Clarify docs for primary vulnerability identifier

397dd078 · Thiago Figueiró · Nick Gaskill · 53fe3d8d · 397dd078
Commit 397dd078 authored Sep 28, 2020 by Thiago Figueiró Committed by Nick Gaskill Sep 28, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

doc/development/integrations/secure.md doc/development/integrations/secure.md +5 -1

No files found.
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -374,12 +374,16 @@ which is shared by the analyzers that GitLab maintains. You can [contribute](htt
 new generic identifiers to if needed. Analyzers may also produce vendor-specific or product-specific
 identifiers, which don't belong in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common).

-The first item of the `identifiers` array is called the primary identifier.
+The first item of the `identifiers` array is called the [primary
+identifier](../../user/application_security/terminology/#primary-identifier).
 The primary identifier is particularly important, because it is used to
 [track vulnerabilities](#tracking-and-merging-vulnerabilities) as new commits are pushed to the repository.
 Identifiers are also used to [merge duplicate vulnerabilities](#tracking-and-merging-vulnerabilities)
 reported for the same commit, except for `CWE` and `WASC`.

+Not all vulnerabilities have CVEs, and a CVE can be identified multiple times. As a result, a CVE
+isn't a stable identifier and you shouldn't assume it as such when tracking vulnerabilities.
+
 ### Location

 The `location` indicates where the vulnerability has been detected.