Manual Vulnerability Severity Overrides
### Problem to solve

In certain cases users want to change the default severity levels of vulnerabilities. For instance, the severity as set by one of the Secure scanners may be lower than the organization thinks is appropriate because of their particular environment or setup. In this case, they would want to set the severity higher so that it gets proper attention during triage and remediation.

### Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Proposal

Allow a user to manually override the severity on the vulnerability report and the vulnerability details page. Record the changes in the vulnerability details page history and as an audit event. Reflect the updated severity everywhere severity is displayed within GitLab (for MVC/phase 1, this is the vulnerability report and the vulnerability details page).

### Design

https://gitlab.com/gitlab-org/gitlab/-/issues/508722/

### Scope

#### Phase One

* Severity can be manually adjusted to one of the GitLab [vulnerability severity levels](https://docs.gitlab.com/ee/user/application_security/vulnerabilities/severities.html):
  * Critical
  * High
  * Medium
  * Low
  * Info
  * Unknown
* While manually overriding a severity from the vulnerability report, the user can select one, many, or all vulnerabilities displayed on one page (up to 100)
* A visual indication on the vulnerability report designates that a vulnerability's severity has been overridden
* A manual severity adjustment is not overwritten by subsequent scanner runs for this same occurrence/vulnerability
* Severity can be adjusted multiple times. Every change is recorded in the vulnerability details history.
* An audit event is recorded for all adjustments, noting what the severity was changed from and to and the user who made the change

#### Phase Two

https://gitlab.com/groups/gitlab-org/-/epics/15839+

* **Once automated overrides have been built, manual overrides will take precedence over automated ones.** For example, if a vulnerability's Medium severity is changed to `Low` by a severity override policy, an individual could later update the severity again to `High`; in this case `High` becomes the severity because the override was performed manually.

### Permissions and Security

* Only the [Maintainer+](https://docs.gitlab.com/ee/user/permissions.html#application-security) role can adjust severity
* The [custom permission](https://docs.gitlab.com/ee/user/custom_roles/abilities.html#vulnerability-management) [`admin_vulnerability`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121534) may also adjust severity

<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
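As an added illustration (not part of this epic and not GitLab's own code), the following Python model captures the rules this epic sets out: a manual override survives later scanner runs, wins over an automated policy override, is recorded in the history and as an audit event, and may only be set by a Maintainer+ role or a user holding the `admin_vulnerability` custom permission. The role ranking, record layout and event name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low", "info", "unknown")
# Assumption: numeric ranks so that Maintainer and Owner count as "Maintainer+".
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}


class PermissionDenied(Exception):
    pass


@dataclass
class Vulnerability:
    scanner_severity: str                    # latest value reported by the scanner
    policy_severity: Optional[str] = None    # automated override (phase two)
    manual_severity: Optional[str] = None    # manual override (phase one)
    history: list = field(default_factory=list)       # vulnerability details history
    audit_events: list = field(default_factory=list)  # assumed audit log shape

    def effective_severity(self) -> str:
        # Precedence: manual override > automated policy override > scanner value.
        return self.manual_severity or self.policy_severity or self.scanner_severity

    def _record(self, source: str, old: str, new: str, user: Optional[str]) -> None:
        self.history.append({"source": source, "from": old, "to": new, "user": user})

    def apply_scanner_run(self, severity: str) -> None:
        # A new scan updates the scanner value but never clears a manual override.
        old = self.effective_severity()
        self.scanner_severity = severity
        self._record("scanner", old, self.effective_severity(), None)

    def apply_policy_override(self, severity: str) -> None:
        old = self.effective_severity()
        self.policy_severity = severity
        self._record("policy", old, self.effective_severity(), None)

    def set_manual_severity(self, severity: str, user: str, role: str,
                            custom_permissions: tuple = ()) -> None:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity}")
        allowed = (ROLE_RANK.get(role, 0) >= ROLE_RANK["maintainer"]
                   or "admin_vulnerability" in custom_permissions)
        if not allowed:
            raise PermissionDenied(f"{user} may not adjust severity")
        old = self.effective_severity()
        self.manual_severity = severity
        self._record("manual", old, severity, user)
        self.audit_events.append({"event": "vulnerability_severity_override",
                                  "from": old, "to": severity, "author": user})
```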