Skip to content

Add temporary error budget exception for Threat Insights

Thiago Figueiró requested to merge thiagocsf/ti-error-budget-exception into master

Why is this change being made?

Add an exception entry for groupthreat insights to Stage Groups with different error budgets.

Proposed temporary budget: 99.5%.

Reason for exception

  1. Work for improving the error budget is scoped out and fully planned, and funded. Completing the work will take more than a single release month, and while the work is being completed it is expected that the Error Budget will be regularly spent.

Process

Clear description of the problem that is the cause of the budget spend

By far, the largest contributor to the budget spend are requests to GET /api/:version/projects/:id/vulnerability_findings. This request relies on an early design decision to store vulnerability findings as CI pipeline artifacts, in format of JSON reports.

There are two relevant Epics in progress that will correct this problem:

  1. Deprecate and remove Vulnerabilities::Feedback (gitlab-org&5629 - closed). The request above depends on a model that is being refactored-out. As part of the work, queries that depend on this model will be rewritten.
  2. Extend the use of `security_findings` (gitlab-org&8341 - closed). The content required to fulfill the request above is ultimately still stored as a JSON report, which incurs the cost of fetching the report, and parsing it. This epic improves on this architecture by selectively ingesting parsed JSON information into the postgres DB.

image

Relevant resources showing that the work is scoped out

The epics above are prioritized, and work is under way.

Target date when the exception must be revisited

We expect gitlab-org&5629 (closed) to finish in %15.8, and gitlab-org&8341 (closed) in %15.7. This exception should be revisited in %15.9 (2022-02-22), at which time we expect to be able to rely on the regular budget spend to continue addressing the remaining violations.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Thiago Figueiró

Merge request reports