From ada2b7ff4c2e5b61eba39c5db02078371cb57aff Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Tue, 31 Dec 2024 12:41:47 +0000
Subject: [PATCH] Direct Transfer - Import Vulnerability identifiers

---
 .../gitlab/import_export/project/relation_factory.rb | 3 ++-
 .../import_export/project/tree_restorer_spec.rb | 11 +++++++++++
 lib/gitlab/import_export/project/import_export.yml | 5 ++++-
 .../complex/tree/project/vulnerabilities.ndjson | 6 +++---
 spec/lib/gitlab/import_export/all_models.yml | 3 ++-
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/ee/lib/ee/gitlab/import_export/project/relation_factory.rb b/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
index 2c8cfa8e3a96..b40ce9651f3f 100644
--- a/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
+++ b/ee/lib/ee/gitlab/import_export/project/relation_factory.rb
@@ -20,6 +20,7 @@ module RelationFactory
 vulnerability_finding: 'Vulnerabilities::Finding',
 scanner: 'Vulnerabilities::Scanner',
 primary_identifier: 'Vulnerabilities::Identifier',
+ identifiers: 'Vulnerabilities::Identifier',
 initial_finding_pipeline: 'Ci::Pipeline',
 latest_finding_pipeline: 'Ci::Pipeline',
 vulnerability_read: 'Vulnerabilities::Read'
@@ -96,7 +97,7 @@ def generate_imported_object
 def setup_vulnerability_finding
 relation_hash['uuid'] = ::Security::VulnerabilityUUID.generate(
 report_type: relation_hash['report_type'],
- primary_identifier_fingerprint: "",
+ primary_identifier_fingerprint: relation_hash['primary_identifier_fingerprint'],
 location_fingerprint: relation_hash['location_fingerprint'],
 project_id: relation_hash['project_id']
 )
diff --git a/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb b/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
index 776f4aec65fa..9f88bf2373b7 100644
--- a/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/ee/spec/lib/ee/gitlab/import_export/project/tree_restorer_spec.rb
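Review bot: `relation_hash['primary_identifier_fingerprint']` is nil whenever the exported finding hash lacks that key, and the fixture this commit rewrites (vulnerabilities.ndjson) still carries no `primary_identifier_fingerprint` field on any `vulnerability_finding`, so the new restorer spec exercises the nil path rather than the fingerprint path. Whether `::Security::VulnerabilityUUID.generate` treats nil the same as the previous `""` is not visible here; if it does not, archives produced before the attribute was added to import_export.yml (the second yml hunk) would be assigned a different UUID on import than they were before this change, which matters because that UUID is what identifies a finding. Consider `primary_identifier_fingerprint: relation_hash['primary_identifier_fingerprint'].to_s,` to keep the old behaviour for such archives, add the field to the fixture findings (for the first record the value matching its nested `primary_identifier.fingerprint` would be `"primary_identifier_fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a"`), and assert on `finding.uuid` in the spec so the regenerated UUID is actually checked. `setup_vulnerability_finding` continues past the end of the hunk.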
@@ -442,6 +442,17 @@
 expect(finding.metadata_version).to eq('15.1.4')
 expect(finding.raw_metadata).to include('Regular expression with non-literal value')
 end
+
+ it 'restores vulnerability identifiers' do
+ vulnerability = @project.vulnerabilities.find_by(title: 'Regular expression with non-literal value')
+ identifier = vulnerability.identifiers.first
+
+ expect(vulnerability.identifiers.count).to eq(5)
+ expect(identifier.name).to eq('eslint.detect-non-literal-regexp')
+ expect(identifier.external_type).to eq('semgrep_id')
+ expect(identifier.external_id).to eq('eslint.detect-non-literal-regexp')
+ expect(identifier.fingerprint).to eq('a751f35f1185de7ca5e6c0610c3bca21eb25ac9a')
+ end
 end
 # rubocop:enable RSpec/InstanceVariable
 end
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index 3b9c620c257d..03ae93eaced3 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -1227,6 +1227,7 @@ ee:
 - vulnerability_finding:
 - :scanner
 - :primary_identifier
+ - :identifiers
 - :initial_finding_pipeline
 - :latest_finding_pipeline
 - vulnerability_read:
@@ -1318,6 +1319,7 @@ ee:
 - :project_fingerprint
 - :project_id
 - :location_fingerprint
+ - :primary_identifier_fingerprint
 - :name
 - :report_type
 - :severity
@@ -1329,13 +1331,14 @@ ee:
 - :name
 - :vendor
 - :external_id
- primary_identifier:
+ identifiers: &identifiers_definition
 - :project_id
 - :external_type
 - :external_id
 - :fingerprint
 - :name
 - :url
+ primary_identifier: *identifiers_definition
 vulnerability_finding:
 - :uuid
 - :project_fingerprint
diff --git a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson
index 2f969f7b75d4..8b30fd71113d 100644
--- a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson
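Review bot: `@project.vulnerabilities.find_by(title: 'Regular expression with non-literal value')` is ambiguous, because the fixture holds two vulnerabilities with that exact title (its first and third records), and `vulnerability.identifiers.first` carries no explicit order, so every `identifier.*` assertion depends on which record and which row the database happens to return first; the test passes today only because both records ship the same five identifiers. The expected `semgrep_id` identifier is not even the first element of the fixture's `identifiers` array (an `owasp` entry is), so `.first` yielding it presumably relies on insertion order via `primary_identifier` — worth confirming rather than depending on. Select the identifier by a unique attribute instead, `identifier = vulnerability.identifiers.find_by!(fingerprint: 'a751f35f1185de7ca5e6c0610c3bca21eb25ac9a')`, which also fails with a clear message when the identifier was not restored, and prefer `find_by!(title: ...)` for the vulnerability so a missing record raises there instead of as a nil error on the next line. The enclosing example group starts outside the hunk.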
+++ b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/vulnerabilities.ndjson 
@@ -1,3 +1,3 @@ -{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"4ce7494840bb1882d5a9003b0f272f8e3e22c7a5","location_fingerprint":"4f7a2fffbb791c4cc8d1454db40b80f7fa9ed5be","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"b13b66b99eabefb8bc0d385b90cb952734e246ff3477a8ee563d6d04ef4bded4\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). 
RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n // Create a RE2 object with the user supplied regex, this is relatively safe\\n // due to RE2 not supporting backtracking which can be abused to cause long running\\n // queries\\n var re = new RE2(userSuppliedRegex);\\n // Execute the regular expression against some userInput\\n var result = re.exec(userInput);\\n // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:515:515\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"common/static/ace/ext-language_tools.js\",\"start_line\":515},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule 
ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"common/static/ace/ext-language_tools.js\",\"line_start\":515,\"line_end\":515,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"common/static/ace/ext-language_tools.js|func[0]:498\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa74cb01-2544-5d42-b9e8-0150119bf6cb","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}} -{"project_id":5,"author_id":1,"title":"Incorrect regular expression","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"46e1dffeb673fa9e3de7343653b84dd9826e7312","location_fingerprint":"f866afbfc47ac0fae0da7c6df8e5ed35330e4384","name":"Incorrect regular expression","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"0152dfdd49aa1b9636cd267c12d080250199f15f21f427d3bed1a07a002e011f\",\"category\":\"sast\",\"name\":\"Incorrect regular expression\",\"description\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of 
service.\\n\",\"cve\":\"semgrep_id:nodejs_scan.javascript-dos-rule-regex_dos:1050:1052\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"start_line\":1050,\"end_line\":1052},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"nodejs_scan.javascript-dos-rule-regex_dos\",\"value\":\"nodejs_scan.javascript-dos-rule-regex_dos\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A05:2021 - Security Misconfiguration\",\"value\":\"A05:2021\"},{\"type\":\"owasp\",\"name\":\"A6:2017 - Security Misconfiguration\",\"value\":\"A6:2017\"},{\"type\":\"njsscan_rule_type\",\"name\":\"NodeJS Scan ID javascript-dos-rule-regex_dos\",\"value\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"line_start\":1050,\"line_end\":1050,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js|func($, undefined)[0]:1034\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa2589df-c1ad-5108-93f0-90237b17c1b1","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}} -{"project_id":5,"author_id":1,"title":"Regular expression with non-literal 
value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"ea561c323d8e5e87040ad59ca2b926f2b005255c","location_fingerprint":"708aa3150b2b448e6894dd447689336d0ce63f19","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"f8c645cd515f94924c9a8fe73cc3e2bcf08b90ee9936462b6da57b6c28b52803\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). 
RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n // Create a RE2 object with the user supplied regex, this is relatively safe\\n // due to RE2 not supporting backtracking which can be abused to cause long running\\n // queries\\n var re = new RE2(userSuppliedRegex);\\n // Execute the regular expression against some userInput\\n var result = re.exec(userInput);\\n // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:1108:1108\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"start_line\":1108},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule 
ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"line_start\":1108,\"line_end\":1108,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js|func($, undefined)[0]|getNumber[0]:4\"}]}]}}","detection_method":"gitlab_security_report","uuid":"f72b22e4-1e01-5c53-95a5-5e3a1e2f2b16","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"initial_finding_pipeline":{"iid":1},"latest_finding_pipeline":{"iid":1}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}} +{"project_id":5,"author_id":1,"title":"Regular expression with non-literal value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"4ce7494840bb1882d5a9003b0f272f8e3e22c7a5","location_fingerprint":"4f7a2fffbb791c4cc8d1454db40b80f7fa9ed5be","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"b13b66b99eabefb8bc0d385b90cb952734e246ff3477a8ee563d6d04ef4bded4\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. 
In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n // Create a RE2 object with the user supplied regex, this is relatively safe\\n // due to RE2 not supporting backtracking which can be abused to cause long running\\n // queries\\n var re = new RE2(userSuppliedRegex);\\n // Execute the regular expression against some userInput\\n var result = re.exec(userInput);\\n // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:515:515\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"common/static/ace/ext-language_tools.js\",\"start_line\":515},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule 
ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"common/static/ace/ext-language_tools.js\",\"line_start\":515,\"line_end\":515,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"common/static/ace/ext-language_tools.js|func[0]:498\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa74cb01-2544-5d42-b9e8-0150119bf6cb","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"identifiers":[{"project_id":5,"fingerprint":"08de3511f2132da4d24f1b8b1d3ca14368a0259b","external_type":"owasp","external_id":"A1:2017","name":"A1:2017 - Injection","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"a15f44ab746431d58b21b4fc67d8c4d3fb160ca0","external_type":"eslint_rule_id","external_id":"detect-non-literal-regexp","name":"ESLint rule ID/detect-non-literal-regexp","url":null},{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},{"project_id":5,"fingerprint":"a8e828eea3aba35916401da9304619f0a218119b","external_type":"owasp","external_id":"A03:2021","name":"A03:2021 - Injection","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}} 
+{"project_id":5,"author_id":1,"title":"Incorrect regular expression","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"46e1dffeb673fa9e3de7343653b84dd9826e7312","location_fingerprint":"f866afbfc47ac0fae0da7c6df8e5ed35330e4384","name":"Incorrect regular expression","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"0152dfdd49aa1b9636cd267c12d080250199f15f21f427d3bed1a07a002e011f\",\"category\":\"sast\",\"name\":\"Incorrect regular expression\",\"description\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\\n\",\"cve\":\"semgrep_id:nodejs_scan.javascript-dos-rule-regex_dos:1050:1052\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"start_line\":1050,\"end_line\":1052},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"nodejs_scan.javascript-dos-rule-regex_dos\",\"value\":\"nodejs_scan.javascript-dos-rule-regex_dos\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A05:2021 - Security Misconfiguration\",\"value\":\"A05:2021\"},{\"type\":\"owasp\",\"name\":\"A6:2017 - Security Misconfiguration\",\"value\":\"A6:2017\"},{\"type\":\"njsscan_rule_type\",\"name\":\"NodeJS Scan ID javascript-dos-rule-regex_dos\",\"value\":\"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js\",\"line_start\":1050,\"line_end\":1050,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.sortable.js|func($, 
undefined)[0]:1034\"}]}]}}","detection_method":"gitlab_security_report","uuid":"fa2589df-c1ad-5108-93f0-90237b17c1b1","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null},"identifiers":[{"project_id":5,"fingerprint":"2bd02e525f0e78f8745e5a063ca1b5f396527a41","external_type":"owasp","external_id":"A6:2017","name":"A6:2017 - Security Misconfiguration","url":null},{"project_id":5,"fingerprint":"3f2c4e94cf8c0b53c44cb5b187963b753da9e882","external_type":"owasp","external_id":"A05:2021","name":"A05:2021 - Security Misconfiguration","url":null},{"project_id":5,"fingerprint":"518290ee3e47f4a5bba33213ca8a82e4c0d8697d","external_type":"njsscan_rule_type","external_id":"Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.","name":"NodeJS Scan ID javascript-dos-rule-regex_dos","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"ad9e1d2b073e1c296088e8fbedf8ed738d06f88a","external_type":"semgrep_id","external_id":"nodejs_scan.javascript-dos-rule-regex_dos","name":"nodejs_scan.javascript-dos-rule-regex_dos","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}} +{"project_id":5,"author_id":1,"title":"Regular expression with non-literal 
value","description":null,"severity":"medium","report_type":"sast","vulnerability_finding":{"severity":"medium","report_type":"sast","project_id":5,"project_fingerprint":"ea561c323d8e5e87040ad59ca2b926f2b005255c","location_fingerprint":"708aa3150b2b448e6894dd447689336d0ce63f19","name":"Regular expression with non-literal value","metadata_version":"15.1.4","raw_metadata":"{\"id\":\"f8c645cd515f94924c9a8fe73cc3e2bcf08b90ee9936462b6da57b6c28b52803\",\"category\":\"sast\",\"name\":\"Regular expression with non-literal value\",\"description\":\"The `RegExp` constructor was called with a non-literal value. If an adversary were able to\\nsupply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)\\nagainst the application. In Node applications, this could cause the entire application to no\\nlonger be responsive to other users' requests.\\n\\nTo remediate this issue, never allow user-supplied regular expressions. Instead, the regular \\nexpression should be hardcoded. If this is not possible, consider using an alternative regular\\nexpression engine such as [node-re2](https://www.npmjs.com/package/re2). 
RE2 is a safe alternative \\nthat does not support backtracking, which is what leads to ReDoS.\\n\\nExample using re2 which does not support backtracking (Note: it is still recommended to\\nnever use user-supplied input):\\n```\\n// Import the re2 module\\nconst RE2 = require('re2');\\n\\nfunction match(userSuppliedRegex, userInput) {\\n // Create a RE2 object with the user supplied regex, this is relatively safe\\n // due to RE2 not supporting backtracking which can be abused to cause long running\\n // queries\\n var re = new RE2(userSuppliedRegex);\\n // Execute the regular expression against some userInput\\n var result = re.exec(userInput);\\n // Work with the result\\n}\\n```\\n\\nFor more information on Regular Expression DoS see:\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\",\"cve\":\"semgrep_id:eslint.detect-non-literal-regexp:1108:1108\",\"severity\":\"Medium\",\"scanner\":{\"id\":\"semgrep\",\"name\":\"Semgrep\"},\"location\":{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"start_line\":1108},\"identifiers\":[{\"type\":\"semgrep_id\",\"name\":\"eslint.detect-non-literal-regexp\",\"value\":\"eslint.detect-non-literal-regexp\",\"url\":\"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp\"},{\"type\":\"cwe\",\"name\":\"CWE-185\",\"value\":\"185\",\"url\":\"https://cwe.mitre.org/data/definitions/185.html\"},{\"type\":\"owasp\",\"name\":\"A03:2021 - Injection\",\"value\":\"A03:2021\"},{\"type\":\"owasp\",\"name\":\"A1:2017 - Injection\",\"value\":\"A1:2017\"},{\"type\":\"eslint_rule_id\",\"name\":\"ESLint rule 
ID/detect-non-literal-regexp\",\"value\":\"detect-non-literal-regexp\"}],\"tracking\":{\"type\":\"source\",\"items\":[{\"file\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js\",\"line_start\":1108,\"line_end\":1108,\"signatures\":[{\"algorithm\":\"scope_offset\",\"value\":\"themis/static/assets/plugins/jquery-ui/ui/jquery.ui.datepicker.js|func($, undefined)[0]|getNumber[0]:4\"}]}]}}","detection_method":"gitlab_security_report","uuid":"f72b22e4-1e01-5c53-95a5-5e3a1e2f2b16","scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"},"primary_identifier":{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},"identifiers":[{"project_id":5,"fingerprint":"08de3511f2132da4d24f1b8b1d3ca14368a0259b","external_type":"owasp","external_id":"A1:2017","name":"A1:2017 - Injection","url":null},{"project_id":5,"fingerprint":"7153fe286fd77c7a6250aa9603b82d44ab1c31e4","external_type":"cwe","external_id":"185","name":"CWE-185","url":"https://cwe.mitre.org/data/definitions/185.html"},{"project_id":5,"fingerprint":"a15f44ab746431d58b21b4fc67d8c4d3fb160ca0","external_type":"eslint_rule_id","external_id":"detect-non-literal-regexp","name":"ESLint rule ID/detect-non-literal-regexp","url":null},{"project_id":5,"fingerprint":"a751f35f1185de7ca5e6c0610c3bca21eb25ac9a","external_type":"semgrep_id","external_id":"eslint.detect-non-literal-regexp","name":"eslint.detect-non-literal-regexp","url":"https://semgrep.dev/r/gitlab.eslint.detect-non-literal-regexp"},{"project_id":5,"fingerprint":"a8e828eea3aba35916401da9304619f0a218119b","external_type":"owasp","external_id":"A03:2021","name":"A03:2021 - 
Injection","url":null}],"initial_finding_pipeline":{"iid":438},"latest_finding_pipeline":{"iid":438}},"vulnerability_read":{"project_id":5,"scanner":{"project_id":5,"external_id":"semgrep","name":"Semgrep","vendor":"GitLab"}}}
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 8e1bccf92a16..ef0808757901 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -1214,10 +1214,11 @@ vulnerability_finding:
 scanner:
 - findings
 - security_findings
-primary_identifier:
+identifiers: &identifiers_definition
 - finding_identifiers
 - findings
 - primary_findings
+primary_identifier: *identifiers_definition
 initial_finding_pipeline: *pipeline_definition
 latest_finding_pipeline: *pipeline_definition
 vulnerability_read:
-- 
GitLab