This article gives an overview of each status a vulnerability can have within Nucleus.
Each status is intended to represent a specific stage of the vulnerability management workflow so that users can manage and track vulnerabilities through the entire workflow. These statuses can show up on either the "Active Vulnerability List" or the "Mitigated Vulnerability List".
The statuses within Nucleus can be assigned manually, or via the scans which are imported. Nucleus has the ability to map statuses from certain consoles to Nucleus statuses. For example, if in Snyk a user marks a finding as a false positive, that status will carry over into Nucleus and that finding will be marked as a false positive in Nucleus as well.
The statuses that Nucleus supports are as follows:
Active - This is the default status of a vulnerability in Nucleus. All findings reported by scanners start as Active. Active means that the vulnerability is present and has not yet been addressed.
False Positive - This status reports that a specific vulnerability is a false positive: the scanner flagged something as a vulnerability that is not one, and the status is intended to remove the finding from the active vulnerability list. Vulnerabilities marked as false positives move to the mitigated list, where a user can click on the finding and review its details. If the finding was marked as a false positive by accident, the user can change its status back to Active from the mitigated list.
Fixed - This status tells the vulnerability manager that a finding has been marked as fixed by the person who remediated it, but that the fix still needs to be confirmed by a vulnerability scanner. It works well for network-type vulnerabilities that a network scanner can easily detect, for example disabling SSLv2 and SSLv3. Once the work is complete, the sysadmin marks the vulnerability as Fixed, but it is not officially mitigated until a vulnerability scan confirms that the finding is no longer detected.
Mitigated - This status is similar to Fixed, but does not need to be validated by a scan. Because no scanner validation is required for the finding to be considered fully mitigated, this status should generally be accompanied by a comment or evidence showing that the vulnerability has been mitigated. Think of it as "Fixed - Confirmed Manually"; it also applies to other mitigations, such as a compensating control that limits the impact of a specific vulnerability, which can be noted in the comments and evidence section.
In-Progress - This status denotes vulnerabilities that are in the process of being fixed. It works like a column on a development board, giving a vulnerability manager insight at a glance into which tasks are underway.
Waiting for Verification - This status is generally used when validating the vulnerability has been assigned to somebody else via a ticket. It implies that someone is working on it and that we are waiting to learn whether it is a true vulnerability or not.
Waiting for 3rd Party - This status is similar to Waiting for Verification, but denotes that a third party is involved and we are waiting on them. For example, we found a vulnerability in an MSP-managed system and reported it to the MSP, but we are waiting for their confirmation that it has been fixed.
Accepted Risk - This status marks a vulnerability whose risk does not meet the business's threshold for remediation, or a valid vulnerability whose risk the business has chosen to accept. The reasoning behind the acceptance belongs in the comments and evidence section so that it can be revisited later.
Duplicate - Occasionally more than one scanner, or more than one scan, reports the same vulnerability. Nucleus allows the user to mark such findings as duplicates, a status that shows that this vulnerability is being tracked elsewhere.
Partially Mitigated - This status shows that some of the assets for this vulnerability have been manually marked as mitigated, but the vulnerability is still active on other assets. This commonly occurs when you mark a single asset as a False Positive while other assets are still affected by that vulnerability.
The following are only relevant to the Mitigated Page:
Mitigated Via Scan - The vulnerability was mitigated via a scan ingest, so Nucleus automatically marked this vulnerability as mitigated without user interaction.
Partially Scan Mitigated - This status reflects that some of the assets were mitigated via a scan ingest, but some of the assets are still actively affected by the vulnerability. Such a finding shows up as Active on the Active page and as Partially Scan Mitigated on the Mitigated page.
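The rules above (which per-asset statuses keep a finding on the Active list, how a scan ingest produces Mitigated Via Scan, and when a finding rolls up to Partially Mitigated or Partially Scan Mitigated) can be written down as a small state model. The Python below is an added illustration for this article, not Nucleus code and not its API. The Vulnerability class, the two list-membership sets, and three behaviours are assumptions of the example: a Fixed asset that the scanner still reports is reopened as Active, assets that were not in the scan are left untouched, and manual decisions (False Positive, Mitigated, Accepted Risk, Duplicate) are never overwritten by a scan.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(str, Enum):
    """Per-asset statuses, named as the Nucleus UI names them."""
    ACTIVE = "Active"
    FALSE_POSITIVE = "False Positive"
    FIXED = "Fixed"                          # claimed fixed, awaiting scan confirmation
    MITIGATED = "Mitigated"                  # confirmed manually or compensating control
    IN_PROGRESS = "In-Progress"
    WAITING_VERIFICATION = "Waiting for Verification"
    WAITING_THIRD_PARTY = "Waiting for 3rd Party"
    ACCEPTED_RISK = "Accepted Risk"
    DUPLICATE = "Duplicate"
    MITIGATED_VIA_SCAN = "Mitigated Via Scan"  # set only by scan ingest


# Assumption: which statuses keep an asset on the Active list and which move it
# to the Mitigated list. Fixed stays Active because a scan has not confirmed it.
STILL_ACTIVE = {Status.ACTIVE, Status.FIXED, Status.IN_PROGRESS,
                Status.WAITING_VERIFICATION, Status.WAITING_THIRD_PARTY}
MANUALLY_MITIGATED = {Status.FALSE_POSITIVE, Status.MITIGATED,
                      Status.ACCEPTED_RISK, Status.DUPLICATE}


@dataclass
class Vulnerability:
    """Hypothetical model of one finding tracked across several assets."""
    plugin_id: str
    assets: dict[str, Status] = field(default_factory=dict)   # hostname -> status
    evidence: dict[str, str] = field(default_factory=dict)    # hostname -> comment

    def set_status(self, host: str, status: Status, comment: str = "") -> None:
        """Manual status change; Mitigated Via Scan is reserved for ingest."""
        if status is Status.MITIGATED_VIA_SCAN:
            raise ValueError("Mitigated Via Scan is set by scan ingest only")
        if status in MANUALLY_MITIGATED and not comment:
            raise ValueError(f"{status.value} needs a comment or evidence")
        self.assets[host] = status
        if comment:
            self.evidence[host] = comment

    def ingest_scan(self, scanned: set[str], still_vulnerable: set[str]) -> None:
        """Reconcile per-asset statuses with the latest scan.

        `scanned` is the set of hosts the scan covered; `still_vulnerable` is
        the subset on which the scanner still reports this finding. Hosts that
        were not scanned are left alone (no scan is not the same as a clean
        scan). Manual decisions are never overwritten by ingest.
        """
        for host, status in list(self.assets.items()):
            if host not in scanned:
                continue
            if host in still_vulnerable:
                if status is Status.FIXED:          # fix claim contradicted by scanner
                    self.assets[host] = Status.ACTIVE
                    self.evidence[host] = "Fixed claim not confirmed by scan"
            elif status in STILL_ACTIVE:            # finding gone, no manual decision
                self.assets[host] = Status.MITIGATED_VIA_SCAN

    def rollup(self) -> tuple[Optional[str], Optional[str]]:
        """Return (label on the Active list, label on the Mitigated list).

        None means the finding does not appear on that list at all.
        """
        statuses = set(self.assets.values())
        active = {s for s in statuses if s in STILL_ACTIVE}
        mitigated = statuses - active
        if not mitigated:                            # every asset still open
            return (active.pop().value if len(active) == 1 else "Active", None)
        if not active:                               # every asset closed
            return (None, mitigated.pop().value if len(mitigated) == 1 else "Mitigated")
        if Status.MITIGATED_VIA_SCAN in mitigated:   # mix of open and scan-closed assets
            return ("Active", "Partially Scan Mitigated")
        return ("Partially Mitigated", "Partially Mitigated")


def demo() -> tuple:
    """Constructed walk-through: SSLv2/SSLv3 finding on three hosts."""
    v = Vulnerability("ssl-v2-v3-enabled")
    for host in ("web1", "web2", "web3"):
        v.assets[host] = Status.ACTIVE
    v.set_status("web1", Status.FALSE_POSITIVE, "Port 443 on web1 is a decoy listener")
    first = v.rollup()                               # one manual closure, two open
    v.set_status("web2", Status.FIXED)
    v.set_status("web3", Status.FIXED)
    v.ingest_scan(scanned={"web2", "web3"}, still_vulnerable={"web3"})
    second = v.rollup()                              # web2 confirmed, web3 reopened
    v.ingest_scan(scanned={"web3"}, still_vulnerable=set())
    third = v.rollup()                               # everything closed, mixed reasons
    return first, second, third


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The walk-through shows the two transitions the text describes: a finding marked Fixed only reaches the Mitigated list once a scan no longer reports it, and a single False Positive on one asset is enough to make the finding Partially Mitigated while the other assets remain open.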