This section provides orientation on managing the catalogue of vulnerabilities.
Vulnerabilities identified in technology assets by scanners integrated with the system are automatically included in this catalogue. They can also be manually registered and imported to the system through a specially prepared Excel spreadsheet. Once included in the catalogue, occurrences of vulnerabilities can be manually mapped to technology assets in the organizational structure through a second spreadsheet. These will be displayed in the Vulnerabilities tab for technology assets in the organizational structure and consolidated for the perimeters they belong to. These technology assets can then be included in risk projects, where any vulnerabilities automatically or manually mapped to them can enter the risk management cycle.
Note that you can configure time limits for the associations between vulnerabilities and assets to expire or be deleted. After the configured time for expiration, the vulnerabilities will remain in the catalogue but will no longer be associated with assets in the Organization module and, when processed in risk projects, the Risk Score will not be calculated for them. However, after the configured time for deletion, the associations between vulnerabilities and assets will be permanently deleted from the system. The vulnerabilities will remain registered in the system, but will no longer be associated with assets, and their associations with events for treating vulnerabilities will remain.
For details on creating routines to automatically import vulnerabilities identified by external scanners, see Chapter 17: Administration -> Integrations -> Integration Tasks. For details on mapping occurrences of vulnerabilities to assets in the organizational structure, see Chapter 5: Risk -> Vulnerabilities. For details on configuring the expiration and deletion time for vulnerabilities, see Chapter 17: Administration -> Settings -> Obsolete Elements.