Link fixed vulnerability to project release


Release notes

Problem to solve

As a developer who has fixed a vulnerability in a GitLab project and released a new version, I want the fixed vulnerability to be linked to the release in which it was fixed, so that I can easily communicate to users what has been fixed.

This complements the project CHANGELOG, which gives only an overview of the security fixes.

Intended users

User experience goal

  1. As a developer, I solve a security issue and push a security fix to the codebase.
  2. I release a new version using project releases.
  3. I go back to the vulnerability from which the security issue was created.
  4. I dismiss the vulnerability and link it to the release in which it was fixed.
  5. The fixed vulnerability shows up on the release page.

Proposal

  • Project releases can be linked from a vulnerability
  • Vulnerabilities are listed from project releases

Further details

Permissions and Security

To be discussed: Vulnerabilities linked to project releases would be made visible to users who can see the releases. Note that this widens access: release pages can be read by project members (and, for public projects, by anonymous visitors) who are not permitted to view the project's vulnerability report, so the link would expose vulnerability details to a broader audience than the report itself.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

Users can easily get details on what vulnerabilities have been fixed in a given release. They can jump from releases to vulnerabilities.

What is the type of buyer?

Is this a cross-stage feature?

No.

Links / references
