Security Insights 17.7 Planning Issue

Summary

| Areas of focus | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint) |
|---|---|---|---|---|
| type::feature Duo Vulnerability Resolution GA (&14847) | frontend @sming-gitlab, backend @subashis | GA release | 17.7 | Neil: On Track for 17.7. |
| type::feature Auto-resolve vulnerabilities when not found in subsequent scans | backend @bwill, frontend @lorenzvanherwaarden | MVC release | 17.7 | Neil: This project is worked on between group::security insights and group::security infrastructure team members. @ryaanwells is the EM. |
| type::feature CVSS / EPSS / KEV in vulnerability report and vulnerability details | frontend @svedova | Full release | 17.7 | Neil: @svedova is collaborating with group::composition analysis to understand data readiness and how that influences the frontend delivery timeline. |
| type::feature Filter by Identifier on the Vulnerability Report (&13340) | backend @bala.kumar, frontend @svedova | Limited release: limited to Project only, without pagination. Limited by Postgres capabilities. | 17.7 | Neil: This project is worked on between group::security infrastructure and group::security infrastructure team members. @ryaanwells is the EM. |
| type::feature Dependency list - Filter by specific version in... (#504984 - closed) | | Specific capability to be defined in Status | 17.7 | Neil: We do not have backend capacity for this unless prioritized above other work. |
| type::feature https://gitlab.com/groups/gitlab-org/-/epics/15372+ | group::security infrastructure | Full coverage according to defined in issue | 17.7 | Neil: Scope for 17.7 is being done in group::security infrastructure. |
| type::feature https://gitlab.com/gitlab-org/gitlab/-/issues/425327+ | @beckalippert, Eng - [TBD] | design | 17.8 | Neil: We need to align a Backend DRI for this, but have limited capacity in 17.7. |
| type::feature Design: End-user Static Reachability UX/UI (#480356 - closed) | @beckalippert, Eng - [TBD] | design | 17.8 | Neil: Per Dean, this is the highest priority of the design scope. We need to align a Backend DRI for this, but have limited capacity in 17.7. |
| type::feature Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed) | @beckalippert, Eng - [TBD] | design | 17.8 | |
| type::bug Add Vulnerabilities Detected Headline to Depend... (#502335 - closed) | backend @wandering_person, frontend @charlieeekroon | Full Resolution | 17.7 | |
| type::bug Split the "Tool" filter into separate filters f... (#503371 - closed) | backend @charlieeekroon | Full Resolution | 17.7 | Neil: This may be a complex item. We are committed to doing refinement in 17.7, and starting development once better understood. |

Team member focuses

| Name | Focus Areas | Notes |
|---|---|---|
| @bwill | backend | At capacity |
| @charlieeekroon | backend | At capacity |
| @subashis | backend | At capacity |
| @wandering_person | backend | Some capacity, but can't disrupt AI GA. |
| @dpisek | frontend | Some capacity |
| @lorenzvanherwaarden | frontend | Some capacity |
| @svedova | frontend | Some capacity |
| @sming-gitlab | frontend | At capacity |

Details

Auto-resolve vulnerabilities when not found in subsequent scans

  1. [backend] Link compliance frameworks with vulne... (#497820 - closed)
  2. [backend] Auto-resolve vulnerabilities using vu... (#465976 - closed)
  3. [backend] Adjust state changing services to uns... (#499612 - closed)
  4. [backend] Add internal event to track how many ... (#478029 - closed)
  5. [frontend integration] Add integration tests fo... (#465972 - closed)
  6. [frontend] Limit the amount of rules per policy (#503841 - closed)
  7. [frontend] Add resolve limit info message (#505706 - closed)
  8. UAT tests for 'Auto-resolve vulnerabilities whe... (#503983 - closed)

CVSS / EPSS / KEV in vulnerability report and vulnerability details

OKR: https://gitlab.com/gitlab-com/gitlab-OKRs/-/work_items/9901+

frontend scope

  1. [FE] - Add EPSS/KEV/CVSS scores to vulnerabilit... (#497388 - closed) • Savas Vedova • 17.8
  2. [FE] - Add KEV score to vulnerability report table (#502953 - closed) • Unassigned • 17.7
  3. [FE] - Add EPSS/KEV/CSVV score to single vulner... (#499407 - closed) • Savas Vedova • 17.9
  4. [FE] - Add KEV score to single vulnerability view (#502952 - closed) • Unassigned • Backlog

backend scope

  1. Knowledge transfer and understanding how these new datapoints are being integrated.

Filter by Identifier on the Vulnerability Report (&13340)

  1. [Backend] Implement filtering of vulnerabilitie... (#432419 - closed) • Bala Kumar • 17.7 • On track
  2. [Frontend] Add Identifier filter to the filtere... (#452492 - closed) • Savas Vedova • 17.7 • On track

Filter/Search Dependency List (Project / Group ... (&15305)

  1. Filter by package name AND specific version
  2. [BE] Implement License sort and filter on Graph... (#493777)

AI

Duo Vulnerability Resolution GA (&14847)

type::feature focus (non-Project)

  1. Consider defaulting Operational Vulnerabilities... (#501119) • Unassigned • Backlog frontend (blocked by &15948 (closed), planned in type::maintenance)
  2. Vulnerability Report: Update "Solution availabl... (#504502) • Becka Lippert frontend Stretch
  3. Add commit link that removed vulnerability (#372799 - closed) • Brian Williams • 17.9 • On track

type::maintenance focus

  1. https://gitlab.com/groups/gitlab-org/-/epics/15372+
    1. https://gitlab.com/gitlab-org/gitlab/-/issues/496524+s
    2. https://gitlab.com/gitlab-org/gitlab/-/issues/497823+s
    3. https://gitlab.com/gitlab-org/gitlab/-/issues/497826+s
    4. https://gitlab.com/gitlab-org/gitlab/-/issues/497828+s
    5. https://gitlab.com/gitlab-org/gitlab/-/issues/496537+s
    6. https://gitlab.com/gitlab-org/gitlab/-/issues/497825+s
    7. https://gitlab.com/gitlab-org/gitlab/-/issues/497822+s
  2. Start using only the `Security::Finding` instea... (#393394 - closed) • Adrien Narinesingh • On track
  3. https://gitlab.com/gitlab-org/gitlab/-/issues/497093+s backend
  4. Centralize vulnerability report query string sy... (&15948 - closed) frontend Stretch

type::bug focus

  1. Split the "Tool" filter into separate filters f... (#503371 - closed) • Charlie Kroon • 17.11 • On track / investigate if #498293 (closed) is a duplicate
  2. Add Vulnerabilities Detected Headline to Depend... (#502335 - closed) • Michael Becker, Charlie Kroon • 17.7
  3. Require a comment when dismissing vulnerabiliti... (#451480 - closed) • Lorenz van Herwaarden • 17.9

Unplanned bugs. Can be pulled in as capacity allows.

  1. Expose report status for security_reports endpoint (#502384) • Unassigned • Backlog
  2. Misleading message when pipeline is complete (#468867 - closed) • Unassigned • Backlog
  3. 'Create Jira Issue' button in Merge Request wid... (#441954 - closed) • Lorenz van Herwaarden • 18.6
  4. Create a GraphQL mutation to create Jira issues... (#452002 - closed) • Lorenz van Herwaarden • 18.5
  5. Stop requesting data from Jira when rendering t... (#497199) • Unassigned • Backlog
  6. GraphQL errors with partial data on the vulnera... (#498711) • Unassigned • Backlog
  7. Unable to filter group level vulnerability repo... (#471613 - closed) • Subashis Chakraborty • 18.1
  8. Security scans improperly require a "successful... (#500171)
  9. Inconsistent display of vulnerability comment w... (#438342 - closed)

Scope being worked on by other teams

  1. Add vulnerabilities as supported webhook events (#366770 - closed) • Ash McKenzie • 17.8 • Needs attention

What's on the horizon?

type::feature

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/425327+ - limited BE resources, focus on design.
  2. Design: End-user Static Reachability UX/UI (#480356 - closed) - design only
  3. Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed) - design only

type::maintenance

Team OKRs

OKR List

Planning Boards


  • Set the Milestone (current Milestone)
  • Update the Milestone link for the Delivery Board
  • Set the Due Date for the end of the current Milestone