Description

Security features, like SAST and DAST, create reports where vulnerabilities found in projects are listed. This information is sent to GitLab, and shown in security reports and security dashboards.

We want to track how the resolution process for those vulnerabilities is going. We need metrics to understand how long a vulnerability takes to be solved, so we can provide a mean-time to fix.

We need to have first-class vulnerabilities linked to reports but also able to handle vulnerabilities reported manually by security researchers.

This new first-class element will be the main entity to leverage in security dashboards.

We need to figure out if we want to use custom fields (&235) and create dedicated issue types for vulnerabilities (https://gitlab.com/gitlab-org/gitlab-ee/issues/8767). Then we need to define how the user flow is, and how they interact with regular issues and vulnerabilities from the reports.

Customers:

• https://gitlab.my.salesforce.com/0016100000NmTuq

Theme

• Seamlessly integrate vulnerabilities into GitLab's workflow

Objectives

• Stage alignment on an approach for making vulnerabilities first-class objects.
• Create a data model that can evolve with our future needs.
• Identify JTBD, primary tasks, core user flows, and journeys.
• Create requirements for MVC
• Create validated deliverables for MVC
• Implement MVC

Value delivered

• Users will be able to interact and resolve vulnerabilities while following the GitLab development workflow
• Users will be able to see a historical record of vulnerabilities and resolution actions.
• Users will be able to track and measure their team and organization's progress as it relates to security.
• GitLab will be able to streamline development processes currently blocked by not having first-class objects.
• Vulnerability management will move to Minimal from planned.