Dependency Scanning: CVS Trigger scans on Advisory DB changes
## Overview

CVS (Continuous Vulnerability Scans) for Dependency Scanning, focusing on surfacing new vulnerabilities as they are added to the Advisory DB.

### Problem to Solve

As a Security Engineer, I want to get visibility into vulnerabilities resulting from dependency scanning as quickly as possible, so that I can ensure my organization addresses critical vulnerabilities in a timely manner.

### Intended Users

* [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)

### User Experience Goal

For the MVC, CVS for Dependency Scanning will be enabled by default (16.4). Once enabled, new vulnerability information will appear whenever the [Advisory DB](https://advisories.gitlab.com/) changes, without the project having to be scanned again. This means users:

- will see new vulnerabilities appear in the [Vulnerability Report](https://docs.gitlab.com/ee/user/application_security/vulnerability_report/) whenever a component in the default branch of their project is identified as vulnerable. For stale projects that haven't had dependency scans run recently, new vulnerabilities will now appear (whereas previously the project would have had to be scanned again). In other cases, new vulnerabilities will appear because new threat data has been added to the [Advisory DB](https://advisories.gitlab.com/).
- can determine (in the Vulnerability Report) whether the vulnerability was identified when the scanner initially ran, or whether it appeared later, when the advisory database was updated with new information.
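The following is an added example, not GitLab's code, showing the behaviour the User Experience Goal above and the MVC "Must Have" items describe: after an advisory is ingested, every stored default-branch SBOM component is re-matched against the advisory's package name and affected version range, and each match becomes a finding whose origin is the advisory update rather than a scanner run, which is what lets the Vulnerability Report distinguish the two. The advisory range syntax (`>=1.0.0 <1.4.2 || >=2.0.0 <2.1.0`), the use of `Gem::Version` for version ordering, and all package names, advisory identifiers, projects and timestamps are assumptions constructed for the example.

```ruby
require 'rubygems'
require 'time'

# Added example, not GitLab's code. Models one advisory-triggered CVS run:
# re-match stored SBOM components against a newly ingested advisory and
# record the matches as findings sourced from the advisory update.
# Assumptions: range syntax is "||"-separated groups of space-separated
# constraints (OR across groups, AND within a group), and Gem::Version
# ordering is adequate for the ecosystems involved (true for dotted numeric
# versions; not every ecosystem's scheme fits it).

Advisory  = Struct.new(:id, :purl_type, :package, :affected_range, :ingested_at)
Component = Struct.new(:project, :purl_type, :name, :version, :scanned_at)
Finding   = Struct.new(:project, :advisory_id, :name, :version, :detected_at, :source)

OPERATORS = { '>=' => :>=, '<=' => :<=, '>' => :>, '<' => :<, '=' => :== }.freeze

# True when +version+ satisfies any "||"-separated group of +range+.
# Malformed versions or bounds never match: a miss that can be logged is
# better than an exception that aborts the whole advisory-triggered run.
def version_affected?(version, range)
  return false unless Gem::Version.correct?(version)

  v = Gem::Version.new(version)
  range.split('||').any? do |group|
    constraints = group.split
    next false if constraints.empty?

    constraints.all? do |constraint|
      op, bound = constraint.match(/\A(>=|<=|>|<|=)?(.+)\z/).captures
      Gem::Version.correct?(bound) &&
        v.public_send(OPERATORS[op || '='], Gem::Version.new(bound))
    end
  end
end

# Components (from each project's default-branch SBOM) the advisory applies to.
# Package type and name are checked before the version range, so a same-named
# package from a different ecosystem is never flagged.
def affected_components(advisory, components)
  components.select do |c|
    c.purl_type == advisory.purl_type &&
      c.name == advisory.package &&
      version_affected?(c.version, advisory.affected_range)
  end
end

# Findings to add to the Vulnerability Report for this advisory. A project whose
# latest scan already reported the advisory is skipped; every other match is
# recorded with source :advisory_update and detected_at = ingestion time, which
# is the "found by the scanner" vs "found later by CVS" distinction.
def new_findings(advisory, components, already_reported)
  affected_components(advisory, components)
    .reject { |c| already_reported.include?([c.project, advisory.id]) }
    .map { |c| Finding.new(c.project, advisory.id, c.name, c.version, advisory.ingested_at, :advisory_update) }
end

# --- constructed sample data: fictitious package, advisory id and projects ---
ADVISORY = Advisory.new('ADV-EXAMPLE-0001', 'npm', 'acme-parser',
                        '>=1.0.0 <1.4.2 || >=2.0.0 <2.1.0', Time.utc(2023, 9, 20))

COMPONENTS = [
  Component.new('group/api',    'npm',  'acme-parser', '1.3.0',  Time.utc(2023, 8, 1)),  # stale scan, affected
  Component.new('group/web',    'npm',  'acme-parser', '1.4.2',  Time.utc(2023, 9, 1)),  # first fixed version
  Component.new('group/docs',   'npm',  'acme-parser', '1.10.0', Time.utc(2023, 9, 2)),  # string compare would wrongly flag this
  Component.new('group/batch',  'npm',  'acme-parser', '2.0.5',  Time.utc(2023, 6, 15)), # stale scan, affected
  Component.new('group/cli',    'npm',  'acme-parser', '2.0.5',  Time.utc(2023, 9, 25)), # scanned after ingestion
  Component.new('group/cli',    'npm',  'acme-logger', '2.0.5',  Time.utc(2023, 9, 25)), # different package
  Component.new('group/legacy', 'pypi', 'acme-parser', '1.3.0',  Time.utc(2023, 7, 4)),  # different ecosystem
].freeze

# group/cli's scan ran after ingestion and already reported the advisory.
SCAN_FINDINGS = [
  Finding.new('group/cli', 'ADV-EXAMPLE-0001', 'acme-parser', '2.0.5', Time.utc(2023, 9, 25), :scan),
].freeze

# Everything the Vulnerability Report would now list for this advisory.
def cvs_run(advisory = ADVISORY, components = COMPONENTS, scan_findings = SCAN_FINDINGS)
  reported = scan_findings.map { |f| [f.project, f.advisory_id] }
  scan_findings + new_findings(advisory, components, reported)
end

if $PROGRAM_NAME == __FILE__
  cvs_run.each do |f|
    puts format('%-12s %-12s %-7s %-16s %s', f.project, f.name, f.version, f.source, f.detected_at.utc.iso8601)
  end
end
```

Two details worth noting: version ordering must be numeric per segment (the `1.10.0` component is not affected even though it sorts before `1.4.2` as a string), and the de-duplication key is the (project, advisory) pair, so a project whose post-ingestion pipeline already reported the advisory keeps its `:scan` finding instead of getting a second `:advisory_update` one.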
Additional features will further enable users to efficiently identify critical vulnerabilities that need to be remediated, including:

- [Enhanced Triage Experience for Dependencies and Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/10091 "Enhanced triage experience for dependencies and vulnerabilities") (particularly the ability to search for specific vulnerabilities) (Q1 2024)
- [Notification emails for newly added vulnerabilities](https://gitlab.com/gitlab-org/gitlab/-/issues/370054 "Notification emails for newly added vulnerabilities") (Q2 2024)

---

## MVC Scope

This epic focuses on delivering the Minimal Viable Change for Continuous Vulnerability Scans for Dependency Scanning. Further improvements will be addressed in https://gitlab.com/groups/gitlab-org/-/epics/10133+

### Must Have

- CVS is released as experimental and may be enabled by all Ultimate customers.
- When new advisory data appears in the Advisory DB pertaining to a component that is included in a user's default branch, that new vulnerability appears in the user's Vulnerability Report.
- All SBOM components whose name matches, and whose version falls within the affected version range of, the new advisories are matched (triggered after advisory ingestion): https://gitlab.com/groups/gitlab-org/-/epics/10025

### Not in Scope

- [Email or Slack notifications](https://gitlab.com/gitlab-org/gitlab/-/issues/370054 "Notification emails for newly added vulnerabilities") when new vulnerabilities are identified
- Ability to [search and identify every project that contains a newly discovered vulnerability](https://gitlab.com/groups/gitlab-org/-/epics/10091 "Enhanced triage experience for dependencies and vulnerabilities")
- Matching a pipeline's SBOM components against the Advisory DB (triggered after SBOM ingestion): https://gitlab.com/groups/gitlab-org/-/epics/8026 ([included in post-MVC epic](https://gitlab.com/groups/gitlab-org/-/epics/10133 "Continuous Vulnerability Scans for DS Post MVC Follow-up"))

---

## Engineering DRI

@fcatteau

## Feature Rollout

https://gitlab.com/gitlab-org/gitlab/-/issues/419550#specific-rollout-on-production

_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._