Merge branch 'schwartz-vulnerability-vs-finding-terminology' into 'master'

Update terms for clarity See merge request gitlab-org/gitlab!60863

Merge branch 'schwartz-vulnerability-vs-finding-terminology' into 'master'
Update terms for clarity See merge request gitlab-org/gitlab!60863
a991081e · Russell Dickenson · f07f3af5 · 12e4b788 · a991081e
Commit a991081e authored May 14, 2021 by Russell Dickenson
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

doc/user/application_security/terminology/index.md doc/user/application_security/terminology/index.md +4 -0

No files found.
--- a/doc/user/application_security/terminology/index.md
+++ b/doc/user/application_security/terminology/index.md
@@ -78,6 +78,8 @@ An asset that has the potential to be vulnerable, identified in a project by an
 include but are not restricted to source code, binary packages, containers, dependencies, networks,
 applications, and infrastructure.

+Findings are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a [vulnerability](#vulnerability).
+
 ### Insignificant finding

 A legitimate finding that a particular customer doesn't care about.
@@ -153,6 +155,8 @@ A flaw that has a negative impact on the security of its environment. Vulnerabil
 error or weakness, and don't describe where the error is located (see [finding](#finding)).
 Each vulnerability maps to a unique finding.

+Vulnerabilities exist in the default branch. Findings (see [finding](#finding)) are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a vulnerability.
+
 ### Vulnerability finding

 When a [report finding](#report-finding) is stored to the database, it becomes a vulnerability