Mend SCA Statuses

Overview

This document explains the existing statuses in the Dependencies section of the Mend AppSec Platform (Mend SCA).

To enhance vulnerability lifecycle tracking and improve alignment with remediation workflows, Mend SCA introduced several new statuses in version 25.7.1. These enhancements ensure better granularity, improved compatibility with the Legacy SCA application, and stronger visibility into the remediation process.

Mend SCA Statuses

Status	Scope	Description
Unreviewed	Direct Libraries Libraries Findings	Existing status. Indicates a vulnerability (finding) or component (library) has not yet been triaged.
In Review	Direct Libraries Libraries Findings	New status introduced in 25.7.1. Indicates the component is under evaluation. Note: Does not reflect parent-child relationships (e.g., between libraries and findings).
Issue Created	Direct Libraries	New status introduced in 25.7.1. Applied automatically when a Jira issue is created for a direct library.
Remediated	Libraries Findings	New status introduced in 25.7.1. Behaves like `library-removed` in Legacy SCA. Indicates the library or finding is no longer present.
Suppressed	Direct Libraries Libraries Findings	Existing status. Applied when all related components in a sub-tree are suppressed. Remains an aggregated status for root libraries.

Status Mapping: Legacy SCA vs. Mend SCA

Legacy SCA	Mend SCA (AppSec Platform)
`Active`	`Unreviewed`
`Resolved (library removed)`	`Remediated`
`Ignored`	`Suppressed`

Status Behavior Details

Issue Created

Triggered only when a Jira issue is opened for a direct library.
Remains active even if the issue is later deleted (not reversible in this phase).

Remediated

Represents the removal of a library or finding.
Stronger than any other status.
Available for libraries and findings only (not shown for direct libraries unless a vulnerability was directly linked).
If a library reappears in future scans:
** If previously associated with "Issue Created" → revert to Issue Created.
** Else → revert to Unreviewed.

Suppressed

Applied at the root library level only if all sub-tree components are also suppressed.
Stronger than “Issue Created.” When a suppressed component is unsuppressed, it reverts to “Issue Created” if that was the previous state.
For all levels (direct libraries, libraries, findings):
** If suppression is removed → revert to Unreviewed.

In Review

Represents manual triage in progress.
Does not aggregate status across parent-child relationships.

Status Transitions & Rules

Scenario	Resulting Status
Suppress → Unsuppress	`Unreviewed`
Library removed → Reappears in scan	`Issue Created` (if previously assigned), otherwise `Unreviewed`
Suppressed → Library removed → Library returns	`Suppressed`
Suppressed → Unsuppress	`Issue Created` (if assigned), otherwise `Unreviewed`
Library removed (Remediated) → Any previous status	`Remediated` (takes precedence)

Backward Compatibility

To ensure seamless migration and preserve user workflows, status mappings between Legacy SCA and Mend SCA (AppSec Platform) remain fully supported and backward-compatible.