Link vulnerabilities to company-specific security knowledge bases
Need
Security teams want to link GitLab vulnerabilities with their own security knowledge bases, so that developers investigating a vulnerability are presented with company-specific solutions and recommendations validated by the security department.
Teams who do not yet have such a knowledge base may also want to build one. As they help development teams solve vulnerabilities, they may want to capture reproducible solutions and attach them to similar vulnerabilities.
Current State
Static analysis scanners do not include a solution field.
Some scanners include, for some vulnerabilities, a description of possible solutions, sometimes even a code snippet, as part of the description field. See picture below. However, this does not cover all vulnerabilities, and the solutions are only generic.
Workaround
By customising rulesets for static scans, one can override the description field. Since a link can be included, any knowledge base article can be referenced, provided it exposes a URL.
Example:
Related Slack thread (internal).
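As an added illustration of this workaround (not part of the original issue nor of GitLab's own documentation), a `.gitlab/sast-ruleset.toml` entry in GitLab's SAST custom ruleset format that overrides one rule's description with a link to an internal KB article; the rule id and the URL are placeholders:

```toml
# Constructed example of .gitlab/sast-ruleset.toml (GitLab SAST custom
# ruleset format). The rule id and KB URL below are placeholders.
[semgrep]
  [[semgrep.ruleset]]
    # Match findings on the analyzer's own rule identifier.
    [semgrep.ruleset.identifier]
      type  = "semgrep_id"
      value = "placeholder.rule-id"   # replace with the rule id to match
    # Replace the generic description with a pointer to the KB article.
    [semgrep.ruleset.override]
      description = "See the internal remediation guide: https://kb.example.internal/placeholder-article"

# Every other analyzer (brakeman, nodejs-scan, ...) needs its own section
# with the mapping repeated, which is the duplication noted under Shortcomings.
```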
Shortcomings
This requires scanner-specific rulesets, and therefore multiple configurations. It may also clash with existing custom rulesets. Matching between vulnerabilities is done in TOML, which is not ideal to maintain.
Proposal
Provide a central way for customers to link their security knowledge base and to configure the matching between vulnerability identifiers and KB entries.