Application Vulnerable Item fields
- Updated Feb 1, 2024
- Washington DC
- Application Vulnerability Response
Application vulnerable items (AVITs) are automatically created during third-party vulnerability integration imports.
Application vulnerable item fields
Except for the Assignment group and Assigned to fields and the Notes section, all fields in the AVIT are read-only.
Field | Description |
---|---|
Number | Automatically generated AVIT identifier for this record. |
Scan type | Type of scanner that found this AVIT. Choices are:
|
Risk rating | Quantified Risk Score separating vulnerable items into Critical, High, Medium, Low, and None. For more information on risk ratings, see Calculate risk in Application Vulnerability Response automatically. |
Risk score | Calculated amount of risk the AVIT poses to your environment. For more information, see Calculate risk in Application Vulnerability Response automatically. |
Remediation commitment date | The date by which the AVIT should be remediated after it is moved into Under Investigation. This field only appears if the AVIT is in Under Investigation. |
Remediation target | Date by which the AVIT should be remediated, measured from when it was first identified. Only appears when applicable. For more information on remediation targets, see Automate remediation target tracking in Application Vulnerability Response. |
Remediation status | Status of the remediation for the AVIT. It is determined by the AVIT with the nearest due date, when applicable. States include:
|
Category Name | Name of the category of the vulnerability. |
Vulnerability | ID of the vulnerability associated with this application vulnerable item. |
Application release | Version of the application. |
Application module | Affected application in DAST scan. Hidden for SAST scans. |
Location | Version 14.0: SAST. DAST: URL location of the vulnerability within the application. SAST: File path and line number of the vulnerability within the application. |
State | This field defaults to Open when created. See Application Vulnerable Item (AVI) states for more information on how states are mapped. |
Reason | [Only visible when the AVIT is in the Closed state.] Explanation of the State. |
Assignment group | Group selected to work on this AVIT. Can be manually added or edited by an App-Sec Manager. |
Assigned to | Individual from the selected assignment group that works on this AVIT. Can be manually added or edited by an App-Sec Manager. |
First found | Date the third-party source first found the application vulnerable item. |
Last found | Date the third-party source last found the application vulnerable item. |
Closed | [Only visible when the AVIT is in the Closed state.] Date the AVIT was closed. |
Closed by | [Only visible when the AVIT is in the Closed state.] Entity that closed the AVIT. |
Summary | Imported description of the vulnerability. |
Findings | Read-only data imported from third-party integration. |
Source AVIT ID | Imported identifier for the source AVIT. |
Source severity | Imported severity from the source application. |
Source target fix date | Imported date by which the source expects the AVIT to be remediated. |
Source mitigation status | Imported mitigation status from the source application. |
Source remediation status | Imported remediation status from the source application. |
Source finding status | [Only visible when populated] Imported issue status from the source application. |
SDLC status | Imported Software Development Life Cycle status. |
Complies with Policy | Imported compliance status. If no status is provided, this field is set to Not Applicable. |
Source link | URL to the source AVIT. |
Source notes | Imported notes from the source. |
Vulnerability summary | Imported summary from the source. |
Vulnerability explanation | Imported explanation from the source. |
Recommendation | Imported recommendation from the source. |
References | Imported references from the source. |
HTTP Request/Response (only visible for DAST scans) | |
Source request | HTTP request |
Source response | HTTP response |
Notes | |
Remediation Plan | Details for how the AVIT will be remediated. The plan should be implemented by the Remediation commitment date. This field only appears if the AVIT is in Under Investigation. |
Additional comments/Work notes | Any relevant information. Select the text box for Work notes to add information. Starting with Vulnerability Response v20.0, you can add work notes in the Notes section for a deferred application vulnerable item. |
- The Age column in the AVIT list displays the duration (format: Days HH:MM:SS) for which an AVIT is active. The Age value is zero for a closed AVIT.
- The Age closed column in the AVIT list displays the duration (format: Days HH:MM:SS) for which an AVIT is active before it is closed. For AVITs in any state other than Closed, the Age closed value is zero.
For more information on how to customize the calculation of Age and Age closed durations, see the KB1703270 article.