Clearing Policy Violations - Waiving vs. Claiming vs. Status

Q. If you receive a policy violation on a component and you've determined you want to clear it from the report, is it better to mark it as not applicable, waive the violation, or resolve it by changing the status?
 
A. If you are trying to clear a single security violation from a report, the best course of action is to change its status. For example, for a security violation you can mark it as "not applicable" in the details view.
 
If you want to disable all future violations of the policy for a component, you should either waive or claim.
 
To disable a specific policy for a component for all current and future violations, make sure the component match is either exact or similar and then waive the violation.
 
To disable all policy violations for a component (current and future), you should claim it. Claiming is intended to be used in cases where a component isn't in our data and you know the component is your own. If you claim a component you won't get any further information on it from our data, because you are saying you know what it is, and you are the source of information for that component.
 
If the component match is "unknown" and you've determined that you have the best source of information for it, then you should claim it. Once you've claimed a component you own it, and you're responsible for maintaining the information on it.
 
Status changes, waivers and claims apply only to the exact policy and component (as matched by checksum) where they are applied.
 
There are options to apply a policy waiver to "All components" or "All applications" in an organization, but these options are not encouraged. Wanting to use them usually means that adjusting your policy rules is the better option.
 
Update - Nexus IQ Server Versions 53 and Later
 
Nexus IQ Server version 53 introduced fine-grained waivers. A fine-grained waiver lets you waive one specific violation for a component. Other violations of the same policy for that component remain, and new violations of the policy for the component will still show up in the future.
 
However, note that marking a vulnerability as "not applicable" silences it regardless of any later change to its severity, whereas a waiver stops only the specific violation it was applied to. So if you waive a "security medium" violation, for example, you can get a new violation if the vulnerability's score later rises so that it violates "security high". Using a waiver can therefore produce more violation noise than using "not applicable".
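The difference between a fine-grained waiver and a "not applicable" status change is easiest to see by modelling how each suppression is keyed. The following is an added example written for this article, not Sonatype code and not the IQ Server's real evaluation logic: the policy bands, the checksum, the vulnerability identifier and the scores are all constructed for the demo. A waiver is keyed on (component, policy, violation), so when the same vulnerability's score moves into a different policy's band the waiver no longer matches and a fresh violation opens; a "not applicable" status is keyed on (component, vulnerability) and keeps silencing it.

```python
from dataclasses import dataclass

# Constructed threat-level bands for three illustrative policies. These are
# an assumption for the demo, not Nexus IQ's actual policy definitions.
POLICIES = {
    "security-high": (7.0, 10.0),
    "security-medium": (4.0, 6.9),
    "security-low": (0.1, 3.9),
}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str   # constructed identifier, e.g. "VULN-1"
    score: float   # severity score that decides which policy fires


@dataclass(frozen=True)
class Component:
    checksum: str  # policy actions are keyed by the matched component checksum
    vulns: tuple


@dataclass
class Suppressions:
    # "not applicable" status changes: keyed by (checksum, vuln_id), so they
    # silence the vulnerability whatever policy its score maps to.
    not_applicable: set
    # Fine-grained waivers (IQ 53+): keyed by (checksum, policy_id, vuln_id),
    # so they stop exactly one violation of one policy.
    waivers: set


def policy_for(score):
    """Return the policy whose band contains the score, or None."""
    for policy_id, (low, high) in POLICIES.items():
        if low <= score <= high:
            return policy_id
    return None


def evaluate(component, suppressions):
    """Return the open (policy_id, vuln_id) violations for a component."""
    open_violations = []
    for vuln in component.vulns:
        policy_id = policy_for(vuln.score)
        if policy_id is None:
            continue
        if (component.checksum, vuln.vuln_id) in suppressions.not_applicable:
            continue  # status change: silenced regardless of policy
        if (component.checksum, policy_id, vuln.vuln_id) in suppressions.waivers:
            continue  # waiver: silenced only for this policy
        open_violations.append((policy_id, vuln.vuln_id))
    return open_violations


def rescore(component, vuln_id, new_score):
    """Return a copy of the component with one vulnerability's score changed."""
    updated = tuple(
        Vulnerability(v.vuln_id, new_score) if v.vuln_id == vuln_id else v
        for v in component.vulns
    )
    return Component(component.checksum, updated)


def compare_waiver_and_status():
    """Walk the scenario from the article: waive vs. mark not applicable,
    then let the vulnerability's score climb into the next band."""
    comp = Component("sha1:constructed-checksum", (Vulnerability("VULN-1", 5.5),))

    waived = Suppressions(not_applicable=set(),
                          waivers={(comp.checksum, "security-medium", "VULN-1")})
    marked_na = Suppressions(not_applicable={(comp.checksum, "VULN-1")},
                             waivers=set())

    before = {
        "waiver": evaluate(comp, waived),
        "not_applicable": evaluate(comp, marked_na),
    }
    bumped = rescore(comp, "VULN-1", 8.2)  # score now falls in security-high
    after = {
        "waiver": evaluate(bumped, waived),
        "not_applicable": evaluate(bumped, marked_na),
    }
    return before, after


if __name__ == "__main__":
    before, after = compare_waiver_and_status()
    print("before rescore:", before)
    print("after rescore: ", after)
```

Both suppressions clear the report at score 5.5. After the rescore to 8.2 the waiver no longer matches, so `evaluate` reports a new `security-high` violation for the same vulnerability, while the "not applicable" entry still silences it. When triaging, that is the trade-off to keep in mind: a waiver is the narrower, more auditable choice, and the status change is the quieter one.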
 