@@ -173,6 +173,45 @@ Test and Verification:
173173 isImplemented : false
174174 evidence : " "
175175 comments : " "
176+ Artifact-based false positive treatment :
177+ uuid : 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f
178+ risk :
179+ Without artifact-specific false positive handling, teams must repeatedly
180+ triage the same findings across different versions or deployments of the
181+ same component, leading to inefficient use of security resources.
182+ measure : |-
183+ Implement false positive marking and temporary acceptance of findings
184+ based on specific artifacts (applications, components, or repositories).
185+ This allows teams to suppress findings for specific versions or builds
186+ while maintaining visibility for future releases.
187+ description : |-
188+ Artifact-based false positive treatment enables more granular control
189+ over finding suppression by linking decisions to specific code artifacts,
190+ container images, or application versions. This approach helps maintain
191+ security oversight while reducing repeated analysis overhead.
192+ difficultyOfImplementation :
193+ knowledge : 2
194+ time : 2
195+ resources : 2
196+ usefulness : 3
197+ level : 2
198+ dependsOn :
199+ - uuid : c1acc8af-312e-4503-a817-a26220c993a0 # Simple false positive treatment
200+ implementation :
201+ - $ref : src/assets/YAML/default/implementations.yaml#/implementations/owasp-defectdojo
202+ - $ref : src/assets/YAML/default/implementations.yaml#/implementations/purify
203+ - $ref : src/assets/YAML/default/implementations.yaml#/implementations/dependencyTrack
204+ references :
205+ samm2 :
206+ - I-DM-2-A
207+ - I-DM-2-B
208+ iso27001-2017 :
209+ - 16.1.4
210+ - 16.1.6
211+ iso27001-2022 :
212+ - 5.25
213+ - 5.27
214+ tags : ["false-positive", "defect-management"]
176215 Simple visualization of defects :
177216 uuid : 55f4c916-3a34-474d-ad96-9a9f7a4f6a83
178217 risk :
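Review bot: the `risk` value at lines 178-181 is a plain multi-line scalar, whereas `measure` (182) and `description` (187) use the `|-` block indicator; a plain scalar folds the four lines into a single string, so if the rendered text of `risk` is expected to keep its line breaks like the other two fields, write it as `risk : |-` for consistency. The three `implementation` entries at lines 201-203 (`#/implementations/owasp-defectdojo`, `#/implementations/purify`, `#/implementations/dependencyTrack`) are `$ref` pointers into `implementations.yaml`; please confirm each anchor exists under that exact key, since a dangling `$ref` is not caught by YAML parsing and would only surface when the references are resolved. Minor: `dependsOn` at line 199 points to `c1acc8af-312e-4503-a817-a26220c993a0` with the comment "Simple false positive treatment"; that uuid is not visible in this diff, so it is worth a quick check that it matches the existing activity's uuid rather than a copy of another entry.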
@@ -276,6 +315,47 @@ Test and Verification:
276315 - 5.25
277316 implementation : []
278317 tags : ["vuln-action", "defect-management"]
318+ Global false positive treatment :
319+ uuid : 9e3a7c2f-1b4d-4e8a-a5c6-7f2b9d1e3a8c
320+ risk :
321+ Without centralized false positive management across environments,
322+ organizations face inconsistent security decisions, duplicated analysis
323+ efforts, and potential security gaps when the same findings are handled
324+ differently across applications and teams.
325+ measure : |-
326+ Implement global false positive and acceptance management that applies
327+ consistently across all applications. This enables organization-wide security decisions and reduces redundant
328+ analysis of common false positives.
329+ description : |-
330+ Global false positive treatment allows (security) teams to make
331+ organization-wide decisions about specific vulnerabilities or finding
332+ patterns. When a finding is marked as a false positive or temporarily
333+ accepted at the global level, this decision automatically applies to
334+ all applications in the specified environment, ensuring consistency
335+ and operational efficiency.
336+ difficultyOfImplementation :
337+ knowledge : 3
338+ time : 3
339+ resources : 2
340+ usefulness : 4
341+ level : 3
342+ dependsOn :
343+ - uuid : 8f2b4d5a-3c1e-4b7a-9d8f-2e6c4a1b5d7f # Artifact-based false positive treatment
344+ - uuid : 85ba5623-84be-4219-8892-808837be582d # Usage of a vulnerability management system
345+ implementation :
346+ references :
347+ samm2 :
348+ - I-DM-2-B
349+ - I-DM-3-A
350+ iso27001-2017 :
351+ - 16.1.3
352+ - 16.1.4
353+ - 16.1.6
354+ iso27001-2022 :
355+ - 6.8
356+ - 5.25
357+ - 5.27
358+ tags : ["false-positive", "defect-management"]
279359 Usage of a vulnerability management system :
280360 uuid : 85ba5623-84be-4219-8892-808837be582d
281361 risk :
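Review bot: `implementation :` at line 345 has no value and therefore loads as `null`, while the neighbouring activity at line 277 uses `implementation : []`; any code that iterates the implementation list would see `None` instead of an empty list here, so change it to `implementation : []` to match. Line 327 runs well past the wrapping used elsewhere in this file ("consistently across all applications. This enables organization-wide security decisions and reduces redundant"); re-wrap it to the same width as the surrounding `|-` blocks. The `iso27001-2022` list at lines 355-357 is ordered `6.8, 5.25, 5.27` whereas the other reference lists in both hunks are ascending; consider ordering it `5.25, 5.27, 6.8` unless the order is meaningful. The second `dependsOn` uuid (`85ba5623-84be-4219-8892-808837be582d`, line 344) does match the "Usage of a vulnerability management system" entry at line 360, so that dependency is consistent.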