Skip to main content

Examples of Waiver Scoping

Imagine that your application has a component called 'example' which has a reported vulnerability CVE-20XX-1000 with a CVS of 10. There's a policy called Security-Critical with one constraint, and that constraint has one condition that reads "Security Vulnerability Severity greater than or equals 9."

Review the table below to see how the various scoping options would affect a waiver.

Scope Field Selection

Component Field Selection

Waiver Expiration Selection

Results

Application

example: example-component 1:12

7 Days

The Security-Critical policy violation is waived for example: example-component 1:12 in this application. No other components are affected.

The waiver will expire after 7 days.

Application

example: example-component (all versions)

7 Days

The Security-Critical policy violation is waived for example: example-component all versions (past, present, future) in this application. No other components are affected.

The waiver will expire after 7 days.

Organization

example: example-component 1:12

7 Days

The Security-Critical policy violation is waived for example: example-component 1:12 for every application in this Organization. No other components are affected.

The waiver will expire after 7 days.

Organization

example: example-component (all versions)

7 Days

The Security-Critical policy violation is waived for example: example-component all versions (past, present, future) for every application in this Organization. No other components are affected.

The waiver will expire after 7 days.

Root Organization

example: example-component 1:12

7 Days

The Security-Critical policy violation is waived for example: example-component 1:12 for every application known to the IQ Server. No other components are affected.

The waiver will expire after 7 days.

Root Organization

example: example-component (all versions)

7 Days

The Security-Critical policy violation is waived for example: example-component all versions (past, present, future) for every application known to the IQ Server. No other components are affected.

The waiver will expire after 7 days.

Application

All Components

7 Days

The Security-Critical policy violation is waived for every component in this application.

The waiver will expire after 7 days.

Organization

All Components

7 Days

The Security-Critical policy violation is waived for every component for every application in this Organization.

The waiver will expire after 7 days.

Root Organization

All Components

7 Days

The Security-Critical policy violation is waived for every component for every application known to the IQ Server.

The waiver will expire after 7 days.

Application

example: example-component 1:12

Never

The Security-Critical policy violation is waived for example: example-component 1:12 in this application. No other components are affected.

The waiver will never expire, and will only stop applying if it's manually deleted.