Security Insight 17.11 Planning Issue

Priority Features

Columns: Areas of focus | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Dependency list - Filter by specific version in... (&16431 - closed)

Epic board

stage: implementation

backend: @subashis

frontend: @lorenzvanherwaarden

  1. Add the ability to fetch versions with new Grap... (#521483 - closed) • Subashis Chakraborty • 18.0 (continuation from 17.10)
  2. Add the ability to filter dependencies by versi... (#513147 - closed) • Subashis Chakraborty • 17.11 • On track
  3. Add the ability to filter dependencies by versi... (#521496 - closed) • Subashis Chakraborty • 17.11 • On track
  4. Add the ability to filter dependencies based on... (#520585 - closed) • Subashis Chakraborty • 17.11 • On track
  5. Add querying for component versions (#521605 - closed) • Lorenz van Herwaarden • 17.11 • On track
  6. Add operators and translation logic to API in v... (#521607 - closed) • Lorenz van Herwaarden • 17.11
  7. Add querying for component versions on group-level (#526125 - closed)
18.0
  1. On Track (from Needs Attention last week) for 18.0 delivery
  2. Risk raised last week is mitigated. Committed scope remains intact. We are fixing the project level implementation and will document an edge case.
  3. Latest update &16431 (comment 2433979330)

Add `Reachable Library` to Vulnerability Report... (&16510 - closed)

Epic board

stage: implementation

frontend: @charlieeekroon

backend: group::composition analysis

dependency: group::composition analysis

  1. [FE] Add "Reachable" to Vulnerability Report (#513995 - closed) • Zamir Martins, Charlie Kroon • 17.11 • On track
  2. [FE] Add "Reachable" To Vulnerability Details (#513989 - closed) • Zamir Martins, Charlie Kroon • 17.11 • On track
17.11
  1. On Track - Dependency on group::composition analysis backend work
  2. Noted last week, an engineer on CA has volunteered to work on frontend, continuing MRs drafted in February. Our team is assisting with MR reviews.
  3. Latest update &15781 (comment 2431219412)

Support dependency graph visuals (&16815 - closed)

Epic board

stage: implementation

frontend: @sming-gitlab

backend: Infrastructure

dependency: group::security infrastructure

  1. [FE] Integrate with API data for vulnerability ... (#519967 - closed) • Samantha Ming • 17.11 • On track
  2. [FE] Integrate with API data for Project depend... (#519965 - closed) • Samantha Ming • 17.11
  3. [FE] Integrate with API data for Group dependency (#524374 - closed) • Samantha Ming • 17.11 • Needs attention
  4. [Docs] Add dependency paths (#520266 - closed) • Ryan Lehmann • 17.11 • On track
  5. [FE] Add circular badge to dependency drawer (#520523 - closed) • Samantha Ming • 17.11 • On track
  6. [FE] Hide dependency_path_viewer (#521406 - closed) • Samantha Ming • 18.0 • On track
18.0
  1. Frontend On Track for 18.0 delivery
  2. Dependency on group::security infrastructure for backend.
  3. Latest update &16815 (comment 2426445798)

CycloneDX export for the project dependency list (#524733 - closed)

stage: refinement

backend @bwill

  1. CycloneDX export for the project dependency list (#524733 - closed) • Brian Williams • 17.11 • On track
17.11
  1. On Track for 17.11
  2. Feature is enabled globally on gitlab.com. RPI draft is available at gitlab-com/www-gitlab-com!138876 (merged).
  3. Latest update #524733 (comment 2435388299)

Time-based Vulnerability Retention Limits (&16629 - closed)

stage: implementation

frontend: @svedova

backend: Infrastructure

dependency: group::security infrastructure

  1. [Archive Export] Implement archive export UI (#515510 - closed) • Savas Vedova • 17.11 • On track
  2. [FE] Display empty state for vulnerability arch... (#524084 - closed) • Savas Vedova • 17.11 • On track
18.0
  1. Frontend On Track for 18.0 delivery
  2. Dependency on group::security infrastructure for backend
  3. Frontend work remaining is for UI notifications on report and details page.
  4. Latest update &16629 (comment 2421620276)

Security Dashboard Upgrade - New Charts and Fil... (&16517)

stage: UX and Framework Consultation

frontend: @dpisek

backend: Infrastructure

dependency: group::security infrastructure

  1. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/51+s
Q3
  1. On Track for Q3
  2. 17.11 will be consultation for UX and Analytics Framework only. No implementation is planned.

https://gitlab.com/gitlab-org/gitlab/-/issues/454794+

stage: implementation

backend: @uokeadu

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/454794+
17.11
  1. On Track for 17.11
  2. Frontend development is complete; now in the verification stage.
  3. Latest update https://gitlab.com/gitlab-org/gitlab/-/issues/454794#note_2430217668

Add PDF export of security reports (&16989 - closed)

Epic dashboard

stage: POC review / implementation

backend: @wandering_person

  1. Build proof of concept for Project PDF export o... (#517980 - closed) • Michael Becker • 17.10
  2. PDF base implementation (#524055 - closed) • Michael Becker • 18.0 • On track
  3. Legal review of Prawn licensing (#524059 - closed) • Michael Becker • 18.0 • On track
Q2
  1. On Track for Q2
  2. 17.11 focus is the core PDF generator, and working with UX on final designs.
  3. Engineering capacity focus remains shifted to support a bug separate from this project.
  4. Latest update &16989 (comment 2436273698)

Migrate dependency filtering to GraphQL (#513524 - closed)

stage: refinement > implementation

frontend: @dpisek

backend: @dpisek

  1. Migrate dependency filtering to GraphQL (#513524 - closed) • David Pisek • 17.11
TBD
  1. Epics for project and group are defined with implementation issues created. Working to align backend capacity starting %18.0
  2. Latest update #513524 (comment 2429040231)

Team member focuses

Columns: Name | Focus Areas | Capacity | Notes

@bwill

backend

  1. CycloneDX export for the project dependency list (#524733 - closed)

@charlieeekroon

backend

  1. Update Report Type tooltip to "Scanner: Full sc... (#523720 - closed) • Charlie Kroon • 17.11 • Needs attention
  2. Add `Reachable Library` to Vulnerability Report... (&16510 - closed)

@subashis

backend

  1. Dependency list - Filter by specific version in... (&16431 - closed)
75%

@wandering_person

backend

  1. Add PDF export of security reports (&16989 - closed)
  2. Investigate "Something went wrong" raised by VR (#497193 - closed)
75%

@uokeadu

backend

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/454794+ from 17.10
  2. Database migration to correct vulnerabilities i... (#523433 - closed) workflow::blocked

@dpisek

frontend

  1. Security Dashboard Upgrade - New Charts and Fil... (&16517) consultation
  2. Migrate dependency filtering to GraphQL (#513524 - closed)

@lorenzvanherwaarden

frontend

  1. Dependency list - Filter by specific version in... (&16431 - closed)
  2. Add related vulnerabilities container to issue ... (#519695 - closed)
70%

@svedova

frontend

  1. Time-based Vulnerability Retention Limits (&16629 - closed)
  2. Disable identifier filter when group has more t... (#517915)
  3. Remove banner to Vuln Report re: Auto-resolve p... (#521038 - closed)
  4. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/68+
75%

@sming-gitlab

frontend

  1. Support dependency graph visuals (&16815 - closed)

Secondary Projects and Issues

type::feature

Planned

  1. Remove banner to Vuln Report re: Auto-resolve p... (#521038 - closed) • Savas Vedova • 17.11 • On track frontend 17.11
  2. Split the "Tool" filter into separate filters f... (#503371 - closed) • Charlie Kroon • 17.11 • On track 17.10 frontend
  3. Disable identifier filter when group has more t... (#517915) • Unassigned • Backlog • On track frontend
  4. Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed) Stretch
    1. Add related vulnerabilities container to issue ... (#519695 - closed) • Lorenz van Herwaarden • 18.0 frontend backend
  5. https://gitlab.com/gitlab-org/gitlab/-/issues/523496+s group::static analysis backend support for MRs. Team support for rollout once testing is complete #523503 (closed)

Unplanned

  1. Proposal: Cap Occurrence and Project counts in ... (#521396 - closed) • Unassigned • Backlog - awaiting Product Management backend frontend

type::maintenance

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/517985+ backend 17.11
  2. [Feature flag] Cleanup resolve_vulnerability_in_mr (#525066 - closed) • David Pisek • 18.0 • On track frontend

type::bug

Planned

  1. Complete Inconsistent Display of Unknown Licenses Betwee... (#482764 - closed) • Ugo Nnanna Okeadu • 17.10 • On track 17.10 backend frontend rollout
  2. In progress Investigate "Something went wrong" raised by VR (#497193 - closed) • Michael Becker • Backlog • At risk backend
  3. Complete GitLab Security Policy Bot changed vulnerabilit... (#521907 - closed) • Brian Williams • 17.10 17.10 backend
  4. Complete Project Dependency List - Component filter list... (#521711 - closed) • Unassigned • 17.11
  5. On Hold Database migration to correct vulnerabilities i... (#523433 - closed) • Brian Williams • 18.1 • On track 17.11 backend

Unplanned

  1. Unable to filter group level vulnerability repo... (#471613 - closed) • Subashis Chakraborty • 18.1 backend
  2. Align Group-Level Dependency List with Latest S... (#524647) • Unassigned • Backlog backend workflow::blocked
  3. Re-running a security scan job will increase th... (#512562 - closed) • Schmil Monderer • 18.2 severity::2 group::security infrastructure

New Items to Discuss

  1. ~~Feature Request - Vulnerabilities Scan result A... (#513326) backend group::security infrastructure to be prioritized by Infrastructure~~
  2. Consider removing dependency list project limit (#521942 - closed) backend frontend
  3. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/68+ scheduled and assigned
  4. Add Scanner to Report Type column header. Add t... (#526093 - closed) frontend type::feature

What's on the horizon?

17.11 Release Post Candidates

  1. CycloneDX export for the project dependency list (#524733 - closed)
    1. gitlab-com/www-gitlab-com!138876 (merged)
  2. RPI: Export dependency list in CSV format (gitlab-com/www-gitlab-com!138674 - merged)
  3. https://gitlab.com/gitlab-org/gitlab/-/issues/454794+

Developer Advocacy

Features or maintenance items that the team would like to work on, where possible.

Prior items are now tracked in the internal slide deck.

Columns: Issue | Why | Type | BE/FE | Scope | Advocates

Team OKRs

OKR List

Planning Boards
  • Set the Milestone (current Milestone)
  • Update the Milestone link for the Delivery Board
  • Set the Due Date for the end of the current Milestone
Edited by Neil McCorrison