Instrumentation for Vulnerability Severity Change

Why are we doing this work

From https://gitlab.com/gitlab-data/product-analytics/-/issues/2588 Instrumentation is needed to track manually changing vulnerability Status and Severity

Documentation

• https://docs.gitlab.com/user/application_security/vulnerability_report/#change-or-override-vulnerability-severity

Relevant links

Non-functional requirements

• Documentation:
• Feature flag:
• Performance:
• Testing:

Implementation plan

Note: Each event should include the vulnerability_id to allow for referential tracking.

• backend Implement a service Vulnerabilities::ChangesTrackingService to generalise change tracking for vulnerabilities.

• backend analytics instrumentation Track state changes by handling the vulnerability_change event labeled vulnerability_change_severity in Vulnerabilities::BulkSeverityOverrideService, utilising Vulnerabilities::ChangesTrackingService.

Example implementation: Tracks the merge request created from vulnerabi... (!170152 - merged) • Subashis Chakraborty • 17.6

Verification steps

• Verify the presence of the vulnerability_changed event with the label vulnerability_change_severity in Tableau.