Uploading a vulnerability scan

Upload vulnerability data to IBM® Concert to prioritize and manage CVEs or non-CVE exposures across your application landscape.

Before you begin

  • (Recommended) Automate ticket creation for prioritized CVEs to automatically create and assign tickets based on CVEs impacting your application environments.
    Note: This automation capability is currently limited to CVEs and is not applicable to non-CVE exposures.
  • You must have a vulnerability scan report file with details about the impacting CVEs or non-CVE exposures. Refer to Supported vulnerability scan formats for details.
Note: When uploading vulnerability scan files, consider the following guidelines:
  • Upload one scan file at a time to ensure correct processing and reduce errors or conflicts.
  • If the data size for an image or repository is too large, you can split the data for that specific image/component to prevent issues with uploading and processing.
  • Avoid uploading multiple scan files for the same image with different tags, as this can lead to duplicate or conflicting data.

Instructions

Refer to the following instructions to upload a vulnerability scan file from the Concert UI.

From the Vulnerability page:
  1. Navigate to Dimensions > Vulnerability.
  2. Click Upload vulnerability scan.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
    Note: For Vulnerability scan (source code) provide the following details:
    • Branch Name (optional): Enter the branch name, if applicable.
    • Commit Sha (optional): Enter the commit SHA, if applicable.
    • Repository URL: Enter the URL of the repository.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.
From the Arena view:
  1. Go to the Arena view.
  2. Click Define and upload > Upload scan > Vulnerability.
  3. Select the vulnerability scan File type and Scan source. Refer to the Supported vulnerability scan formats for details.
  4. Select the vulnerability scan file from your local directory.
  5. Click Upload.

Once processed, you can view the impact of CVEs on your applications and environments from the Arena view or by going to Dimensions > Vulnerabilities.

When you upload a new vulnerability report, CVEs that are no longer reported are treated as resolved: they are archived and appear as Closed in the Concert UI. CVEs that are still reported remain open and unchanged, and duplicate CVEs are not displayed in the Concert UI.

Note: If Concert identifies a CVE or non-CVE exposure impacting an application component that is already recorded in your Concert instance, it ignores the duplicate finding. The duplicate does not appear in the list of CVEs or in your Arena view, does not trigger automation rules, and does not negatively affect your risk score.
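As an added illustration (not Concert's own code or API), the following Python models the status transitions and duplicate handling described above for a fresh upload, and adds a pre-upload check for the "same image, different tags" guideline. Component names and CVE ids are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    """One row of a scan report: the image/repository and the exposure found on it."""
    component: str  # e.g. "registry.example.com/app:1.2" (constructed sample value)
    exposure: str   # CVE id, or a non-CVE exposure identifier (constructed placeholders below)


def reconcile(previous_open, new_scan):
    """Model of the upload semantics described in the docs (not Concert's implementation).

    previous_open: findings currently open in the instance from earlier uploads.
    new_scan:      findings parsed from the report being uploaded.
    Returns sorted lists keyed by outcome.
    """
    seen, duplicates = set(), []
    for f in new_scan:
        if f in seen:              # same exposure on the same component reported twice
            duplicates.append(f)
        seen.add(f)
    prev = set(previous_open)
    return {
        "closed": sorted(prev - seen),             # no longer reported -> archived as Closed
        "open": sorted(prev & seen),               # already recorded -> unchanged, not re-added
        "new": sorted(seen - prev),                # first sighting -> listed, may trigger automation
        "ignored_duplicates": sorted(duplicates),  # repeats within the report are dropped
    }


def image_tag_conflicts(findings):
    """Flag an image that appears under more than one tag in a single report."""
    tags = defaultdict(set)
    for f in findings:
        name, _, tag = f.component.rpartition(":")
        if not name or "/" in tag:   # untagged, or the ":" belonged to a registry port
            continue
        tags[name].add(tag)
    return {name: sorted(t) for name, t in tags.items() if len(t) > 1}


# Constructed sample data: one earlier upload and one new report for the same image.
PREVIOUS_OPEN = [
    Finding("registry.example.com/app:1.2", "CVE-0000-0001"),
    Finding("registry.example.com/app:1.2", "CVE-0000-0002"),
]
NEW_SCAN = [
    Finding("registry.example.com/app:1.2", "CVE-0000-0001"),
    Finding("registry.example.com/app:1.2", "CVE-0000-0001"),  # duplicate row
    Finding("registry.example.com/app:1.2", "CVE-0000-0003"),
    Finding("registry.example.com/app:1.3", "CVE-0000-0002"),  # same image, different tag
]

if __name__ == "__main__":
    print(reconcile(PREVIOUS_OPEN, NEW_SCAN))
    print(image_tag_conflicts(NEW_SCAN))
```

Running `image_tag_conflicts` before uploading surfaces the case the guidelines warn about, so the report can be split per image tag first.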
Note: Access to vulnerabilities is restricted as follows:
  • Vulnerabilities not associated with applications or environments are only accessible to Instance-level Admin users and the user who uploaded the vulnerability.
  • Only vulnerabilities associated with applications or environments are accessible to users with corresponding application and environment-level permissions.
  • Object-level Admin users without application or environment access do not see uploaded data until they are granted that access.