Support Reachability Filters on Vulnerability Report
## Release Notes

Description of feature to be used in the ~"release post item" ([docs](https://handbook.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-instructions))

## Problem to Solve

AppSec and Developers alike may want to search for CVEs based on exploitability and severity parameters. This will also support reporting click-throughs and policy management (like SLAs) in the future.

**User Story**

As application security, I want to be able to identify true positive, high risk vulnerabilities that are important to fix according to my security policies.

Reachable vulnerabilities are

* Support reachability filter on the vulnerability report (show me if a CVE is in a library that is reachable or not)
* Support filter on the project and group levels

Out of scope due to technical dependency

* Support reachability filter on the dependency list (show me if a library is reachable or not)

Design: https://gitlab.com/gitlab-org/gitlab/-/issues/480356/designs/design_1738225486116.png

![image.png](/uploads/069ac31357d0f3be26c125326db781ca/image.png){width="1149" height="741"}

## Dependencies

* Dependency of: ~"group::composition analysis" [Commit slide](https://docs.google.com/presentation/d/1ABoGLJkQZNs3Y92NELNrRvjsbo_PNEjGMyCRVz2sU2A/edit#slide=id.g3321f028e83_17_5252)
* Dependency on: ~"group::security infrastructure" Elasticsearch integration

## Self-managed Support

New filters leverage https://gitlab.com/groups/gitlab-org/-/epics/13510+. Elasticsearch is available across SaaS/gitlab.com and Dedicated. Self-managed instances have several considerations (technical and licensing). There is no timeline for self-managed support.

SSOT issue is https://gitlab.com/gitlab-org/gitlab/-/issues/525484+

## Functional Requirements

### Page Level Support

* [x] Project
* [x] Group
* [ ] Pipeline > Security (findings)
* [ ] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard

### Workflow

* [x] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires ~documentation

## Non-Functional Requirements

### Product Usage

* [ ] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))

### Feature Flag Usage

* [x] This feature should be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))

### Testing

* [ ] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [ ] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))

## In Scope

1. Add Reachability filter to vulnerability report

## Out of Scope

1. List of items agreed to be out of scope

## Outstanding Questions

<table>
  <tr>
    <th>Question</th>
    <th>Assignee</th>
    <th>Priority</th>
    <th>Blocking?</th>
  </tr>
  <tr>
    <th></th>
    <th></th>
    <th></th>
    <td></td>
  </tr>
  <tr>
    <th></th>
    <th></th>
    <th></th>
    <td></td>
  </tr>
</table>

## Resources

1. [Epic Board](Milestone) showing issues across workflow stages.
2. Documentation links
3. Prior work/projects

## Implementation Plan

<table>
  <tr>
    <th>Type</th>
    <th>Description</th>
    <th>Issue</th>
    <th>BE/FE</th>
    <th>Dependency</th>
    <th>Milestone</th>
  </tr>
  <tr>
    <td>Elasticsearch</td>
    <td>Syncing of the vulnerability reachability to the ES index</td>
    <td>
      https://gitlab.com/gitlab-org/gitlab/-/issues/543490+
      https://gitlab.com/gitlab-org/gitlab/-/issues/543491+
      https://gitlab.com/gitlab-org/gitlab/-/issues/543492+
      https://gitlab.com/gitlab-org/gitlab/-/issues/543493+
      https://gitlab.com/gitlab-org/gitlab/-/issues/543494+
    </td>
    <td>~"group::security infrastructure"</td>
    <td></td>
    <td>%"18.1"</td>
  </tr>
  <tr>
    <td>Backend Rails</td>
    <td>Vulnerability query builder &amp; Vulnerability ES Finder</td>
    <td>
      https://gitlab.com/gitlab-org/gitlab/-/issues/543495+
      https://gitlab.com/gitlab-org/gitlab/-/issues/543496+
    </td>
    <td>~"group::composition analysis" ~backend</td>
    <td>ES index</td>
    <td></td>
  </tr>
  <tr>
    <td>GraphQL</td>
    <td>Reachability field</td>
    <td>
      https://gitlab.com/gitlab-org/gitlab/-/issues/537150+
    </td>
    <td>~"group::composition analysis" ~backend</td>
    <td>Elasticsearch</td>
    <td></td>
  </tr>
  <tr>
    <td>UI</td>
    <td>Reachability filter</td>
    <td>
      https://gitlab.com/gitlab-org/gitlab/-/issues/543346+
    </td>
    <td>~"group::security insights" ~frontend</td>
    <td>GraphQL</td>
    <td></td>
  </tr>
</table>