
Security Insights 18.0 Planning Issue

Priority Features and Maintenance

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Dependency list - Filter by specific version in... (&16431 - closed)

type::feature

🟢

stage: implementation

backend: @subashis

frontend: @lorenzvanherwaarden

  1. Implementation for new DB field
18.1

🟢 On Track. Aiming for 18.0 with revised DB plan.

Latest update: &16431 (comment 2462707315)

Add PDF export of security reports (&16989 - closed)

type::feature

🟢

stage: POC review / implementation

backend: @wandering_person

  1. DONE - Complete dependency evaluation (groups and technical)
  2. Legal review of Prawn licensing (#524059 - closed)
  3. PDF base implementation (#524055 - closed) • Michael Becker • 18.0 • On track
Q2

🟢 On Track for base generator implementation. We had project kickoff this week, which prompted a discussion around scope and prioritization that may change the direction. Awaiting direction from Product.

Support high performing CWE-78 and CWE-89 in vu... (#534307 - closed)

type::feature

🟢

stage: implementation

backend: @uokeadu

🟢 dependency of: group::static analysis

  1. Support high performing CWE-78 and CWE-89 in vu... (#534307 - closed)
  2. Enable database-driven availability for AI-assi... (#499978 - closed)
18.0

🟢 On Track

Development work for the first issue is complete. Documentation is in reviews.

Sec Decomposition finalization is blocking database MRs currently. Migration will run once unblocked.

Latest update #534307 (comment 2469378795)

Vulnerability Management utilizing ElasticSearch (&13510 - closed) MVC

type::feature

🟢

stage: implementation

frontend: @svedova

backend: Infrastructure

🟡 dependency of: group::security infrastructure

  1. Integrate frontend with GraphQL APIs for Vulner... (#532716 - closed)
  2. Integrate frontend with GraphQL APIs for Vulner... (#532703 - closed)
  3. Centralize vulnerability report query string sy... (&15948 - closed)
18.0

🟢 On Track

Scope has decreased with existing APIs being used. Frontend work is waiting on the query that will inform availability of ES.

Latest update &13510 (comment 2467572926)

SPDX Export for the Dependency List at the Proj... (#535097)

type::feature

🟡

stage: definition / refinement in 18.0

backend: @bwill

  1. SPDX Export for the Dependency List at the Proj... (#535097) • Unassigned • Backlog
18.1

Definition is in progress.

Migrate dependency list to GraphQL: Project-level (&17253 - closed)

type::maintenance

🟢

stage: implementation

frontend: @dpisek

backend: @charlieeekroon

  1. Add Vuex action to fetch dependencies via GraphQL (#527083 - closed)
  2. Create separate GraphQL type, resolver and inte... (#532476 - closed)
  3. Add support to sort-by-license to GraphQL endpoint (#527254 - closed) • Charlie Kroon • 18.1
18.0

🟢 On Track for scope defined for 18.0. Optimistically will be fully complete.

Latest update &17253 (comment 2464568829)

https://gitlab.com/gitlab-org/gitlab/-/issues/526948

spike, customer

🟢

stage: spike

backend: @bwill

  1. Evaluate customer structure
18.0

Complete

Data provided to Product for analysis.

Latest update https://gitlab.com/gitlab-org/gitlab/-/issues/526948#note_2457333150

Add API endpoint for Jira issue configuration (#454574 - closed)

type::feature

🟡

stage: refinement

backend: @bwill

  1. Add API endpoint for Jira issue configuration (#454574 - closed) • Brian Williams • 18.0
18.0

🟢 On Track

MR to add vulnerability fields is in review. Will require testing with multiple Jira issue workflows for vulnerabilities.

Latest update #454574 (comment 2470338724)

Security Dashboard Upgrade - New Charts and Fil... (&16517)

type::feature

🟢

stage: UX and Framework Consultation

frontend: @dpisek

dependency: group::security infrastructure

  1. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/51
  2. API definition to support filter/group discussions &17413 (comment 2445224944)
Q3

🟢 On Track

18.0 is a continued consultation milestone.

Engineering has provided proposed queries for Open Vulnerabilities over Time to aid in data and UX discussions.

Latest update &16517 (comment 2470710936)

Enhanced Bulk Actions for the Vulnerability Report (&13216 - closed)

type::feature

🟢

stage: implementation

frontend: @lorenzvanherwaarden

  1. Add related vulnerabilities container to issue ... (#519695 - closed)
  2. Add "Load more" pagination support for related ... (#535440 - closed)
  3. Verification and rollout
18.0

🟢 On Track

Feature is enabled on a test project. Includes a new Related Vulnerabilities component in the issue view. Rollout phase next week.

Latest update &13216 (comment 2452216578)

https://gitlab.com/gitlab-org/gitlab/-/issues/537067

type::feature

🟢

stage: implementation

backend: @uokeadu

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/537067

18.0

🟢 Complete

Latest update https://gitlab.com/gitlab-org/gitlab/-/issues/537067#note_2473790478

Priority Features - Rollout Phase

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Support dependency graph visuals (&16815 - closed)

🟢

stage: implementation

frontend: @sming-gitlab

backend: Infrastructure

dependency: group::security infrastructure

  1. Verification and Rollout
18.0

🟢 On Track

Several UI improvement issues are in progress.

Latest frontend update &16815 (comment 2450633719)

Time-based Vulnerability Retention Limits (&16629 - closed)

🟢

stage: rollout

frontend: @svedova

backend: Infrastructure

dependency: group::security infrastructure

  1. Follow-up from "Add functionality to export vul... (#528448 - closed) • Savas Vedova • 18.0
  2. Rollout support
18.0

🟢 On Track

Rollout phase

Latest frontend update &16629 (comment 2444515664)

Bugs / Secondary Features / Maintenance

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Vulnerability Widget incorrectly shows existing... (#468324 - closed)

type::bug

🟢

stage: bug analysis

backend: @bwill

  1. Determine fix
  2. Implement fix
18.0

🟢 On Track

In progress

Latest update #468324 (comment 2454913513)

Surface errors from AutoResolveService (#534435 - closed)

type::maintenance

🟢

stage: implementation

backend: @bwill

  1. Additional tracking
18.0

Complete

Latest update #534435 (comment 2467623542)

Add system note when a vulnerability is redetected (#523452 - closed)

type::feature

🟢

stage: implementation

backend: @bwill

  1. Implementation and release
18.0

Complete

Development complete. Feature flag removal is deployed.

Latest update #523452 (comment 2468405830)

Investigate "Something went wrong" raised by VR (#497193 - closed)

type::bug

🟡

stage: implementation

backend: @wandering_person

dependency: group::static analysis for verification

  1. Determine fix
  2. Determine UAT and rollout (#536007)
~18.2

Fix is determined and in a draft MR. Will require collaboration with Static Analysis for bulk testing. Scheduling is TBD.

Consider removing dependency list project limit (#521942 - closed)

type::feature

🔴

stage: planning

Not scheduled. Awaiting prioritization and capacity.

Team member focuses

Name | Focus | Areas | Capacity | Notes

@bwill

backend

  1. Vulnerability Widget incorrectly shows existing... (#468324 - closed)
  2. Add API endpoint for Jira issue configuration (#454574 - closed)
  3. Add system note when a vulnerability is redetected (#523452 - closed)
  4. https://gitlab.com/gitlab-org/gitlab/-/issues/526948
  5. Surface errors from AutoResolveService (#534435 - closed)
At Capacity

@charlieeekroon

backend

  1. Add `Reachable Library` to Vulnerability Report... (&16510 - closed) rollout support
  2. Migrate dependency list to GraphQL: Project-level (&17253 - closed)
At Capacity

@subashis

backend

  1. Dependency list - Filter by specific version in... (&16431 - closed)
At Capacity

@wandering_person

backend

  1. Add PDF export of security reports (&16989 - closed)
  2. Investigate "Something went wrong" raised by VR (#497193 - closed)
At Capacity

@uokeadu

backend

  1. Support high performing CWE-78 and CWE-89 in vu... (#534307 - closed)
  2. Enable database-driven availability for AI-assi... (#499978 - closed)
At Capacity

@dpisek

frontend

  1. Security Dashboard Upgrade - New Charts and Fil... (&16517)
  2. Migrate dependency list to GraphQL: Project-level (&17253 - closed)
75% At Capacity

@lorenzvanherwaarden

frontend

  1. Dependency list - Filter by specific version in... (&16431 - closed)
  2. Add related vulnerabilities container to issue ... (#519695 - closed)
75% At Capacity

@svedova

frontend

  1. Vulnerability Management utilizing ElasticSearch (&13510 - closed)
  2. Centralize vulnerability report query string sy... (&15948 - closed)
  3. Time-based Vulnerability Retention Limits (&16629 - closed) rollout support
At Capacity

@sming-gitlab

frontend

  1. Support dependency graph visuals (&16815 - closed)
  2. Verify validity of secret detection findings (&13988) guidance and refinement support
75% Some Capacity. Dependent on refinement support.

Secondary Projects and Issues

type::feature

Planned

  1. Consider removing dependency list project limit (#521942 - closed) • backend, frontend
  2. Duo VR - Missing vulnerability_description input (#526865 - closed) • Neil McCorrison, Michael Becker • 18.0 • On track • backend

Unplanned

  1. Disable identifier filter when group has more t... (#517915) • frontend. Lower priority than the Vulnerability Management utilizing ElasticSearch (&13510 - closed) issues scheduled above. May go into 18.1.

type::maintenance

  1. Surface errors from AutoResolveService (#534435 - closed) • Brian Williams • 18.0 • backend ~"Priority::E1"
  2. https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/68 ~"Priority::E2"

type::bug

Planned

  1. Vulnerability Widget incorrectly shows existing... (#468324 - closed) • Brian Williams • 18.2 • At risk ~"Priority::P3"
  2. Investigate "Something went wrong" raised by VR (#497193 - closed) • Michael Becker (@wandering_person) • Backlog • At risk

Unplanned

  1. Unable to filter group level vulnerability repo... (#471613 - closed) • Subashis Chakraborty • 18.1 • backend
  2. Align Group-Level Dependency List with Latest S... (#524647) • Unassigned • Backlog • backend workflow::blocked

New Items to Discuss

  1. Add Scanner to Report Type column header. Add t... (#526093 - closed) • frontend type::feature
  2. Refresh vulnerability_statistics following SAS... (#533973) • backend bug::functional

What's on the horizon?

18.0 Release Post Candidates

  1. Enhanced Bulk Actions - Linked vulnerabilities on the issue page
  2. SPDX export type
  3. Expanded CWEs for Vulnerability Resolution

Developer Advocacy

Features or maintenance items that the team would like to work on, where possible.

Prior items are now tracked in the internal slide deck.

Issue | Why | Type | BE/FE Scope | Advocates
Migrate dependency list to GraphQL: Project-level (&17253 - closed) | Removes tech-debt. Unblocks addition of project filters. | type::maintenance | both | @sming-gitlab @dpisek @lorenzvanherwaarden
https://gitlab.com/gitlab-com/security-risk-management-stage/-/issues/68 | Re-inventory of implementation and verification projects | | | @nmccorrison
Secure section terminology (#521394 - closed) | Maintain consistency in Secure terminology | type::maintenance | FE | @charlieeekroon
Replace remediation MR creation logic for LLM d... (#536007) | VR diff/patch logic has several identified bugs. We are advocating for a simplification and rewrite of the code. This requires a slow rollout with framework validation. | type::feature | BE | @wandering_person

Team OKRs

OKR List

Planning Boards


  • Set the Milestone (current Milestone)
  • Update the Milestone link for the Delivery Board
  • Set the Due Date for the end of the current Milestone