Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Vulnerabilities are created as confidential by default - backstage

Problem to solve

The backstage implementation of the First-class Vulnerabilities has introduced the Vulnerability entity. The MVC Standalone Vulnerability objects will provide the frontend representation for these objects. But currently, they are created as "visible by anyone object".

Intended users

Sam (Security Analyst)

Proposal

According to engineering discovery, Vulnerabilities should be created confidential by default. Confidential Vulnerabilities should work in the same way as Confidential Issues from the UX and permissions perspective.

Permissions and Security

Copy the confidential Issues permissions model to Vulnerabilities

Documentation

[-] ~~Update the Vulnerabilities user docs page~~ this is not required, it's enough to update the Permissions page stub, which has already been performed.
[-] ~~Update the Create a Vulnerability from Finding API docs entry~~ the same

Testing

See the development log.

What does success look like, and how can we measure that?

GitLab users won't have the vulnerabilities information disclosed for their projects.

What is the type of buyer?

GitLab Ultimate

Links / references

Development log

Status

Introduce new permission read_vulnerability for read operations on Vulnerabilities as an alias for read_project_security_dashboard ability
[-] ~~Implement the VulnerabilityPolicy rules for confidentiality similarly to IssuePolicy and use the read_vulnerability ability as a prerequisite for all checks~~ There's no need in separate VulnerabilityPolicy, everything can be decided at EE::ProjectPolicy
Add new tests
- New access tests for GET /projects/:id/vulnerabilities endpoint
- New access tests for create_vulnerability
  - First, wait for !18283 (merged) is merged
  - Vulnerabilities::CreateService
  - POST /projects/:id/vulnerabilities endpoint
- New access tests for resolve_vulnerability
  - Vulnerabilities::ResolveService
  - POST /vulnerabilities/:id/resolve endpoint
- New access tests for dismiss_vulnerability
  - Vulnerabilities::DismissService
  - POST /vulnerabilities/:id/dismiss endpoint

Decisions

Vulnerabilities are confidential but the minimum access level required is Developer
There's no need in separate VulnerabilityPolicy, everything can be decided at EE::ProjectPolicy

Edited Nov 03, 2019 by Victor Zagorodny

Assignee Loading

Time tracking Loading