Vulnerability scans must be in a native, comma-separated value (CSV) format before they can be used on the SMS. If you use a supported vulnerability management product from Qualys, Rapid7, or Tenable, the SMS can automatically convert those vulnerability scan results into native format.
CSV file specifications
Note the following CSV file specifications (and sequence) before you import a vulnerability scan:
  • The first line in the CSV file must be the column headers for each of the columns.
  • Each row after the header must contain the same number of columns that are in the header.
  • Each column must be delimited with a comma.
  • The value within each column must be wrapped in double quotes; however, embedded double quotes are not permitted (for example, "This is "invalid" data" is rejected).
  • Each row in a CSV file must be less than 65536 bytes.
Vulnerability scan specifications
The minimum data required for a vulnerability scan is:
  • IP Address - (host IP addresses) The maximum number of host IP address and vulnerability combinations that you can import on the SMS is 10 million. When the SMS reaches the maximum limit, it displays an error message, and you must delete vulnerability scans before you can import a new scan.
  • CVE IDs - Each CVE ID must be in the format CVE-YYYY-NNNN, where YYYY is a four-digit year and NNNN is a sequence number.
  • Severity - Vulnerabilities are assigned severity levels to define the urgency associated with remediating each vulnerability. Rankings are based on a variety of industry standards including CVE.
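The following pre-import check applies the CSV file and vulnerability scan rules listed above to a file before it is handed to the SMS. It is an added example, not code from the SMS or its vendor. The header names "IP Address", "CVE IDs" and "Severity", the acceptance of sequence numbers longer than four digits, and the sample rows are assumptions made for illustration.

```python
import ipaddress
import re

MAX_ROW_BYTES = 65536
# Assumption: sequence numbers longer than four digits are accepted (page shows NNNN).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def split_row(line):
    """Split one row of fully quoted fields; return (fields, error)."""
    if len(line.encode("utf-8")) >= MAX_ROW_BYTES:
        return None, "row is not less than 65536 bytes"
    if len(line) < 2 or not (line.startswith('"') and line.endswith('"')):
        return None, "every value must be wrapped in double quotes"
    fields = line[1:-1].split('","')
    if any('"' in f for f in fields):
        return None, "embedded or unbalanced double quote"
    return fields, None

def validate_scan_csv(text, ip_col="IP Address", cve_col="CVE IDs"):
    """Return a list of (line_number, message) problems; empty means OK."""
    lines = text.splitlines() or [""]
    header, err = split_row(lines[0])
    if err:
        return [(1, "header: " + err)]
    problems = [(1, f"missing column {c!r}") for c in (ip_col, cve_col) if c not in header]
    if problems:
        return problems
    for n, line in enumerate(lines[1:], start=2):
        fields, err = split_row(line)
        if err:
            problems.append((n, err))
            continue
        if len(fields) != len(header):
            problems.append((n, f"{len(fields)} columns, header has {len(header)}"))
            continue
        row = dict(zip(header, fields))
        try:
            ipaddress.ip_address(row[ip_col])
        except ValueError:
            problems.append((n, f"bad IP address {row[ip_col]!r}"))
        if not CVE_RE.fullmatch(row[cve_col]):
            problems.append((n, f"bad CVE ID {row[cve_col]!r}"))
    return problems

# Constructed sample: header names are assumed, CVE IDs are placeholders.
SAMPLE = '''"IP Address","CVE IDs","Severity"
"192.0.2.10","CVE-2099-0001","High"
"192.0.2.11","CVE-14-160","High"
"192.0.2.12","CVE-2099-0002","This is "invalid" data"
"192.0.2.13","CVE-2099-0002"'''
```

Calling `validate_scan_csv(SAMPLE)` reports lines 3, 4 and 5: a malformed CVE ID, an embedded double quote, and a row with fewer columns than the header.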