Diffstat (limited to 'doc/development/integrations/secure.md')
-rw-r--r-- doc/development/integrations/secure.md | 9
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index dcfd0f40bf0..1094074cab6 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -374,12 +374,19 @@ which is shared by the analyzers that GitLab maintains. You can [contribute](htt
new generic identifiers to if needed. Analyzers may also produce vendor-specific or product-specific
identifiers, which don't belong in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common).
-The first item of the `identifiers` array is called the primary identifier.
+The first item of the `identifiers` array is called the [primary
+identifier](../../user/application_security/terminology/#primary-identifier).
The primary identifier is particularly important, because it is used to
[track vulnerabilities](#tracking-and-merging-vulnerabilities) as new commits are pushed to the repository.
Identifiers are also used to [merge duplicate vulnerabilities](#tracking-and-merging-vulnerabilities)
reported for the same commit, except for `CWE` and `WASC`.
+Not all vulnerabilities have CVEs, and a CVE can be identified multiple times. As a result, a CVE
+isn't a stable identifier and you shouldn't assume it as such when tracking vulnerabilities.
+
+The maximum number of identifiers for a vulnerability is set as 20. If a vulnerability has more than 20 identifiers,
+the system will save only the first 20 of them.
+
### Location
The `location` indicates where the vulnerability has been detected.
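Review bot: The added paragraph on the 20-identifier limit does not say that the order of the `identifiers` array decides what is kept. The primary identifier is the first item and is used for tracking, so it survives truncation, but any identifier past position 20 is dropped and can no longer take part in merging duplicates. Suggest stating that analyzers should list the most specific identifiers first, and rewording to present tense, for example "The maximum number of identifiers for a vulnerability is 20. If a vulnerability has more than 20 identifiers, only the first 20 are saved." In the CVE paragraph, "a CVE can be identified multiple times" is ambiguous. If the meaning is that the same CVE can be reported for more than one finding, say so directly, and replace "you shouldn't assume it as such" with "don't rely on it as one". Also confirm that the new link target `../../user/application_security/terminology/#primary-identifier` resolves in the docs build, since it points at a directory path rather than a Markdown file.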