Uploading a vulnerability scan

Upload vulnerability data to IBM® Concert to prioritize and manage CVEs or non-CVE exposures across your application landscape.

Before you begin

  • (Recommended) Automate ticket creation for prioritized CVEs to automatically create and assign tickets based on CVEs impacting your application environments.
    Note: This automation capability is currently limited to CVEs and is not applicable to non-CVE exposures.
  • You must have a vulnerability scan report file with details about the impacting CVEs or non-CVE exposures. Refer to Supported vulnerability scan formats for details.

Instructions

Refer to the following instructions to upload a vulnerability scan file from the Concert UI.

From the Vulnerability page:
  1. Navigate to Dimensions > Vulnerability.
  2. Click Upload vulnerability scan.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.
From the Arena view:
  1. Go to the Arena view.
  2. Click Define and upload > Upload scan > Vulnerability.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.

Once processed, you can view the impact of CVEs on your applications and environments from the Arena view or by going to Dimensions > Vulnerabilities.

When you upload a new vulnerability report, the resolved CVEs are archived and appear as Closed in the Concert UI view. Unresolved CVEs remain unchanged, and duplicate CVEs are not displayed in the Concert UI.

Note: If Concert identifies a CVE or non-CVE exposure impacting an application component that is already recorded in your Concert instance, it ignores the duplicate finding. The duplicate will not appear in the list of CVEs or in your Arena view, will not trigger automation rules, and will not negatively impact your risk score.
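The following is an added illustration of the upload semantics described above (resolved findings archived as Closed, unresolved findings unchanged, duplicates ignored); it is not Concert's own code, and the Finding type, the reconcile function and the CVE identifiers in the demo are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    """One row of a scan report: a CVE or non-CVE exposure and the component it impacts."""
    identifier: str   # e.g. a CVE id or a scanner's own exposure id
    component: str    # application component the finding was recorded against


def reconcile(recorded_open: Set[Finding], new_report: List[Finding]) -> Dict[str, object]:
    """Model what a new upload does to the findings already recorded.

    recorded_open : findings already recorded in the instance and still open
    new_report    : every finding in the newly uploaded scan file, in file order

    Returns the resulting open and closed sets, the findings this upload adds,
    and the report rows ignored as duplicates.
    """
    seen: Set[Finding] = set(recorded_open)
    added: List[Finding] = []
    duplicates: List[Finding] = []
    for finding in new_report:
        if finding in seen:
            # Already recorded (or repeated earlier in this file): ignored, so it
            # is not listed again, triggers no automation and leaves the risk score alone.
            duplicates.append(finding)
            continue
        seen.add(finding)
        added.append(finding)
    # Open findings the new report no longer lists count as resolved and are
    # archived, which the UI shows as Closed; the rest stay open unchanged.
    reported = set(new_report)
    closed = recorded_open - reported
    still_open = recorded_open & reported
    return {
        "open": still_open | set(added),
        "closed": closed,
        "added": added,
        "duplicates_ignored": duplicates,
    }


if __name__ == "__main__":
    # Constructed sample: identifiers below are placeholders, not real findings.
    a, b = Finding("CVE-2024-0001", "api"), Finding("CVE-2024-0002", "api")
    e, c = Finding("EXPOSURE-7", "db"), Finding("CVE-2024-0003", "web")
    result = reconcile({a, b, e}, [a, a, c, e])
    print(f"closed={result['closed']} added={result['added']}")
```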
Note: Access to vulnerabilities is restricted as follows:
  • Vulnerabilities not associated with applications or environments are only accessible to Instance-level Admin users and the user who uploaded the vulnerability.
  • Only vulnerabilities associated with applications or environments are accessible to users with corresponding application and environment-level permissions.
  • Object-level Admin users without application or environment access will not see uploaded data until they are granted that access.