During a scan, the scanner finds vulnerabilities within the target’s URLs. When the scanner finds a vulnerability, a finding is created. The finding’s state can change either automatically (by the scanner, as a result of a scan or re-test) or manually (by means of the user’s actions).
A finding can have the following states:
Not fixed - a vulnerability was found and is waiting to be fixed. This state is not controlled by the user; as long as a scan or re-test finds the vulnerability, the finding will be set as Not fixed.
Invalid - the vulnerability was marked as invalid. This state is a result of a user action; you can use it to report a False Positive.
Accepted risk - the vulnerability was marked as accepted risk. This state is a result of a user action; this can be used to identify vulnerabilities that the user doesn’t consider in need of being fixed.
Fixed - a previously existing vulnerability couldn’t be found while running a subsequent scan using the same profile (or a broader one), thus it has been marked as fixed; this state is not user controlled.
Re-testing - a previously existing vulnerability is being re-tested. This state is a result of a user action and can lead to either a Fixed vulnerability (if the scanner isn’t able to replicate the vulnerability during the re-test) or Not fixed vulnerability (if the scanner is able to find it again during the re-test).
In sum, Invalid, Accepted risk and Re-testing are states controlled by the user, while Fixed and Not fixed are states set by the scanner.