Automated Waivers
The Automated Waivers feature offers the capability to automatically manage waivers for security policy violations that have no path forward.
A policy violation is considered to have no path forward if no safe (non-violating) version of the component is available.
Policy violations that are auto-waived will not appear in subsequent application evaluation reports, allowing development teams to focus on the policy violations that are actionable.
Automated Waivers also save time by eliminating the redundant task of creating waivers for no path forward security policy violations.
Configure Automated Waivers for Lifecycle
You can enable or disable Automated Waivers at the application, organization, or root organization level.
Configuration options include:
The maximum threat level of the policy violation for which automated waivers will be applied.
The eligibility of the policy violations for which automated waivers will be applied.
For example, a policy violation is considered eligible for applying automated waivers if no upgrade path (no newer, non-violating version of the component) is available.
To enable Automated Waivers for an application or organization:
Navigate to Orgs and Policies in the left navigation bar and click on the Waivers option on the top right scroll bar.
Click on the Automated Waivers are disabled row under the Waivers section, to go to the configuration page.
Select the Max. Threat Level and Scope for which you want to configure Automated Waivers.
When configured, an Automated Waiver will be applied if the policy violation meets the configuration criteria specified.
After enabling Automated Waivers, a re-evaluation (or new evaluation) of the application is required before automated waivers are applied to its policy violations.
To disable Automated Waivers for an application or organization:
Uncheck the No Upgrade Path check box.
Click on the Delete Auto Waiver button.
Exclusion Log
The Exclusion Log on the Automated Waivers configuration page contains a list of exclusions that were applied to Automated Waivers. Learn more about Exclusion of Automated Waivers.
Working with Automated Waivers
Applications should be evaluated (or re-evaluated) after Automated Waivers have been enabled. The generated application report will show the policy violations that are auto-waived.
Click on the policy violation with the Auto tag to view the component details page.
Click on the Policy Violations tab on the top of the component details page. The policy violation to which the automated waiver is applied will be indicated by the Auto tag.
Click on the policy violation with the Auto tag to view the security violation details. Navigate to the Applicable Waivers tab. The Auto tag under the Expiration section indicates that the applicable waiver is an automated waiver.
Automated Waivers do not expire.
If the eligibility conditions for the automated waiver are no longer satisfied (for example, a safe version of the component becomes available), the policy violation will no longer be auto-waived after subsequent evaluations.
Exclusion of Automated Waivers
If you no longer want a policy violation to be automatically waived, you can exclude or remove the Automated Waiver by clicking on the Remove auto-waiver for this policy violation setting.
If an Automated Waiver is removed from a policy violation, it will not be re-applied to that exact same violation after subsequent re-evaluations. To waive such a violation, follow the process to apply waivers manually, or use the Exclusion Log to re-enable the Automated Waiver.
To view all excluded/removed Automated Waivers at the policy violation level, navigate to the Exclusion Log in the Configure Automated Waivers section of Lifecycle.
Delete Exclusion
The Exclusion Log in the Configure Automated Waivers section of Lifecycle contains a list of all policy violations to which automated waivers were applied but were later excluded or removed manually.
To re-enable Automated Waivers on the policy violation, navigate to the Exclusion Log. Click on the delete icon in the row corresponding to the policy violation in the list.
Click Continue to re-enable the Automated Waiver for the selected policy violation. An Automated Waiver will be applied after the next re-evaluation.
Policy Re-evaluation Options
We recommend using the most recent evaluation report. Re-evaluating application reports allows you to keep your applications updated with the most recent component upgrade recommendations.
A full Re-evaluate will:
apply automated waivers to security policy violations (as configured).
remove automated waivers if a safe component is available for the remediation of the policy violation.
Re-evaluating applications that have automated waivers can cause longer evaluation times. You can skip the re-evaluation of automated waivers by clicking on the Quick Re-evaluate button.
A Quick Re-evaluate will skip the re-evaluation of automated waivers and:
Not apply automated waivers to newer policy violations.
Not remove existing automated waivers from policy violations, even if a safe component is available for upgrade.
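The following Python model ties together the rules described in the Configuration, Exclusion of Automated Waivers and Policy Re-evaluation sections above: eligibility (no safe version and threat level at or below the configured maximum), the configuration scope (application, organization, root organization), the Exclusion Log, and the difference between a full and a quick re-evaluate. It is an added illustration, not Sonatype Lifecycle code: the class names, the resolution order of the configuration levels, and the sample violations are assumptions, and the component names and versions are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of the automated-waiver rules; NOT Sonatype Lifecycle code.
# Class/function names, the config resolution order and the sample data are assumed.


@dataclass(frozen=True)
class Violation:
    component: str        # component name as seen in the application
    version: str          # version the application currently uses
    policy: str           # name of the violated security policy
    threat_level: int     # policy threat level, 0 (lowest) to 10 (highest)
    safe_versions: tuple  # newer, non-violating versions known for this component

    @property
    def key(self):
        # Identity of "the exact same violation" across evaluations.
        return (self.component, self.version, self.policy)


@dataclass
class AutoWaiverConfig:
    enabled: bool
    max_threat_level: int = 10  # the "Max. Threat Level" setting


@dataclass
class WaiverState:
    auto_waived: set = field(default_factory=set)  # violation keys currently auto-waived
    exclusions: set = field(default_factory=set)   # violation keys listed in the Exclusion Log


def effective_config(app: Optional[AutoWaiverConfig],
                     org: Optional[AutoWaiverConfig],
                     root: Optional[AutoWaiverConfig]) -> AutoWaiverConfig:
    """Assumed resolution: the most specific configured level wins (app > org > root)."""
    for cfg in (app, org, root):
        if cfg is not None:
            return cfg
    return AutoWaiverConfig(enabled=False)


def has_no_path_forward(v: Violation) -> bool:
    """No path forward means no safe (non-violating) version of the component exists."""
    return len(v.safe_versions) == 0


def is_eligible(v: Violation, cfg: AutoWaiverConfig) -> bool:
    """Eligible when the feature is on, the threat level is within the maximum,
    and the violation has no upgrade path."""
    return cfg.enabled and v.threat_level <= cfg.max_threat_level and has_no_path_forward(v)


def full_reevaluate(violations, cfg, state):
    """Full Re-evaluate: apply auto-waivers where eligible and remove them where a
    safe version is now available. Excluded violations are never auto-waived again."""
    for v in violations:
        if v.key in state.exclusions or not is_eligible(v, cfg):
            state.auto_waived.discard(v.key)
        else:
            state.auto_waived.add(v.key)
    return state


def quick_reevaluate(violations, cfg, state):
    """Quick Re-evaluate: existing auto-waivers are left exactly as they are, so nothing
    new is waived and nothing is removed even if a safe version now exists."""
    return state


def remove_auto_waiver(key, state):
    """'Remove auto-waiver for this policy violation': the violation goes to the Exclusion Log."""
    state.auto_waived.discard(key)
    state.exclusions.add(key)
    return state


def delete_exclusion(key, state):
    """Delete Exclusion: the waiver is only re-applied by the next full re-evaluation."""
    state.exclusions.discard(key)
    return state


def actionable(violations, state):
    """Violations a developer still has to act on (auto-waived ones carry the Auto tag)."""
    return sorted(v.key for v in violations if v.key not in state.auto_waived)


# Constructed sample violations (not real components, versions or advisories).
SAMPLE = [
    Violation("lib-a", "1.0", "Security-High", 9, ()),          # no safe version
    Violation("lib-b", "2.1", "Security-Critical", 10, ("2.2",)),  # upgrade path exists
    Violation("lib-c", "0.5", "Security-Medium", 6, ()),         # no safe version
    Violation("lib-d", "3.0", "Security-Critical", 10, ()),      # above the max threat level
]

if __name__ == "__main__":
    cfg = effective_config(None, AutoWaiverConfig(enabled=True, max_threat_level=9), None)
    state = full_reevaluate(SAMPLE, cfg, WaiverState())
    print("auto-waived:", sorted(state.auto_waived))
    print("actionable:", actionable(SAMPLE, state))
```

Running the module prints which sample violations are auto-waived under an organization-level configuration with a maximum threat level of 9: lib-a and lib-c qualify, lib-b does not (a safe version exists), and lib-d does not (threat level 10 exceeds the maximum). Calling `remove_auto_waiver` followed by `full_reevaluate` shows that an excluded violation stays unwaived until `delete_exclusion` and another full re-evaluation; calling `quick_reevaluate` after a safe version appears shows that quick re-evaluation leaves the existing waiver in place while `full_reevaluate` removes it.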
Enabling Automated Waivers Feature
The introductory release of this feature (Release 186) requires users to enable it. Refer to Feature Configuration REST API for details on enabling the Automated Waivers feature for your instance of Lifecycle.