Question
If you receive a policy violation on a component and you've determined you want to clear/remediate it from the report, is it better to mark it as not applicable, waive the violation, or resolve it by changing the status?
Answer
If you are trying to clear a single security violation from a report then the best course of action is to change its status. For example, for a security violation, you can mark it as "not applicable" in the details view.
If you want to disable all future violations of the policy for a component, then you should either waive the violation or claim the component.
To disable a specific policy for a component for all current and future violations, make sure the component match is either exact or similar and then waive the violation.
To disable all policy violations for a component (current and future) you should claim it. Claiming is intended to be used in cases where a component isn't in our data and you know the component is your own. If you claim a component you won't get any further information on it from our data, because you are saying you know what it is, and you are the source of information for that component.
If the component match is "unknown" and you've determined that you have the best source of information for it then you should claim it. Once you've claimed a component you own it, and you're responsible for maintaining the information on it.
Status changes, waivers, and claims apply only to the exact policy and component (as matched by the checksum) where they are applied.
There are options to apply a policy waiver to "All components" or "All applications" in an organization, but these options are not encouraged. When you want to use these options, it usually means that adjusting your policy rules is the better option. Review the Waiver Scoping options and determine which one is best suited to your application.
However, note that marking a vulnerability as "not applicable" silences it regardless of any later change to its severity. A waiver, on the other hand, stops only the specific violation it was applied to. So if you waive a "security medium" violation, for example, you can still get a new violation if the vulnerability's score later changes so that it violates "security high".