for bug tracking here: Contrast UI Integrations