
Security Insight 17.9 Planning Issue

Summary

Columns: Area of focus | DRI | Delivery scope for current milestone | Completion milestone | Status (mid-milestone checkpoint)

type::feature - Support Filter by Identifier for group level (#508713 - closed)
DRI: backend @wandering_person, frontend @svedova (stage: implementation)
Delivery scope: Enable for Groups
Completion milestone: %17.9
Status: On Track. Backend is complete. Frontend MR to add to UI is in review.
Latest update: #508713 (comment 2319959866)

type::feature - Efficient Dependency & Container Vulnerability ... (&11544 - closed)
DRI: eng @svedova
Delivery scope: EPSS, CVSS, KEV support for single vuln page. Waiting for GraphQL addition !177071 (merged). See &11544 (comment 2284618867)
Completion milestone: %17.9
Status: On Track. Backend and Frontend are complete. Rolling out to test projects this week.
Latest update: &11544 (comment 2328920396)

type::feature - Implement EPSS / KEV / CVSS Filters (gitlab-com&2480 - closed)
DRI: backend @bwill (stage: spike)
Delivery scope: Filtering requires 3 new indices. We need to first understand our capabilities and if we can add these under the current database constraints. We will refine the first backend issue as a spike - [BE] [Post-MVC] Add support for filtering by EPSS (#511286) • Unassigned • Backlog
Status: Spike is complete. Infrastructure has shared their analysis and plan to expand filtering capabilities. Waiting for scheduling &13510 (closed)

type::feature - Add `Reachable Library` to Vulnerability Report... (&16510 - closed)
DRI: frontend @sming-gitlab (stage: implementation)
Delivery scope: Add Reachable to Vulnerability Report and Details pages.
  • [FE] Add "Reachable" to Vulnerability Report (#513995 - closed)
  • [FE] Add "Reachable" To Vulnerability Details (#513989 - closed)
  • Backend work scheduled for 17.10: #513990 (closed)
  • Out of scope: Filtering
Completion milestone: %17.10
Status: N/A for 17.9. Backend work is scheduled for 17.10. Optimistically we can implement frontend in 17.10.

type::feature - Dependency list - Filter by specific version in... (&16431 - closed) • Subashis Chakraborty, Lorenz van Herwaarden • On track
DRI: frontend @lorenzvanherwaarden, backend @subashis (stage: implementation)
Delivery scope: Filter by component version
Completion milestone: %17.9
Status: Needs Attention. Originally scoped to support < > operators, while it may only be possible to support EQ. This scope is additionally prioritized following the Enhanced Bulk Actions below. The team is discussing a revised proposal and will share this week.
Latest update: &16431 (comment 2326528127)

type::feature - Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed)
DRI: backend @subashis, frontend @lorenzvanherwaarden (stage: implementation)
Delivery scope:
  • 17.9 - Bulk attach a vulnerability to an existing issue #408470 (closed)
  • 17.9 - Bulk attach a vulnerability to a new issue #267589 (closed)
  • Unplanned - Bulk attach a vulnerability to an existing Jira issue
Status: On Track
  1. Attach to existing issue is in verification.
  2. Bulk attach to new issue has started backend.
Latest update: &13216 (comment 2326519138)

type::feature - https://gitlab.com/gitlab-org/gitlab/-/issues/425327
DRI: designer @beckalippert (stage: design)
Status: Awaiting scheduling for refinement and implementation

type::feature - Export dependency list in CSV format (#435843 - closed)
DRI: backend @bwill, frontend TBD - likely 17.10 (stage: implementation)

Delivery scope: Dependency List
Status: On Track
  1. Email delivery is complete and being tested. Verified on /gitlab projects.
  Latest update: #513149 (comment 2328552480)
  1. Work completed to expand how exports are generated and stored
  2. Moving to CSV generation.
  Latest update: #435843 (comment 2316342013)

Delivery scope: Vulnerability Report
Status: On Track
  1. Implementation has started, but is prioritized lower than other objectives in the milestone.

type::feature - Dependency list - Component Filter at the Proje... (&16490 - closed)
DRI: backend @wandering_person, frontend @sming-gitlab (stage: implementation)
Delivery scope: This is the first filter to be added to the project dependency list. It will take additional work to implement the scaffolding for search.
Status: On Track. Feature is complete and enabled by default for 17.9. Documentation updated.
Latest update: &16490 (comment 2322231883)

type::maintenance - Inconsistent Display of Unknown Licenses Betwee... (#482764 - closed)
DRI: backend @uokeadu (stage: bug fix)
Status: At Risk for 17.9 due to incoming requirements and design updates. Development has started. The team is getting help on setting up test projects to replicate the varied examples.
Latest update: #482764 (comment 2320273483)

type::maintenance - https://gitlab.com/groups/gitlab-org/-/epics/15372
DRI: group::security infrastructure
Delivery scope: https://gitlab.com/gitlab-org/gitlab/-/issues/512192
Status: Closed. Was done by group::security infrastructure

type::feature - Split the "Tool" filter into separate filters f... (#503371 - closed)
DRI: fullstack @charlieeekroon (stage: implementation)
Status: On Track - Slightly Confident
  1. First MR to update column header is merged.
  2. Second MR to separate out Scanner has started review.
  3. Third/final MR to add Report Type has not started.
Spike created for group report support.
Latest update: #503371 (comment 2326242485)

type::bug - Require a comment when dismissing vulnerabiliti... (#451480 - closed)
DRI: frontend @lorenzvanherwaarden (stage: implementation)
Status: Complete
  1. Comment is now required when dismissing individual Vulnerability and Finding
  2. Docs updated
Final update: #451480 (comment 2317540665)

type::feature - https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/19
DRI: design @beckalippert; frontend consult @svedova @dpisek (stage: design)
Delivery scope: https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/47 - @beckalippert to review and define which widgets to start with
Status: Started infrastructure discussion
  1. Gap analysis for UI is complete.
  2. First 4 components have been identified.
  3. Began weekly project sync between group::security insights and group::security infrastructure
  4. Initial action items to determine data store requirements drafted at https://gitlab.com/gitlab-org/gitlab/-/issues/515373

Team member focuses

Columns: Name | Focus area | Notes

@bwill (backend) - At capacity
  1. Export dependency list in CSV format (#435843 - closed)
  2. [BE] [Post-MVC] Add support for filtering by EPSS (#511286) • Unassigned • Backlog

@charlieeekroon (backend) - At capacity
  1. Add commit link that removed vulnerability (#372799 - closed) • Brian Williams • 17.9 • On track
  2. Split the "Tool" filter into separate filters f... (#503371 - closed) • Charlie Kroon • 17.11 • On track

@subashis (backend) - At capacity
  1. Dependency list - Filter by specific version in... (&16431 - closed)
  2. Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed)

@wandering_person (backend) - At capacity
  1. Support Filter by Identifier for group level (#508713 - closed)
  2. Dependency list - Component Filter at the Proje... (&16490 - closed)

@uokeadu (backend) - At capacity
  1. Artifact download for security scans in merge r... (#420907 - closed) • Ugo Nnanna Okeadu • 17.8 (closed)
  2. Inconsistent Display of Unknown Licenses Betwee... (#482764 - closed) • Ugo Nnanna Okeadu • 17.10 • On track
  3. Extract the logic for storing pending/loaded re... (#271580 - closed) • Ugo Nnanna Okeadu • 17.9
  4. https://gitlab.com/gitlab-org/gitlab/-/issues/454794

@dpisek (frontend) - At capacity
  1. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/47
  2. AI-Resolution on the MR widget: Use mutation ob... (#510322 - closed) • David Pisek • 17.9

@lorenzvanherwaarden (frontend) - At capacity
  1. Dependency list - Filter by specific version in... (&16431 - closed)
  2. Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed)
  3. Require a comment when dismissing vulnerabiliti... (#451480 - closed) • Lorenz van Herwaarden • 17.9

@svedova (frontend) - At capacity
  1. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/47
  2. Support Filter by Identifier for group level (#508713 - closed) • Savas Vedova, Michael Becker • 17.9 • At risk - frontend almost complete
  3. Efficient Dependency & Container Vulnerability ... (&11544 - closed) - frontend almost complete

@sming-gitlab (frontend) - At capacity
  1. [FE] End-user Static Reachability - Add `Reacha... (#512548 - closed) • Samantha Ming • 17.9 (moved to 17.10)
  2. Dependency list - Component Filter at the Proje... (&16490 - closed)

Projects

Filter by Identifier on the Vulnerability Report (&13340)

Design: Show EPSS, CVSS, KEV for CVEs (#427441 - closed)

Add filters for EPSS,CVSS, KEV

Duo Vulnerability Resolution: Gap Analysis for ... (gitlab-org#16060 - closed) • Meir Benayoun • At risk

https://gitlab.com/groups/gitlab-org/-/epics/16066

Filter/Search Dependency List (Project / Group / JSON API / GraphQL API)

  1. Dependency list - Filter by specific version in... (#504984 - closed)
  2. Dependency list - Component Filter at the Proje... (#493775 - closed)

Vulnerability report and Dependency list exporting (&16290)

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/425327
  2. Dependency list exports in CycloneDX SBoM forma... (#407453 - closed) • Unassigned • Backlog

Additional Risk Factors

Design: End-user Static Reachability UX/UI (#480356 - closed) • Becka Lippert, Neil McCorrison+ • 17.8

Issue Creation Functionality

Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed) • Subashis Chakraborty, Lorenz van Herwaarden

type::maintenance

type::maintenance focus

  1. Extract the logic for storing pending/loaded re... (#271580 - closed) • Ugo Nnanna Okeadu • 17.9

type::bug focus

  1. Require a comment when dismissing vulnerabiliti... (#451480 - closed)
  2. Split the "Tool" filter into separate filters f... (#503371 - closed)
  3. Remove ignore rule of `vulnerability_count` col... (#497136 - closed) - Not yet planned for work -cc: @nmccorrison
  4. Failure in ee/browser_ui/10_govern/vulnerabilit... (#499388) - Not yet planned for work -cc: @nmccorrison
  5. Dependencies Export fails to validate SBOM usin... (#512133) - Not yet planned for work -cc: @nmccorrison

Scope being worked on by other teams

  1. [E2E] Create an E2E spec to test auto resolve f... (#512349) • Unassigned

What's on the horizon?

type::maintenance

Developer Advocacy

Features or maintenance items that the team would like to work on, where possible.

Columns: Issue | Why | Type | BE/FE | Scope | Advocates

Issue: [Docs] Document how to generate vulnerabilities... (#509332) • Savas Vedova, Charlie Kroon
Why: It can be difficult to properly test locally. Especially new datapoints like our scoring metrics.
Type: type::maintenance
BE/FE: documentation
Scope: Small
Advocates: @svedova @charlieeekroon

Issue: Migrate dependency page away from Vuex (#514535) • Samantha Ming • Backlog
Why: Continuing to use a deprecated stack increases risk and slows down feature delivery. Let's migrate away now while the disruption is low.
Type: type::maintenance
BE/FE: frontend & backend
Scope: Medium
Advocates: @sming-gitlab

Team OKRs

OKR List

Planning Boards


  • Set the Milestone (current Milestone)
  • Update the Milestone link for the Delivery Board
  • Set the Due Date for the end of the current Milestone