Leverage CODEOWNERS in Vulnerability Reports
Proposal
When working with large projects like gitlab-org/gitlab, it gets difficult to manage all the vulnerabilities with a single Vulnerability Report. We have a lot of different teams involved in the development of this project, and understanding what team is responsible for the reported code can be tedious.
To help with that, we can leverage the CODEOWNERS feature, which we try to dogfood everywhere at GitLab. For example, in the gitlab report, the CODEOWNERS file tells us that app/models/vulnerability.rb is owned by the Threat Insights group. If a vulnerability is found in this file, it would help the person triaging the vulnerability to contact the right group.
Therefore, we can leverage this data in two different places:
- In the Vulnerability Page: Indicate whether a group or user is associated with the location of the vulnerability. It doesn't have to be in the main table of the Vulnerability page.
- In the Vulnerability Report: Each team would be able to filter the vulnerability by the files/folders they're responsible for.
The latter would really help with the adoption of the "Shifting Left" methodology we strive to apply at GitLab. By reducing the visible scope for each team, we make the Vulnerability Reports less overwhelming, and make the whole process more efficient.
Another place this could be useful is when creating an issue from a vulnerability. We should be able to pull the list of users/aliases into the new issue template as a suggested assignment using the `/assign @user1 @user2` quick action.
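As an added illustration (not code from this issue or from GitLab), the sketch below resolves a vulnerability's file location against a constructed CODEOWNERS sample and builds the `/assign` quick action for the new issue. It assumes simplified, section-less GitLab matching rules: a trailing `/` covers a whole directory, a pattern containing `/` is anchored at the repository root, `**` spans directories, and the last matching pattern wins.

```python
import re

# Constructed sample CODEOWNERS, not the real gitlab-org/gitlab file.
SAMPLE_CODEOWNERS = """\
*                           @gitlab-org/maintainers
app/models/                 @backend-lead
app/models/vulnerability.rb @threat-insights-dev @threat-insights-lead
/spec/**/*_spec.rb          @quality-team
"""

def parse_codeowners(text):
    """Return [(pattern, [owners...])] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules

def _glob_to_regex(pattern):
    # '**' spans directories; a single '*' stops at the next '/'.
    parts = re.split(r"(\*\*|\*)", pattern)
    return "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)

def _matches(pattern, path):
    # Assumed simplified semantics: trailing '/' covers the directory, a pattern
    # with '/' is root-anchored, a pattern without '/' matches at any depth.
    if pattern.endswith("/"):
        pattern += "**"
    body = _glob_to_regex(pattern.lstrip("/"))
    if "/" in pattern:
        return re.fullmatch(body + "(/.*)?", path) is not None
    return re.fullmatch("(.*/)?" + body + "(/.*)?", path) is not None

def owners_for(path, rules):
    # Last matching rule wins, as in a CODEOWNERS file without sections.
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners

def assign_quick_action(owners):
    # Quick-action line to prefill in the issue created from the vulnerability.
    return "/assign " + " ".join(owners) if owners else ""
```

For the file named in the proposal, `assign_quick_action(owners_for("app/models/vulnerability.rb", parse_codeowners(SAMPLE_CODEOWNERS)))` yields `/assign @threat-insights-dev @threat-insights-lead`.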