Diffstat (limited to 'doc/development/integrations/secure.md')
-rw-r--r-- | doc/development/integrations/secure.md | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index dcfd0f40bf0..1094074cab6 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md @@ -374,12 +374,19 @@ which is shared by the analyzers that GitLab maintains. You can [contribute](htt new generic identifiers to if needed. Analyzers may also produce vendor-specific or product-specific identifiers, which don't belong in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common). -The first item of the `identifiers` array is called the primary identifier. +The first item of the `identifiers` array is called the [primary +identifier](../../user/application_security/terminology/#primary-identifier). The primary identifier is particularly important, because it is used to [track vulnerabilities](#tracking-and-merging-vulnerabilities) as new commits are pushed to the repository. Identifiers are also used to [merge duplicate vulnerabilities](#tracking-and-merging-vulnerabilities) reported for the same commit, except for `CWE` and `WASC`. +Not all vulnerabilities have CVEs, and a CVE can be identified multiple times. As a result, a CVE +isn't a stable identifier and you shouldn't assume it as such when tracking vulnerabilities. + +The maximum number of identifiers for a vulnerability is set as 20. If a vulnerability has more than 20 identifiers, +the system will save only the first 20 of them. + ### Location The `location` indicates where the vulnerability has been detected. |
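Review bot: In the added paragraph about the identifier limit, "the system will save only the first 20 of them" should be active, present tense to match the rest of this doc ("GitLab saves only the first 20"), and "is set as 20" reads better as "is 20". The new CVE sentence is ambiguous as written: "a CVE can be identified multiple times" does not say whether the same CVE can be reported by several distinct findings or whether one finding can carry the same CVE more than once; spell out which case is meant, since that is the reason given for not treating a CVE as a stable tracking identifier. Also, the primary-identifier link now targets `../../user/application_security/terminology/#primary-identifier` (a directory path with a trailing slash); check that this resolves under the docs link checker, which normally expects relative links to point at the `.md` file rather than the rendered directory.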