Automate handling of vulnerabilities with policy exceptions with required remediation SLAs (or Due dates)
# Release notes
# Problem to solve
Managing the noise around detected vulnerabilities can be a challenge for application security teams. Making sense of what to prioritize, and what must be fixed now versus what can be fixed later, is a daily challenge. As a result, customers often have a system for profiling risk in their company and defining rules around what to fix and when.
A common approach is to use SLAs based on factors such as severity. An example flow might be:
* Fix all criticals before merging/deploying an application
* Fix all high severity vulnerabilities within 30 days
* Fix all medium severity vulnerabilities within 60 days
This epic explores how to better satisfy workflows for managing SLAs for vulnerabilities with GitLab.
# Intended users
# User experience goal
Scan result policies that set an SLA based on severity do not surface those details in the Vulnerability report.
A vulnerability is ignored for 30 days based on the policy rules (e.g. ignore findings with severity High for 30 days). The next step would require security teams to create an issue and add a due date. If the finding is not resolved within 30 days, security policies would begin blocking the MR. None of this is visible today to teams triaging in the vulnerability report. When a finding is automatically ignored by a security policy, the code containing the vulnerability can be merged into the default branch. Instead, the finding could be set to Confirmed, and we could automate creation of an issue whose due date reflects the SLA from the policy.
Solution TBD
[Workflow Diagram 1](https://gitlab.com/groups/gitlab-org/-/uploads/b54c295c0aa952de1573aae13de92f72/previously-existing-workflow.png)
[Workflow Diagram 2](https://gitlab.com/groups/gitlab-org/-/uploads/f08347d9b6f1e7f4ee360dbfe3fc30b3/new-vuln-workflow.png)
# Proposal
Policies today allow you to set an SLA for vulnerabilities matching specific criteria. For example, if a Medium severity finding is detected, you can allow Medium severity vulnerabilities to be merged _without_ blocking for X days (e.g. 30 days). After 30 days, the policy will _begin_ to block MRs in that project, requiring the vulnerability to be resolved before merging.
In the scope of this epic, we should provide better integration with the vulnerability report and more refined "action" for handling exceptions with SLAs. This relates to https://gitlab.com/groups/gitlab-org/-/epics/16284 but is an iterative enhancement focused on SLA/Due dates of exceptions.
When a policy sets criteria such as `30 day SLA` for security findings that match `Medium` severity, today policies will ignore these findings and will not block merge requests. After 30 days pass, MRs in the project will be blocked if the vulnerability has not been addressed, requiring it to be remediated.
We should ensure policies make clear that the `Medium` finding is detected, has a rule setting a 30 day SLA, and requires an action, e.g. creating a tracking GitLab issue with a due date 30 days out. In the vulnerability report, we could mark the vulnerability as `Confirmed` and establish a link to the tracking issue.
We may reconsider the action in the MR, perhaps instead alerting Developer and AppSec teams when vulnerabilities have exceeded their SLA, allowing them to act on it as they see fit. We may also keep the option of defining the policy to block when vulnerabilities fall out of SLA.
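To make the workflow described in this epic concrete, here is an added Python model of the SLA evaluation it describes. This is illustration code written for this page, not GitLab's policy engine or any GitLab API: a severity maps to an SLA window, a due date is derived from the detection date, a tracking-issue payload is produced with that due date, and once the window has passed the finding either blocks the MR or only raises an alert, which models the two options discussed above. The SLA table, the finding IDs and dates, the issue payload shape and the `block_when_overdue` switch are all constructed assumptions.

```python
"""Illustrative model of SLA-based vulnerability exceptions (not GitLab code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed SLA table for this example: severity -> days a finding may stay
# unresolved before the policy starts blocking. 0 means "fix before merging".
SLA_DAYS = {"critical": 0, "high": 30, "medium": 60}


@dataclass
class Finding:
    finding_id: str
    severity: str
    detected_on: date
    resolved: bool = False


@dataclass
class Decision:
    finding_id: str
    due_date: date
    status: str                      # "resolved", "within_sla" or "overdue"
    block_mr: bool                   # policy should block merge requests now
    alert: bool                      # notify Developer/AppSec teams
    tracking_issue: Optional[dict]   # hypothetical payload for a tracking issue


def sla_window(severity: str, sla_days: dict = SLA_DAYS) -> int:
    """Days allowed for a severity; unknown severities are an error, not a free pass."""
    days = sla_days.get(severity.lower())
    if days is None:
        raise ValueError(f"no SLA defined for severity {severity!r}")
    return days


def due_date_for(finding: Finding, sla_days: dict = SLA_DAYS) -> date:
    """Due date = detection date + SLA window for the finding's severity."""
    return finding.detected_on + timedelta(days=sla_window(finding.severity, sla_days))


def evaluate(finding: Finding, today: date, sla_days: dict = SLA_DAYS,
             block_when_overdue: bool = True) -> Decision:
    """Apply the SLA rule to one finding as of `today`.

    block_when_overdue=True models the current behaviour (the policy starts
    blocking MRs once the window passes); False models the alternative where
    teams are alerted instead and decide how to act.
    """
    window = sla_window(finding.severity, sla_days)
    due = due_date_for(finding, sla_days)
    if finding.resolved:
        return Decision(finding.finding_id, due, "resolved", False, False, None)

    # A zero-day window (e.g. critical) is overdue the moment it is detected.
    overdue = window == 0 or today > due
    issue = {
        "title": f"Remediate {finding.severity} finding {finding.finding_id}",
        "due_date": due.isoformat(),
        "vulnerability_state": "confirmed",  # mark Confirmed and link the issue
    }
    return Decision(
        finding_id=finding.finding_id,
        due_date=due,
        status="overdue" if overdue else "within_sla",
        block_mr=overdue and block_when_overdue,
        alert=overdue,
        tracking_issue=issue,
    )


def evaluate_all(findings: List[Finding], today: date, **kwargs) -> List[Decision]:
    return [evaluate(f, today, **kwargs) for f in findings]


# Constructed sample findings and evaluation date.
AS_OF = date(2024, 6, 10)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2024, 6, 1)),               # must block immediately
    Finding("F-2", "high", date(2024, 5, 1)),                   # 30-day window, now overdue
    Finding("F-3", "medium", date(2024, 5, 1)),                 # 60-day window, still within SLA
    Finding("F-4", "high", date(2024, 4, 1), resolved=True),    # already remediated
]


def demo_decisions(block_when_overdue: bool = True) -> List[Decision]:
    return evaluate_all(SAMPLE_FINDINGS, AS_OF, block_when_overdue=block_when_overdue)


if __name__ == "__main__":
    for d in demo_decisions():
        print(d.finding_id, d.status, "due", d.due_date,
              "block" if d.block_mr else "allow",
              "(alert)" if d.alert else "")
```

Running the module prints one line per finding; the `block_when_overdue=False` path returns the same due dates and alerts but never sets `block_mr`, which is the alert-only alternative described above.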
### [:pear: FigJam](https://www.figma.com/board/Nx2drOUX5wRXilQSi32OaK/SLA-based-workflow-for-MR-approval-policies?node-id=0-1&p=f&t=mTqVnH6SdGNRScEr-0)
# Further details
# Permissions and Security
# Documentation
# Availability & Testing
# Available Tier
# Feature Usage Metrics
# What does success look like, and how can we measure that?
# What is the type of buyer?
# Is this a cross-stage feature?
# What is the competitive advantage or differentiation for this feature?
# Related Issues
* https://gitlab.com/gitlab-org/gitlab/-/issues/479163+
# Links / references