
Manually change or override a detected vulnerability's severity

Problem to solve

In certain cases users want to change the default severity levels of vulnerabilities. For instance, the severity set by one of the Secure scanners may be lower than the organization considers appropriate because of its particular environment or setup. In this case, the organization wants to raise the severity so that the vulnerability gets proper attention during triage and remediation.

Intended users

Proposal

Allow a user to manually override the severity on the vulnerability report.

Scope

Phase One

  • Severity can be manually adjusted to one of the GitLab vulnerability severity levels:
    • Critical
    • High
    • Medium
    • Low
    • Info
    • Unknown
  • While manually overriding a severity from the vulnerability report, the user can select only one vulnerability (bulk selection may be added in a later phase, or handled in Phase Two via a severity override policy).
  • A visual indication on the vulnerability report designates that a vulnerability's severity has been overridden.
  • A manual severity adjustment is not overwritten by subsequent scanner runs for the same vulnerability occurrence.
  • The severity override also propagates to the merge request widget and security policies.
  • Severity can be reset to the original level provided by the GitLab analyzers.
  • An audit event is recorded for every adjustment, noting the previous severity, the new severity, and the user who made the change.
  • If a customer has their own severity scoring system, they can use the Vulnerability ID to pull vulnerabilities, override them at scale, and inject the new results into the GitLab platform. These overridden severities are also applied downstream (MR widget, security policies).
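The Phase One behaviours above (override wins over the scanner value, override survives later scans, reset returns to the analyzer's level, every change is audited with old value, new value and user, and overrides can be applied in bulk by Vulnerability ID) can be captured in a small data model. The following is an added illustrative model, not GitLab's own code or API; the class names, the `VulnerabilityStore` methods and the sample finding ids are assumptions, and "original level" is modelled as the most recent severity reported by the scanner.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Severity scale as listed in the proposal (hypothetical ordering, not GitLab's enum).
SEVERITY_LEVELS = ("critical", "high", "medium", "low", "info", "unknown")


@dataclass
class AuditEvent:
    """Record of one severity change: what it was, what it became, who did it."""
    vulnerability_id: str
    user: str
    old_severity: str
    new_severity: str
    action: str  # "override" or "reset"
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


@dataclass
class Vulnerability:
    id: str
    scanner_severity: str                     # latest value reported by the analyzer
    override_severity: Optional[str] = None   # manual override, if any

    @property
    def severity(self) -> str:
        """Effective severity: a manual override takes precedence over the scanner's value."""
        return self.override_severity or self.scanner_severity

    @property
    def is_overridden(self) -> bool:
        return self.override_severity is not None


class VulnerabilityStore:
    """Hypothetical in-memory store standing in for the vulnerability report backend."""

    def __init__(self) -> None:
        self.vulnerabilities: Dict[str, Vulnerability] = {}
        self.audit_log: List[AuditEvent] = []

    @staticmethod
    def _check_level(severity: str) -> None:
        if severity not in SEVERITY_LEVELS:
            raise ValueError(f"unknown severity level: {severity!r}")

    def ingest_scan(self, findings: Dict[str, str]) -> None:
        """Apply one scanner run (vulnerability id -> severity). Existing findings take
        the scanner's new value, but a manual override is never touched."""
        for vid, severity in findings.items():
            self._check_level(severity)
            existing = self.vulnerabilities.get(vid)
            if existing is None:
                self.vulnerabilities[vid] = Vulnerability(vid, severity)
            else:
                existing.scanner_severity = severity

    def override_severity(self, vid: str, new_severity: str, user: str) -> Vulnerability:
        """Set a manual override and write an audit event with the old and new values."""
        self._check_level(new_severity)
        vuln = self.vulnerabilities[vid]
        old = vuln.severity
        vuln.override_severity = new_severity
        self.audit_log.append(AuditEvent(vid, user, old, new_severity, "override"))
        return vuln

    def reset_severity(self, vid: str, user: str) -> Vulnerability:
        """Drop the override; the effective severity returns to the analyzer's value."""
        vuln = self.vulnerabilities[vid]
        if vuln.is_overridden:
            old = vuln.severity
            vuln.override_severity = None
            self.audit_log.append(AuditEvent(vid, user, old, vuln.severity, "reset"))
        return vuln

    def bulk_override(self, overrides: Dict[str, str], user: str) -> int:
        """Apply an external scoring system's results keyed by vulnerability id.
        Unknown ids are skipped; returns the number of overrides applied."""
        applied = 0
        for vid, severity in overrides.items():
            if vid in self.vulnerabilities:
                self.override_severity(vid, severity, user)
                applied += 1
        return applied

    def report(self) -> List[dict]:
        """Rows for the report view; 'overridden' is the flag a UI would render as the indicator."""
        return [
            {"id": v.id, "severity": v.severity, "overridden": v.is_overridden}
            for v in self.vulnerabilities.values()
        ]


if __name__ == "__main__":
    # Constructed sample findings; ids are placeholders, not real vulnerability ids.
    store = VulnerabilityStore()
    store.ingest_scan({"V-1": "medium", "V-2": "low"})
    store.override_severity("V-1", "high", "alice")
    store.ingest_scan({"V-1": "low"})          # later scan: override on V-1 is preserved
    store.bulk_override({"V-2": "critical"}, "scoring-bot")
    for row in store.report():
        print(row)
    for event in store.audit_log:
        print(event.vulnerability_id, event.action, event.old_severity, "->", event.new_severity, "by", event.user)
```

The point worth checking in any real implementation is the re-scan path: the scanner's new value must update `scanner_severity` (so a later reset lands on the current analyzer level) without touching the override, and every override or reset must leave an audit event carrying both the previous and the new severity.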

Phase Two

Automated Vulnerability Severity Overrides/Cust... (&15839)

Permissions and Security

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Sara Meadzinger