Security Insights 18.2 Planning Issue

Priority Features and Maintenance

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Support dependency graph visuals (&16815 - closed)

🟢

frontend: @lorenzvanherwaarden

dependency of: group::security infrastructure

commit slide

  1. [FE] Switch to GraphQL for Dependency Paths and... (#548936 - closed)
18.2

🟡 Frontend work is complete. Awaiting release go-ahead.

Add PDF export of Security Reports

type::feature

🟢

stage: implementation

backend: @wandering_person

frontend: @sming-gitlab

dependency: no

commit slide

  1. Project level "Vulnerabilities Over Time" module (#524056 - closed)
  2. Group level "Vulnerabilities Over Time" module (#524057 - closed)
  3. Group level "Project Security Status" module (#538851 - closed)
  4. [FE] Implement SVG export for "vulnerabilities ... (#546165 - closed)
18.2

🟢 COMPLETE release post item

Security Dashboard Upgrade - New Charts and Fil... (&16517)

type::feature

🟢

stage: implementation

frontend: @dpisek @lorenzvanherwaarden

backend: @charlieeekroon @subashis

dependency: group::security infrastructure

commit slide

  1. Security Dashboard - Chart 2 Multi Project Scop... (&17413 - closed)
  2. Security Dashboard Backend – GraphQL Support, F... (&17874 - closed)
  3. Security Dashboard - Chart 2 Project-Scope: Ope... (&17076 - closed)
Q3 / 18.5

🟢 On Track. Continues to 18.5.

Support Reachability Filters on Vulnerability R... (&17251 - closed)

type::feature

🟢

stage: implementation

frontend: @svedova

dependency of: group::composition analysis

commit slide

  1. [frontend] UI for Reachability filter on the Vu... (#543346 - closed)
18.2

🟢 On Track for .com release in 18.2

MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed)

🟢

stage: implementation

backend: @bwill

frontend: @svedova

dependency of: group::static analysis

commit slide

  1. Prepare GLAS diff-based scan data for rails fro... (#543637 - closed)
  2. Persist GLAS diff-based scan in rails backend (#543636 - closed)
  3. Display GLAS diff-based scan in MR security widget (#543638 - closed)
  4. Display GLAS diff-based scan in pipeline securi... (#543639 - closed)
18.3

🟡 Needs attention. Scope change affecting backend and frontend may cause this to go into 18.4.

Priority Features - Rollout Phase

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Database migration to correct vulnerabilities incorrectly transitioned by auto-resolve 

🟢

backend: @subashis @bwill

Support CR stage 18.1

🟢 COMPLETE

Migrate dependency list to GraphQL: Project-level (&17253 - closed)

type::maintenance

🟢

backend: @charlieeekroon

frontend: @dpisek

Rollout on internal test projects 18.0

🟢 COMPLETE for now. On hold until testing can be prioritized.

Bugs / Secondary Features / Maintenance

Areas of focus | Committed | DRI | Delivery Scope for current milestone | Completion Milestone | Status (mid-milestone checkpoint)

Vulnerability Widget incorrectly shows existing... (#468324 - closed)

type::bug, severity::3

🟢

stage: bug analysis

backend: @bwill

  1. Bug fix
18.1

🟢 COMPLETE

Investigate and find the reason why vulnerabili... (#549381)

type::bug, severity::3

🟢

stage: bug fix

backend: @subashis

18.2

🟡 Deprioritized due to capacity limitations.

Vulnerability severity is sometimes not updated... (#548960 - closed)

type::bug, severity::2

🟢

stage: bug fix

backend: @bwill

  1. Bug fix

🟢 COMPLETE

Error during SBoM ingestion: Validation failed:... (#543113 - closed)

type::bug, severity::2

🟢

stage: bug fix

backend: @subashis

  1. Bug fix
18.2

🟡 Priority for 18.3.

https://gitlab.com/gitlab-org/gitlab/-/issues/546418

type::bug, severity::3

🟢

stage: implementation

frontend: @dpisek

18.2

🟢 COMPLETE

Group Security Dashboard - Project security sta... (#545479 - closed)

type::bug, severity::3

🟢

stage: implementation

backend: @uokeadu

  1. Bug fix
18.2

🟡 workflow::in review

Implement EPSS / KEV / CVSS Filters (&18012)

type::feature

backend: @subashis

frontend: 18.3

stage: knowledge transfer on ES integration / POC implementation

  1. [BE] [Post-MVC] Add support for filtering by KEV (#511287)
18.4

🟡 Focus shifted to Secret Validity filtering in 18.3.

Manual vulnerability severity overrides - Hando... (#524406 - closed)

knowledge-sharing

🟡 material

stage: knowledge transfer

backend: @uokeadu

frontend: @svedova

dependency: group::security platform management

18.2

🟢 COMPLETE

Remaining scope tracked in new epic Post-MVC: Manual Vulnerability Severity Overrides (&18344)

Estimation Projects

Areas of focus | DRI | Completion Milestone | Status (mid-milestone checkpoint)
Estimation Issue: Implement EPSS / KEV / CVSS F... (#547746 - closed) | backend: @subashis | 18.4 |
Add Reachable to Vulnerability Report CSV Export (#517840) | backend: TBD | Q3 / TBD |
Estimation: Filter Data to Releasing Branches (#547798) | backend: TBD | Q4 / TBD |
Full list of estimation issues powered by GLQL
display: table
fields: title, assignees 
query: label = "group::security insights" AND label = "estimation:needed"

Team member focuses

Name | Focus Areas | Capacity | Notes

@bwill

backend

  1. MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed)
  2. Vulnerability severity is sometimes not updated... (#548960 - closed)
75% At capacity

@charlieeekroon

backend

  1. Security Dashboard Upgrade - New Charts and Fil... (&16517)
100% At capacity

@subashis

backend

  1. Database migration to correct vulnerabilities i... (#523433 - closed) - CR support
  2. Security Dashboard Upgrade - New Charts and Fil... (&16517) - start backend engagement
  3. GSoC mentoring
  4. Implement EPSS / KEV / CVSS Filters (&18012) - refinement / POC
At capacity

@wandering_person

backend

  1. Add PDF export of security reports (&16989 - closed)
  2. Fix `VulerabilityType.identifiers` field when ... (#541995 - closed)
75% At capacity

@uokeadu

backend

  1. Group Security Dashboard - Project security sta... (#545479 - closed)
  2. Add instrumentation tracking of PDF Report usag... (#547599)
  3. Instrumentation for Vulnerability Status Change (#549832)
  4. https://gitlab.com/gitlab-org/gitlab/-/issues/537459 - 18.1
  5. Manual vulnerability severity overrides - Hando... (#524406 - closed)
  6. Finalize migrations - probably 18.3
100% Full capacity

@dpisek

frontend

  1. Security Dashboard Upgrade - New Charts and Fil... (&16517)
  2. https://gitlab.com/gitlab-org/gitlab/-/issues/546418
100% At capacity

@lorenzvanherwaarden

frontend

  1. [FE] Switch to GraphQL for Dependency Paths and... (#548936 - closed)
  2. Security Dashboard Upgrade - New Charts and Fil... (&16517) - start frontend engagement
75% At capacity

@svedova

frontend

  1. [frontend] UI for Reachability filter on the Vu... (#543346 - closed)
  2. Remove OWASP 2021 values from `VulnerabilityOwa... (#539250 - closed)
  3. Manual vulnerability severity overrides - Hando... (#524406 - closed)
  4. Use design tokens instead of hardcoding values (#549102 - closed) • Savas Vedova • 18.2
  5. Make banner dismissable (#547829 - closed) • Savas Vedova • 18.2
  6. Handle textarea resize when searched text is hi... (#524289) • Savas Vedova • Backlog
  7. Add close button (#549067 - closed) • Savas Vedova • 18.2
  8. MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed) - 18.3 delivery
At capacity

@sming-gitlab

frontend

  1. Add PDF export of security reports (&16989 - closed)
  2. Verify validity of secret detection findings (&13988) - guidance and refinement support
60% At capacity

Secondary Projects and Issues

type::feature

Planned / Planning

  1. Use graphql search for project names for attach... (#521600 - closed) 🟢 complete
  2. Add Scanner to Report Type column header. Add t... (#526093 - closed) - workflow::refinement

Unplanned

  1. Claude 4.5 Sonnet Vulnerability Resolution Roll... (#545698) - dependency on group::static analysis for CWE testing

type::maintenance

Unplanned

  1. Migrate dependency filtering to GraphQL: Group-... (&17254)
  2. [Feature flag] Cleanup version_filtering_on_pro... (#548592 - closed) • Subashis Chakraborty • 18.2
  3. [Feature flag] Cleanup version_filtering_on_gro... (#548593 - closed) • Subashis Chakraborty • 18.2

type::bug

Planned / Planning

  1. https://gitlab.com/gitlab-org/gitlab/-/issues/550123 - severity::2
  2. https://gitlab.com/gitlab-org/gitlab/-/issues/550347 - severity::2

Unplanned

  1. Inconsistent badges on dismissed vulnerabilities (#549715) - severity::2
  2. Refresh vulnerability_statistics following SAS... (#533973) - group assignment / capacity
Full bug list powered by GLQL
display: table
fields: title, labels("Severity::*"), healthStatus, assignees 
query: label = "group::security insights" AND label = "type::bug" AND milestone = "18.2"

New Items to Discuss

What's on the horizon?

18.2 Release Post Candidates

  1. Add PDF export of security reports (&16989 - closed)

Developer Advocacy

Features or maintenance items that the team would like to work on, where possible.

Prior items are now tracked in the internal slide deck.

Issue | Why | Type | BE/FE Scope | Advocates
Migrate dependency filtering to GraphQL: Group-... (&17254) | Group level support now that Project level is complete. Removes tech-debt. Unblocks addition of project filters. | type::maintenance | both | @sming-gitlab @dpisek @lorenzvanherwaarden
Verification projects inventory | Re-inventory of implementation and verification projects | | | @nmccorrison
Secure section terminology (#521394 - closed) | Maintain consistency in Secure terminology | type::maintenance | FE | @charlieeekroon

Resources

  1. Roadmap slide
  2. Roadmap sheet
  3. Estimations board
  4. Bugs by type | Bugs by severity
  5. Milestone board