Uploading a vulnerability scan

Upload vulnerability data to IBM® Concert to prioritize and manage CVEs or non-CVE exposures across your application landscape.

Before you begin

  • (Recommended) Automate ticket creation for prioritized CVEs to automatically create and assign tickets based on CVEs impacting your application environments.
    Note: This automation capability is currently limited to CVEs and is not applicable to non-CVE exposures.
  • You must have a vulnerability scan report file with details about the impacting CVEs or non-CVE exposures. Refer to Supported vulnerability scan formats for details.

Guidelines for uploading scan files

Follow these guidelines to ensure correct processing and avoid ingestion conflicts:
  • Upload one scan file at a time.
  • If the data size for an image or repository is too large, split the data for that specific image or component before uploading.
  • If your scan file is in JSON format and is larger than ~20 MB, convert it to CSV format before uploading. Large JSON files can cause ingestion or processing failures due to memory limits.
  • Avoid uploading multiple scan files for the same image with different tags, as this can lead to duplicate or conflicting data.
  • When uploading scan files with application information, do not process files containing the same CVEs for the same application in parallel.
  • When uploading scan files without application information (orphan findings), do not process files containing the same CVEs in parallel. Instead, upload them as a multi-file batch or wait for one file’s processing to complete before uploading the next.
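The guidelines above are easy to violate by accident when several scan files are queued at once. The following script is an added pre-flight check, not code from the Concert product or its documentation: it reads a batch of scan files and reports JSON files over the ~20 MB limit, one image uploaded under more than one tag, and pairs of files that share a CVE within the same application (or both without application information) and therefore must not be processed in parallel. The file layout it parses (`image`, `tag`, optional `application`, `findings[].id`) is a hypothetical minimal schema chosen for the example; the real accepted layouts are listed under Supported vulnerability scan formats. The sample files and the `CVE-0000-*` identifiers are constructed and deliberately invalid so they cannot collide with real CVEs.

```python
"""Pre-flight checks for a batch of vulnerability scan files before upload.

Added example, not Concert's own code. The scan-file layout handled here
(image, tag, optional application, findings[].id) is a hypothetical minimal
schema used only for illustration.
"""
import json
from collections import defaultdict

JSON_SIZE_LIMIT = 20 * 1024 * 1024  # ~20 MB guideline: convert larger JSON to CSV

# Constructed sample files. The CVE ids use the invalid year 0000 on purpose.
SAMPLE_FILES = {
    "api-v1.json": json.dumps({
        "image": "registry.example/api", "tag": "1.0", "application": "billing",
        "findings": [{"id": "CVE-0000-0001"}, {"id": "CVE-0000-0002"}]}),
    "api-v2.json": json.dumps({
        "image": "registry.example/api", "tag": "1.1", "application": "billing",
        "findings": [{"id": "CVE-0000-0001"}]}),
    "worker.json": json.dumps({
        "image": "registry.example/worker", "tag": "3.4",
        "findings": [{"id": "CVE-0000-0003"}]}),
    "worker-old.json": json.dumps({
        "image": "registry.example/worker-old", "tag": "1",
        "findings": [{"id": "CVE-0000-0003"}]}),
}


def needs_csv_conversion(name, size_bytes):
    """True when a JSON scan file exceeds the size at which CSV is recommended."""
    return name.lower().endswith(".json") and size_bytes > JSON_SIZE_LIMIT


def load_scan(name, text):
    """Parse one scan file (hypothetical schema) into the fields the checks need."""
    doc = json.loads(text)
    return {
        "file": name,
        "size": len(text.encode("utf-8")),
        "image": doc["image"],
        "tag": doc.get("tag", ""),
        "application": doc.get("application"),  # None means orphan findings
        "cves": {f["id"] for f in doc.get("findings", []) if f["id"].startswith("CVE-")},
    }


def preflight(files):
    """Return a dict of issue lists keyed by check name for a {name: text} batch."""
    scans = [load_scan(n, t) for n, t in files.items()]
    issues = {"too_large": [], "tag_conflicts": [], "serial_only": []}

    # 1. Large JSON files should be converted to CSV before upload.
    for s in scans:
        if needs_csv_conversion(s["file"], s["size"]):
            issues["too_large"].append(s["file"])

    # 2. The same image must not be uploaded under several tags.
    by_image = defaultdict(list)
    for s in scans:
        by_image[s["image"]].append(s)
    for image, group in by_image.items():
        if len({s["tag"] for s in group}) > 1:
            issues["tag_conflicts"].append((image, sorted(s["file"] for s in group)))

    # 3. Files sharing a CVE for the same application (or both orphan) must be
    #    processed one after the other, never in parallel.
    for i, a in enumerate(scans):
        for b in scans[i + 1:]:
            if a["application"] == b["application"] and a["cves"] & b["cves"]:
                issues["serial_only"].append(tuple(sorted((a["file"], b["file"]))))
    return issues


if __name__ == "__main__":
    for check, found in preflight(SAMPLE_FILES).items():
        print(f"{check}: {found if found else 'ok'}")
```

Run it against a directory of real scan files by replacing `SAMPLE_FILES` with a mapping of file names to their contents; any file listed under `serial_only` should be uploaded only after the other file in its pair has finished processing, and files under `tag_conflicts` should be reduced to a single tag per image before upload.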

Instructions

Refer to the following instructions to upload a vulnerability scan file from the Concert UI.

From the Vulnerability page:
  1. Navigate to Dimensions > Vulnerability.
  2. Click Upload vulnerability scan.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
    Note: For Vulnerability scan (source code) provide the following details:
    • Branch Name (optional): Enter the branch name, if applicable.
    • Commit Sha (optional): Enter the commit SHA, if applicable.
    • Repository URL: Enter the URL of the repository.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.
From the Arena view:
  1. Go to the Arena view.
  2. Click Define and upload > Upload scan > Vulnerability.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.

Once processed, you can view the impact of CVEs on your applications and environments from the Arena view or by going to Dimensions > Vulnerabilities.

When you upload a new vulnerability report, CVEs that the new report shows as resolved are archived and appear as Closed in the Concert UI. Unresolved CVEs remain open and unchanged, and duplicate CVEs are not displayed in the Concert UI.
Note: When uploading vulnerability scan files through the Concert API, you can include the optional metadata fields scanner_name and scan_objects. When the uploaded scan file contains no vulnerabilities, Concert uses these fields to archive all previously detected findings for the specified scan objects.

For more information, see Archiving vulnerabilities from zero-vulnerability scan files.

Duplicate findings

If Concert identifies a CVE or non-CVE exposure impacting an application component that is already recorded in your Concert instance, it ignores the duplicate finding. The duplicate does not appear in the list of CVEs or in your Arena view, does not trigger automation rules, and does not negatively affect your risk score.

Access control

Access to vulnerabilities is restricted as follows:
  • Vulnerabilities not associated with applications or environments are only accessible to Instance-level Admin users and the user who uploaded the vulnerability.
  • Only vulnerabilities associated with applications or environments are accessible to users with corresponding application and environment-level permissions.
  • Object-level Admin users without application or environment access will not see uploaded data until they are granted that access.