Begin architecture document for tracking vulnerabilities across multiple branches
Why is this change being made?
Vulnerability Management and Tracking across multiple branches is potentially one of the most requested Sec features in GitLab and has been for a long time. For a variety of reasons it has not yet been feasible to implement this due to scaling and performance concerns.
Finally after a concerted effort to improve a variety of these concerns, none-the-least the decomposition of the Sec database to give us dedicated DB room to facilitate such substantial features, we should now be able to consider implementing a feature like that which will require tracking orders of magnitude more information than was previously necessary, and holding a similarly massive amount of data ready in cache so that users can filter and read it on demand.
While the new Sec DB gives us a lot of room, we still need to be sure that what we build here will scale and function well lest we commit ourselves to years more technical debt.
This MR served as a springboard for a lot of brainstorming to find a suitable implementation that will allow us to track vulnerability differentials across a codebase and construct vulnerability reads to view a particular branch on demand.
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Division: If the update affects your division, share the MR in your division Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-
Commits
- Begin architecture document for tracking vulnerabilities across multiple branches