Bulk import of vulnerability data
Release notes
Problem to solve
Today, the only way to get vulnerability data into the Security Dashboards is to run a scanner in a pipeline and have it produce a vulnerability report artifact as part of that job. We are working on manually creating vulnerability records, but this will be insufficient when many records need to be brought in. We lack a scalable way to bring in large amounts of vulnerability data from external sources, such as scanners that do not run in our pipeline, bug bounty program exports, or a data migration from other tools to an all-GitLab security scanning solution.
While importing existing records may seem unnecessary, given that a first pass with GitLab's scanners should recreate any vulnerability findings, many organizations will see the benefit of keeping the historical record of dismissed and remediated vulnerabilities in a single system of record. We will also greatly cut down noise if, when migrating from other tools, we can effectively "pre-dismiss" any vulnerabilities that were already reviewed and deemed not to need a fix. Otherwise, our scanners will likely re-detect most or all of these vulnerabilities, requiring the Engineering and AppSec teams to duplicate their effort in evaluating and dismissing them all over again.
Intended users
User experience goal
Proposal
Further details
@plafoucriere created a tool for our AppSec team that imports a vulnerability list by creating a pipeline artifact like a scanner would output. We should consider building off his work when adding this functionality.
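As an added illustration of that approach (example code written for this issue, not @plafoucriere's tool or GitLab's own code), the script below converts a constructed bug-bounty style CSV export into a JSON document shaped like a scanner's vulnerability report artifact. The field names follow the GitLab security report schema as I understand it (version, vulnerabilities, scan) and should be checked against the current schema before use; the CSV columns and the severity mapping are assumptions.

```python
import csv
import io
import json
import uuid
from datetime import datetime, timezone

# Constructed sample export (not real findings): one row per external finding.
SAMPLE_CSV = """title,severity,file,line,cwe,description
Reflected XSS in search,high,app/views/search.html.erb,42,CWE-79,User input echoed without escaping
Hardcoded credential,critical,config/db.yml,7,CWE-798,Database password committed to repo
"""

# Assumed mapping from the export's severities to the report's severity levels.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Info"}
SCANNER = {"id": "external_import", "name": "External vulnerability import"}  # assumed ids
REPORT_VERSION = "15.0.4"  # assumed schema version; verify against the current schema


def finding_to_vulnerability(row):
    """Map one CSV row onto a single 'vulnerabilities' entry."""
    # Deterministic id from the finding's identity, so re-running the import
    # produces the same id instead of a second copy of every record.
    stable_key = f"{row['title']}|{row['file']}|{row['line']}"
    return {
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, stable_key)),
        "category": "sast",
        "name": row["title"],
        "description": row["description"],
        "severity": SEVERITY_MAP.get(row["severity"].lower(), "Unknown"),
        "scanner": SCANNER,
        "location": {"file": row["file"], "start_line": int(row["line"])},
        "identifiers": [{"type": "cwe", "name": row["cwe"],
                         "value": row["cwe"].split("-", 1)[1]}],
    }


def build_report(csv_text):
    """Build the report dict that would be written to the artifact file."""
    rows = csv.DictReader(io.StringIO(csv_text))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {
        "version": REPORT_VERSION,
        "vulnerabilities": [finding_to_vulnerability(r) for r in rows],
        "scan": {"scanner": {**SCANNER, "version": "0.1.0", "vendor": {"name": "AppSec"}},
                 "analyzer": {**SCANNER, "version": "0.1.0", "vendor": {"name": "AppSec"}},
                 "type": "sast", "start_time": now, "end_time": now, "status": "success"},
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_CSV), indent=2))  # e.g. redirect to gl-sast-report.json
```

The generated file would then be published from a pipeline job as a report artifact, exactly as a scanner's output would be.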