Dependency-Track

When triaging results, an analysis decision can be made for each finding. The following states are supported:

| State | Description |
| --- | --- |
| EXPLOITABLE | The finding is exploitable (or likely exploitable) |
| IN_TRIAGE | An investigation is in progress to determine if the finding is accurate and affects the project or component |
| FALSE_POSITIVE | The finding was identified through faulty logic or data (i.e. misidentified component or incorrect vulnerability intelligence) |
| NOT_AFFECTED | The finding is a true positive, but the project is not affected by the vulnerability identified |
| NOT_SET | Analysis of the finding has not commenced |

Audit history is maintained for every finding, including changes to analysis states. For each change, the user who made it and a timestamp of when it occurred are appended to the audit trail.
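The sketch below models the states and audit trail described above so a team can reason about them in a release gate; it is an added example, not Dependency-Track code. The record shape (`component`, `vulnerability`, optional `state`, `audit`), the `set_state` and `triage_report` helpers and the `BLOCKING` policy are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# The five analysis states listed in the table above.
STATES = {"EXPLOITABLE", "IN_TRIAGE", "FALSE_POSITIVE", "NOT_AFFECTED", "NOT_SET"}
# Assumed policy for this example: these states still need attention before release.
BLOCKING = {"EXPLOITABLE", "IN_TRIAGE", "NOT_SET"}


def set_state(finding, new_state, user, now=None):
    """Change a finding's state and append who/when to its audit trail."""
    if new_state not in STATES:
        raise ValueError(f"unknown analysis state: {new_state!r}")
    old = finding.get("state", "NOT_SET")
    if new_state == old:
        return finding  # no change, so nothing to audit
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    finding.setdefault("audit", []).append(
        {"user": user, "timestamp": stamp, "from": old, "to": new_state})
    finding["state"] = new_state
    return finding


def triage_report(findings):
    """Count findings per state and list the ones that block a release."""
    counts, blocking = Counter(), []
    for f in findings:
        state = f.get("state", "NOT_SET")  # no decision recorded yet
        if state not in STATES:
            raise ValueError(f"unknown analysis state: {state!r}")
        counts[state] += 1
        if state in BLOCKING:
            blocking.append((f["component"], f["vulnerability"], state))
    return dict(counts), blocking


# Constructed sample findings (placeholder component and vulnerability names).
FINDINGS = [
    {"component": "lib-a 1.0", "vulnerability": "VULN-0001", "state": "NOT_AFFECTED"},
    {"component": "lib-b 2.3", "vulnerability": "VULN-0002"},
    {"component": "lib-c 0.9", "vulnerability": "VULN-0003", "state": "EXPLOITABLE"},
]

if __name__ == "__main__":
    set_state(FINDINGS[1], "IN_TRIAGE", "alice")
    counts, blocking = triage_report(FINDINGS)
    print(counts)
    for row in blocking:
        print("needs attention:", *row)
```

Treating a missing state as NOT_SET keeps unreviewed findings in the blocking list instead of letting them pass silently.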