Hi Stephane,
Both fields are codes that are documented in the STIG standard documents published by DISA. The meaning of these fields is as follows:
- VULN, this field is named VULID in CARLa and refers to the STIG Vulnerability ID
- VMS stands for Vulnerability Management System number
When you use zSecure Audit to run compliance evaluations (option AU.R), the goal test details display contains a section named "References" near the bottom of all goal test results that reports the references that are relevant for the STIG control concerned. For example:
    Standard
    Standard name RACF_zOS_STIG
    Version of standard 9.02
    Description of standard
    IBM z/OS RACF Security Technical Implementation Guide (STIG)
    References
    CCI=CCI-000213
    CCI=CCI-002235
    FAMILY=RACF-ES
    STIGID=RACF-ES-000190
    VMS=4101
    VULID=V-223667
You can download the STIG standards here: https://public.cyber.mil/stigs/downloads/
In CARLa, you can use the fields REF_VMS and REF_VULID in newlist type COMPLIANCE.
They are documented in the zSecure CARLa SELECT/LIST fields manual as:
REF_VMS
This repeating field shows all reference values for a reference named VMS (must be defined with DEF_REF VMS). Contrary to the representation in field CONTROL_REF, the values are not prefixed with VMS=. VMS is used in the DISA STIG XML files to enumerate asset types.
REF_VULID
This repeating field shows all reference values for a reference named VULID= (must be defined with DEF_REF VULID). Contrary to the representation in field CONTROL_REF, the values are not prefixed with VULID=.
You can access the zSecure CARLa SELECT/LIST fields manual here: https://www.ibm.com/docs/en/szs/3.1.0?topic=fields-compliance-newlist-types-specific-compliance-reports
I hope this helps.