Examples of Waiver Scoping
Imagine that your application has a component called 'example' which has a reported vulnerability CVE-20XX-1000 with a CVS of 10. There's a policy called Security-Critical with one constraint, and that constraint has one condition that reads "Security Vulnerability Severity greater than or equals 9."
Review the table below to see how the various scoping options would affect a waiver.
Scope Field Selection | Component Field Selection | Waiver Expiration Selection | Results |
|---|---|---|---|
Application | example: example-component 1:12 | 7 Days | The Security-Critical policy is waived for example: example-component 1:12 in this application. No other components are affected. The waiver will expire after 7 days. |
Application | example: example-component (all versions) | 7 Days | The Security-Critical policy is waived for example: example-component all versions (past, present, future) in this application. No other components are affected. The waiver will expire after 7 days. |
Organization | example: example-component 1:12 | 7 Days | The Security-Critical policy is waived for example: example-component 1:12 for every application in this Organization. No other components are affected. The waiver will expire after 7 days. |
Organization | example: example-component (all versions) | 7 Days | The Security-Critical policy is waived for example: example-component all versions (past, present, future) for every application in this Organization. No other components are affected. The waiver will expire after 7 days. |
Root Organization | example: example-component 1:12 | 7 Days | The Security-Critical policy is waived for example: example-component 1:12 for every application known to the IQ Server. No other components are affected. The waiver will expire after 7 days. |
Root Organization | example: example-component (all versions) | 7 Days | The Security-Critical policy is waived for example: example-component all versions (past, present, future) for every application known to the IQ Server. No other components are affected. The waiver will expire after 7 days. |
Application | All Components | 7 Days | The Security-Critical policy is waived for every component in this application. The waiver will expire after 7 days. |
Organization | All Components | 7 Days | The Security-Critical policy is waived for every component for every application in this Organization. The waiver will expire after 7 days. |
Root Organization | All Components | 7 Days | The Security-Critical policy is waived for every component for every application known to the IQ Server. The waiver will expire after 7 days. |
Application | example: example-component 1:12 | Never | The Security-Critical policy is waived for example: example-component 1:12 in this application. No other components are affected. The waiver will never expire, and will only stop applying if it's manually deleted. |