Introduction to False Positive

A false positive is a condition wherein the scanner reports that a vulnerability exists in the system, but in reality there is no vulnerability. There can be multiple reasons like incorrect classification, improper logic or algorithm in the scanner. The remediation owner can mark vulnerable items (VIs) or vulnerability groups (VGs) as false positives.

Life cycle of a false positive

Meaning of false positive

The scanner sometime gives a warning, when in reality there is no vulnerability. For example, if a configuration item has been decommissioned but the scanner is still raising an issue related to it, mark it as a false positive.

Marking as a false positive

For details on marking a VI or VG as a false positive, see Mark as a false positive.

Working with the false positive

Once a VI or VG is marked as a false positive, the state is updated to Closed and the substate is changed to False Positive. The following actions can be performed:

Reopen
Delete
Update the date in the Until field. This date is then used as the expiry date for the false positive.

Note: If not approved, the VI or VG reverts to its previous state.

Approving a false positive

The approver can approve the false positive from their approval workflow.

Reopening a false positive

A VI or VG in a false positive substate can be reopened anytime.

Tracking a false positive

Use the State Change Approvals section to track the status of the false positive. Once approved, the state of the VI or VG is updated to Closed and the reason is False Positive.

Expiry of a false positive

Only the false positive approver can set an Until date for the false positive, for the VI or VG to expire. Also, only false positives for which the approver has provided an Until date can expire. This date can be provided after the false positive is approved.

A false positive without an Until date is a permanent false positive. After the false positive expires, the state of the VI or VG moves back to Open.

False positive approval process

The approval process is automatic if all VIs pass the next scan. The VIs auto-close regardless of the current state. The VIs or, where applicable, the VG State fields change to Closed with the substate Fixed.

Introduction to False Positive

Life cycle of a false positive

Meaning of false positive

Marking as a false positive

For details on marking a VI or VG as a false positive, see Mark as a false positive.

Working with the false positive

Once a VI or VG is marked as a false positive, the state is updated to Closed and the substate is changed to False Positive. The following actions can be performed:

Reopen
Delete
Update the date in the Until field. This date is then used as the expiry date for the false positive.

Note: If not approved, the VI or VG reverts to its previous state.

Approving a false positive

The approver can approve the false positive from their approval workflow.

Reopening a false positive

A VI or VG in a false positive substate can be reopened anytime.

Tracking a false positive

Use the State Change Approvals section to track the status of the false positive. Once approved, the state of the VI or VG is updated to Closed and the reason is False Positive.

Expiry of a false positive

A false positive without an Until date is a permanent false positive. After the false positive expires, the state of the VI or VG moves back to Open.

False positive approval process

How search works:

Topics are ranked in search results by how closely they match your search terms

Introduction to False Positive

Introduction to False Positive

Life cycle of a false positive

On this page

Introduction to False Positive

Introduction to False Positive

Life cycle of a false positive

Log in to personalize your search results and subscribe to topics