Show linked vulnerabilities in Issues

Problem to solve

Vulnerabilities can be linked to one or more Issues which will display on a vulnerability's details page. However, this relationship is not shown on the Issue. If I am looking at an Issue, I have no way to know if it is linked with a vulnerability. I also have no way of adding or removing any vulnerability links from the Issue (I can only do this from the vulnerability).

Intended users

User experience goal

A user should be able to load an Issue and quickly view, add, or remove links to vulnerabilities.

Proposal

Mirror how the Related Issues feature on an Issue works today. Possibly create a new Related Vulnerabilities block.

Further details

Considerations:
  • Do we allow linking the same vulnerability from more than one Issue?
  • Can an Issue be linked to more than one vulnerability?

Requirements:
  • The component to view/add/remove vulnerabilities will only appear for Ultimate/Gold customers
  • Add new metrics capture for adding and removing vulnerability links

Permissions and Security

We need to be careful not to leak information to non-privileged users. Users should only be able to:

  • See linked vulnerabilities for which they have permissions to access; if not, they do not see anything
  • Search for and link to only vulnerabilities for which they have permissions to access

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

This will impact devopsplan as it lives on the Issue page.

Edited by Matt Wilson
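
The access rules listed under Permissions and Security, sketched as an added Ruby example. It is not GitLab code: the `Viewer`, `Vulnerability` and `IssueVulnerabilityLinks` names, the per-project permission model and the sample data are assumptions made for illustration.

```ruby
require 'set'

# Hypothetical model, not GitLab code. Assumption: access is decided per project.
Vulnerability = Struct.new(:id, :project_id, :title)
Viewer = Struct.new(:name, :readable_project_ids) do
  def can_read?(vuln)
    readable_project_ids.include?(vuln.project_id)
  end
end

class IssueVulnerabilityLinks
  NotFound = Class.new(StandardError)
  def initialize(vulnerabilities)
    @vulns = vulnerabilities.to_h { |v| [v.id, v] }
    @links = Hash.new { |hash, issue_id| hash[issue_id] = Set.new }
  end

  # Returns only the links the viewer may read: no placeholders, no hidden count.
  def visible_for(viewer, issue_id)
    @links[issue_id].map { |id| @vulns[id] }.select { |v| viewer.can_read?(v) }
  end

  # Search covers the permitted set only, so titles cannot be probed by query.
  def search(viewer, term)
    @vulns.values.select { |v| viewer.can_read?(v) && v.title.downcase.include?(term.downcase) }
  end

  def link(viewer, issue_id, vuln_id)
    @links[issue_id] << readable!(viewer, vuln_id).id
  end

  def unlink(viewer, issue_id, vuln_id)
    @links[issue_id].delete(readable!(viewer, vuln_id).id)
  end

  private
  # Unknown and forbidden ids raise the same error, so ids cannot be enumerated.
  def readable!(viewer, vuln_id)
    vuln = @vulns[vuln_id]
    raise NotFound, 'vulnerability not found' unless vuln && viewer.can_read?(vuln)
    vuln
  end
end

# Constructed sample data.
SAMPLE_VULNS = [
  Vulnerability.new(1, 10, 'SQL injection in search'),
  Vulnerability.new(2, 20, 'SQL injection in admin export')
].freeze
```

The count shown on the Issue should come from `visible_for` as well, so the number of hidden links is not disclosed.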