Threat Insights 16.5 Planning
Summary
In 16.5 we will:
- Start [Experiment] - Vulnerability Resolution (&10779 - closed) with a backend proof of concept.
- Support group::composition analysis to bring the MVC for CVSS support in GitLab.
- Make sure users can easily identify new vulnerabilities in the pipeline se... (#421056).
- Release the MVC of Vulnerability report grouping (&10164) which will allow grouping by status and severity.
- Start work on Migrate Pipeline Security Tab to GraphQL (&8054) which removes tech-debt and unblocks some feature work.
- Add vulnerability filtering by "Has Merge Request"
- Tackle a healthy amount of bugs
- Keep sharing demos of our work
Focus
type::feature focus
- [Experiment] - Vulnerability Resolution (&10779 - closed)
- Integrate standalone finding modal with MR widget (#413516 - closed) • Lorenz van Herwaarden • 16.8 • On track
- Security MR widget shows all findings as new wh... (#390024 - closed) • Mehmet Emin INAC • 16.6, this is a part of this OKR.
- Add support for CVSS: first iteration (&11213 - closed) (DRI: @Quintasan)
- Add support for CVSS vectors in the security re... (#422031 - closed) • Oscar Tovar • 16.5 • On track customer
- Create database columns to store CVSS vector (#424019 - closed) • Michael Becker • 16.5 • On track
- Add model-level validations for CVSS vector (#424020 - closed) • Subashis Chakraborty • 16.5 • On track
- Adjust vulnerabilities ingestion pipeline to ac... (#424021 - closed) • Michał Zając • 16.5 • On track
- Use database for project dependency list (&8293 - closed) (DRI: @zmartins)
- backend Add GraphQL support for license data in relatio... (#422254 - closed) • Zamir Martins • 16.4 • On track
- backend [Spike] Add advisory data as part of SBOM occur... (#422258 - closed) • Zamir Martins • 16.5 • On track
- backend Add a feature flag to toggle between `dependenc... (#393061 - closed) • David Pisek, Zamir Martins • 16.9 • On track
- backend Add vulnerabilities into sbom_occurrences. (#426121 - closed) • Zamir Martins • 16.5
- backend Update sbom_occurrences ingestion in order to f... (#426122 - closed) • Zamir Martins • 16.7 • On track
- backend Add vulnerabilities as part of graphql dependen... (#426123 - closed) • Zamir Martins • 16.7 • On track
- backend Update dependency entity to support vulnerabili... (#426124) • Unassigned • Backlog
- backend Update dependencies related UI components to in... (#426125) • Unassigned • Backlog
- backend Add support to sorting (two levels) based on th... (#426126 - closed) • Zamir Martins • 16.7 • Needs attention
- Post-MVC Group/Sub-group level Dependency List (&10090) (DRI: BE @mokhax, FE @dpisek)
- frontend Add "project" filter option to group-level depe... (#422356 - closed) • David Pisek, Brian Williams • 16.7 • On track
- frontend Add "license" filter option to group-level depe... (#422355 - closed) • David Pisek, mo khan • 16.5 • On track
- backend [Feature flag] Rollout of `ingest_sbom_licenses` (#423466 - closed) • mo khan • 16.5 • On track
- backend Add `&licenses[]=<spdx_id>` query string parame... (#422087 - closed) • mo khan • 16.5 • On track
- backend Add `&component_names[]=` query string paramete... (#422088 - closed) • David Pisek, mo khan • 16.5 • On track
- backend Add `&package_managers[]=` query string paramet... (#422089 - closed) • mo khan • 16.5 • On track
- backend Add `<group>/-/dependencies/licenses.json` to r... (#422293 - closed) • David Pisek, mo khan • 16.5 • On track
- Granular Security Permissions (&10684 - closed) (DRI: @mokhax)
- Additional Activity filters for Vulnerability R... (&7883 - closed)
- Frontend: Add hasMergeRequest filter to Vulnera... (#424649 - closed) • Samantha Ming • 16.5
- Database: Add hasRemediations filter to Vulnera... (#420617 - closed) • Bala Kumar • 16.5 • On track
- Backend: Add hasRemediations filter to Vulnerab... (#358638 - closed) • Subashis Chakraborty • 16.7 • On track
- Vulnerability report grouping (&10164) (DRIs: backend @bala.kumar, frontend @svedova)
- backend BE: Model changes to support vulnerability repo... (#425783) • Bala Kumar • Backlog • Needs attention
- backend BE: GraphQL to support vulnerability report gro... (#425786) • Bala Kumar • Backlog • On track
- backend Spike: Investigate storing OWASP top 10 labels ... (#423557 - closed) • Bala Kumar • 16.6
- Update vulnerability list data when group is se... (#424345 - closed) • Samantha Ming • 16.5
- Display number of items for each group (#424441 - closed) • Daniel Tian • 16.5
- Store selected group into URL (#424348 - closed) • Savas Vedova • 16.5
- Restructure vulnerability report's Tool filter (&11237 - closed) (DRIs: frontend @sming-gitlab) workflow::planning breakdown
- frontend Connect project tool filter under FF `project_... (#424349 - closed) • Samantha Ming, Daniel Tian • 16.6
- frontend Expose additional scanner data in HAML (#424350 - closed) • Samantha Ming • 16.5
- frontend Update the UI of the project tool dropdown with... (#424351 - closed) • Samantha Ming • 16.5
- frontend Ensure the dropdown selection function as expected (#424473 - closed) • Samantha Ming • 16.5
type::maintenance focus
- Follow-up after deprecate the use of Vulnerabil... (&9552) (DRI: @mallocke)
- Proper 1:1 relationship between Vulnerabilities... (&11030 - closed) (DRI: @Quintasan)
- [Spike] Investigate scope changes of GraphQL mi... (#425934 - closed) • David Pisek • 16.6 • On track • Threat Insights::Tangerine (DRI: @dpisek)
type::bug focus
- priority::2 / severity::2
- Performance issues on vulnerability_findings en... (#411666 - closed) • Subashis Chakraborty • 16.9 • On track
- Dismissing finding does not set dismissal reaso... (#424989 - closed) • Subashis Chakraborty, Michael Becker • 16.5 • Threat Insights::Navy
- Database timeout when viewing the group depende... (#425274) • Brian Williams • 17.2 • On track
- priority::2 / severity::3
- priority::2 / severity::4
- priority::3 / severity::3
- priority::4
Extra
- Vue.js 3 Migration Working Group (@sming-gitlab)
- Software supply-chain security Working Group (@bwill backend, @dftian frontend)
- CSS utilities Working Group (@svedova, @dpisek)
What's on the horizon?
- MR Security widget - migrate to GraphQL (&10962) • Threat Insights::Navy (DRIs: frontend TBD, backend TBD)
- Use rubygem to release security report schemas (&9314) (needs a DRI; currently assigned to Threat Insights::Tangerine)
- Change 1:N to 1:1 relation between Vulnerabilit... (&10819) • Threat Insights::Tangerine (DRI: @Quintasan)
- Delete `vulnerability_occurrence_pipelines` table (&11241) • Threat Insights::Tangerine (DRI: TBC)
Team OKRs
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3523+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/4222+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3371+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3368+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3369+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3370+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/3810+
- https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/4118+
Planning Boards
- Delivery Board - columns are workflow labels
- Planning Board - columns are milestones
- Set the Milestone (current Milestone)
- Update the Milestone link for the Planning Board
- Set the Due Date for the end of the current Milestone
Edited by Alana Bellucci