@@ -78,6 +78,8 @@ An asset that has the potential to be vulnerable, identified in a project by an
include but are not restricted to source code, binary packages, containers, dependencies, networks,
include but are not restricted to source code, binary packages, containers, dependencies, networks,
applications, and infrastructure.
applications, and infrastructure.
Findings are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a [vulnerability](#vulnerability).
### Insignificant finding
### Insignificant finding
A legitimate finding that a particular customer doesn't care about.
A legitimate finding that a particular customer doesn't care about.
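Review bot: The added line "Findings are all potential vulnerability items scanners identify in MRs/feature branches." is ambiguous for a glossary entry: "all" reads as if findings exist only on merge-request and feature branches, while the next sentence ("Only after merging to default ...") implies the scan result on the default branch is also a finding that is then promoted. Suggest spelling out the abbreviation and the branch name on first use, and making the two states explicit, e.g. "A finding is any potential vulnerability a scanner reports, regardless of branch. A finding on a merge request or feature branch becomes a [vulnerability](#vulnerability) only after it is merged into the default branch." Also check that the new sentence is separated from "applications, and infrastructure." by a blank line so it does not render as part of the asset definition paragraph, and that a blank line precedes "### Insignificant finding".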
...
@@ -153,6 +155,8 @@ A flaw that has a negative impact on the security of its environment. Vulnerabil
error or weakness, and don't describe where the error is located (see [finding](#finding)).
error or weakness, and don't describe where the error is located (see [finding](#finding)).
Each vulnerability maps to a unique finding.
Each vulnerability maps to a unique finding.
Vulnerabilities exist in the default branch. Findings (see [finding](#finding)) are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a vulnerability.
### Vulnerability finding
### Vulnerability finding
When a [report finding](#report-finding) is stored to the database, it becomes a vulnerability
When a [report finding](#report-finding) is stored to the database, it becomes a vulnerability
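Review bot: The added line restates the finding definition from the first hunk almost verbatim ("Findings ... are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a vulnerability."), so the same rule now lives in two entries and can drift apart on the next edit. Since the line directly above already says "(see [finding](#finding))", suggest keeping only the part specific to this entry, e.g. "Vulnerabilities exist in the default branch; see [finding](#finding) for how a finding on a merge request or feature branch becomes a vulnerability once merged." As in the first hunk, "default" should read "default branch" and "MRs" should be spelled out, and a blank line is needed before "### Vulnerability finding".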