diff --git a/ee/lib/ee/gitlab/import_export/project/relation_factory.rb b/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
index 2c8cfa8e3a9635c91fb87adcbbf976ccf8047f42..b40ce9651f3f2ac6b75e9e6a6506cf8a7f1f4c3a 100644
--- a/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
+++ b/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
@@ -20,6 +20,7 @@ module RelationFactory
             vulnerability_finding: 'Vulnerabilities::Finding',
             scanner: 'Vulnerabilities::Scanner',
             primary_identifier: 'Vulnerabilities::Identifier',
+            identifiers: 'Vulnerabilities::Identifier',
             initial_finding_pipeline: 'Ci::Pipeline',
             latest_finding_pipeline: 'Ci::Pipeline',
             vulnerability_read: 'Vulnerabilities::Read'
@@ -96,7 +97,7 @@ def generate_imported_object
           def setup_vulnerability_finding
             relation_hash['uuid'] = ::Security::VulnerabilityUUID.generate(
               report_type: relation_hash['report_type'],
-              primary_identifier_fingerprint: "",
+              primary_identifier_fingerprint: relation_hash['primary_identifier_fingerprint'],
               location_fingerprint: relation_hash['location_fingerprint'],
               project_id: relation_hash['project_id']
             )
diff --git a/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb b/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
index 776f4aec65fa4b1cc1360d76ea644a5ccb0255e5..9f88bf2373b7b4d87acc8617bcf7d50b74105656 100644
--- a/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
@@ -442,6 +442,17 @@
       expect(finding.metadata_version).to eq('15.1.4')
       expect(finding.raw_metadata).to include('Regular expression with non-literal value')
     end
+
+    it 'restores vulnerability identifiers' do
+      vulnerability = @project.vulnerabilities.find_by(title: 'Regular expression with non-literal value')
+      identifier = vulnerability.identifiers.first
+
+      expect(vulnerability.identifiers.count).to eq(5)
+      expect(identifier.name).to eq('eslint.detect-non-literal-regexp')
+      expect(identifier.external_type).to eq('semgrep_id')
+      expect(identifier.external_id).to eq('eslint.detect-non-literal-regexp')
+      expect(identifier.fingerprint).to eq('a751f35f1185de7ca5e6c0610c3bca21eb25ac9a')
+    end
   end
   # rubocop:enable RSpec/InstanceVariable
 end
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index 3b9c620c257d1d547d47ef37f9066db839850d29..03ae93eaced3377b470981bd286c73b44e0e3dec 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -1227,6 +1227,7 @@ ee:
         - vulnerability_finding:
           - :scanner
           - :primary_identifier
+          - :identifiers
           - :initial_finding_pipeline
           - :latest_finding_pipeline
         - vulnerability_read:
@@ -1318,6 +1319,7 @@ ee:
       - :project_fingerprint
       - :project_id
       - :location_fingerprint
+      - :primary_identifier_fingerprint
       - :name
       - :report_type
       - :severity
@@ -1329,13 +1331,14 @@ ee:
       - :name
       - :vendor
       - :external_id
-    primary_identifier:
+    identifiers: &identifiers_definition
       - :project_id
       - :external_type
       - :external_id
       - :fingerprint
       - :name
       - :url
+    primary_identifier: *identifiers_definition
     vulnerability_finding:
       - :uuid
       - :project_fingerprint
diff --git a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson
index 2f969f7b75d4432035eba034e6ea7bb7dd778462..8b30fd71113dbb00bd527398d03ed307a7216ff1 100644
--- a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson
+++ b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson
@@ -1,3 +1,3 @@
-{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"4ce7494840bb1882d5a9003b0f272f8e3e22c7a5","location_fingerprint":"4f7a2fffbb791c4cc8d1454db40b80f7fa9ed5be","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"b13b66b99eabefb8bc0d385b90cb952734e246ff3477a8ee563d6d04ef4bded4\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be  hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n    // Create a RE2 object with the user supplied regex, this is relatively safe\\n    // due to RE2 not supporting backtracking which can be abused to cause long running\\n    // queries\\n    var re = new RE2(userSuppliedRegex);\\n    // Execute the regular expression against some userInput\\n    var result = re.exec(userInput);\\n    // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:515:515\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"common/static/ace/ext-language_tools.js\",\"start_line\":515},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"common/static/ace/ext-language_tools.js\",\"line_start\":515,\"line_end\":515,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"common/static/ace/ext-language_tools.js|func[0]:498\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa74cb01-2544-5d42-b9e8-0150119bf6cb","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
-{"project_id":5,"author_id":1,"title":"Incorrect regular expression","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"46e1dffeb673fa9e3de7343653b84dd9826e7312","location_fingerprint":"f866afbfc47ac0fae0da7c6df8e5ed35330e4384","name":"Incorrect regular expression","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"0152dfdd49aa1b9636cd267c12d080250199f15f21f427d3bed1a07a002e011f\",\"category\":\"sast\",\"name\":\"Incorrect regular expression\",\"description\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\\n\",\"cve\":\"semgrep_id:nodejs_scan.javascript-dos-rule-regex_dos:1050:1052\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"start_line\":1050,\"end_line\":1052},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"nodejs_scan.javascript-dos-rule-regex_dos\",\"value\":\"nodejs_scan.javascript-dos-rule-regex_dos\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A05:2021 - Security Misconfiguration\",\"value\":\"A05:2021\"},{\"type\":\"owasp\",\"name\":\"A6:2017 - Security Misconfiguration\",\"value\":\"A6:2017\"},{\"type\":\"njsscan_rule_type\",\"name\":\"NodeJS Scan ID javascript-dos-rule-regex_dos\",\"value\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"line_start\":1050,\"line_end\":1050,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js|func($, undefined)[0]:1034\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa2589df-c1ad-5108-93f0-90237b17c1b1","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
-{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"ea561c323d8e5e87040ad59ca2b926f2b005255c","location_fingerprint":"708aa3150b2b448e6894dd447689336d0ce63f19","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"f8c645cd515f94924c9a8fe73cc3e2bcf08b90ee9936462b6da57b6c28b52803\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be  hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n    // Create a RE2 object with the user supplied regex, this is relatively safe\\n    // due to RE2 not supporting backtracking which can be abused to cause long running\\n    // queries\\n    var re = new RE2(userSuppliedRegex);\\n    // Execute the regular expression against some userInput\\n    var result = re.exec(userInput);\\n    // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:1108:1108\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"start_line\":1108},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"line_start\":1108,\"line_end\":1108,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js|func($, undefined)[0]|getNumber[0]:4\"}]}]}}","detection_method":"gitlab_security_report","uuid":"f72b22e4-1e01-5c53-95a5-5e3a1e2f2b16","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
+{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"4ce7494840bb1882d5a9003b0f272f8e3e22c7a5","location_fingerprint":"4f7a2fffbb791c4cc8d1454db40b80f7fa9ed5be","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"b13b66b99eabefb8bc0d385b90cb952734e246ff3477a8ee563d6d04ef4bded4\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be  hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n    // Create a RE2 object with the user supplied regex, this is relatively safe\\n    // due to RE2 not supporting backtracking which can be abused to cause long running\\n    // queries\\n    var re = new RE2(userSuppliedRegex);\\n    // Execute the regular expression against some userInput\\n    var result = re.exec(userInput);\\n    // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:515:515\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"common/static/ace/ext-language_tools.js\",\"start_line\":515},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"common/static/ace/ext-language_tools.js\",\"line_start\":515,\"line_end\":515,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"common/static/ace/ext-language_tools.js|func[0]:498\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa74cb01-2544-5d42-b9e8-0150119bf6cb","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"identifiers":[{"project_id":5,"fingerprint":"08de3511f2132da4d24f1b8b1d3ca14368a0259b","external_type":"owasp","external_id":"A1:2017","name":"A1:2017 - Injection","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"a15f44ab746431d58b21b4fc67d8c4d3fb160ca0","external_type":"eslint_rule_id","external_id":"detect-non-literal-regexp","name":"ESLint rule ID/detect-non-literal-regexp","url":null},{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},{"project_id":5,"fingerprint":"a8e828eea3aba35916401da9304619f0a218119b","external_type":"owasp","external_id":"A03:2021","name":"A03:2021 - Injection","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
+{"project_id":5,"author_id":1,"title":"Incorrect regular expression","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"46e1dffeb673fa9e3de7343653b84dd9826e7312","location_fingerprint":"f866afbfc47ac0fae0da7c6df8e5ed35330e4384","name":"Incorrect regular expression","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"0152dfdd49aa1b9636cd267c12d080250199f15f21f427d3bed1a07a002e011f\",\"category\":\"sast\",\"name\":\"Incorrect regular expression\",\"description\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\\n\",\"cve\":\"semgrep_id:nodejs_scan.javascript-dos-rule-regex_dos:1050:1052\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"start_line\":1050,\"end_line\":1052},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"nodejs_scan.javascript-dos-rule-regex_dos\",\"value\":\"nodejs_scan.javascript-dos-rule-regex_dos\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A05:2021 - Security Misconfiguration\",\"value\":\"A05:2021\"},{\"type\":\"owasp\",\"name\":\"A6:2017 - Security Misconfiguration\",\"value\":\"A6:2017\"},{\"type\":\"njsscan_rule_type\",\"name\":\"NodeJS Scan ID javascript-dos-rule-regex_dos\",\"value\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"line_start\":1050,\"line_end\":1050,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js|func($, undefined)[0]:1034\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa2589df-c1ad-5108-93f0-90237b17c1b1","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null},"identifiers":[{"project_id":5,"fingerprint":"2bd02e525f0e78f8745e5a063ca1b5f396527a41","external_type":"owasp","external_id":"A6:2017","name":"A6:2017 - Security Misconfiguration","url":null},{"project_id":5,"fingerprint":"3f2c4e94cf8c0b53c44cb5b187963b753da9e882","external_type":"owasp","external_id":"A05:2021","name":"A05:2021 - Security Misconfiguration","url":null},{"project_id":5,"fingerprint":"518290ee3e47f4a5bba33213ca8a82e4c0d8697d","external_type":"njsscan_rule_type","external_id":"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.","name":"NodeJS Scan ID javascript-dos-rule-regex_dos","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
+{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"ea561c323d8e5e87040ad59ca2b926f2b005255c","location_fingerprint":"708aa3150b2b448e6894dd447689336d0ce63f19","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"f8c645cd515f94924c9a8fe73cc3e2bcf08b90ee9936462b6da57b6c28b52803\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be  hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n    // Create a RE2 object with the user supplied regex, this is relatively safe\\n    // due to RE2 not supporting backtracking which can be abused to cause long running\\n    // queries\\n    var re = new RE2(userSuppliedRegex);\\n    // Execute the regular expression against some userInput\\n    var result = re.exec(userInput);\\n    // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:1108:1108\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"start_line\":1108},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"line_start\":1108,\"line_end\":1108,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js|func($, undefined)[0]|getNumber[0]:4\"}]}]}}","detection_method":"gitlab_security_report","uuid":"f72b22e4-1e01-5c53-95a5-5e3a1e2f2b16","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"identifiers":[{"project_id":5,"fingerprint":"08de3511f2132da4d24f1b8b1d3ca14368a0259b","external_type":"owasp","external_id":"A1:2017","name":"A1:2017 - Injection","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"a15f44ab746431d58b21b4fc67d8c4d3fb160ca0","external_type":"eslint_rule_id","external_id":"detect-non-literal-regexp","name":"ESLint rule ID/detect-non-literal-regexp","url":null},{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},{"project_id":5,"fingerprint":"a8e828eea3aba35916401da9304619f0a218119b","external_type":"owasp","external_id":"A03:2021","name":"A03:2021 - Injection","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 8e1bccf92a16b8dfceadfacb7347fe2f8cbce570..ef0808757901a53215a0198269b795653bc2c825 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -1214,10 +1214,11 @@ vulnerability_finding:
 scanner:
   - findings
   - security_findings
-primary_identifier:
+identifiers: &identifiers_definition
   - finding_identifiers
   - findings
   - primary_findings
+primary_identifier: *identifiers_definition
 initial_finding_pipeline: *pipeline_definition
 latest_finding_pipeline: *pipeline_definition
 vulnerability_read: