Filters for Security Attributes on the Vuln Report
## Release Notes
Description of feature to be used in the ~"release post item" ([docs](https://handbook.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-instructions))
## Business Case
1. Customers require organization-wide visibility that can be segmented by relevant assets such as application, business unit, or development team. The business impact of this is described in https://gitlab.com/groups/gitlab-org/-/epics/17784#note_2948502054
## Problem to Solve
1. There is no way to filter to a complete list of vulnerabilities and dependencies for a business-logical entity.
2. It may be difficult for users to 'attest' that a release of an app is secure when the app spans multiple projects.
3. There is also no way to support click-throughs from the dashboard when business context filters are applied.
## In Scope
1. Business context filtering on group-level vulnerability report
2. URL support for bookmarking a dashboard with business context applied
## Out of Scope
1. Organization-level business context filtering, i.e. a 'global' vulnerability view and dependency view. This may be required, as not all instances may have a single top-level group to filter against. This would be done elsewhere.
2. This would _not_ work across groups, i.e. it would work only for groups and projects under the group you're in.
## Designs

## Dependencies
* Dependency of: ~"group::security platform management" https://gitlab.com/groups/gitlab-org/-/epics/18010+
## Functional Requirements
As AppSec, I want to see a complete list of vulnerabilities and dependencies for a business-logical entity, like an application or teams under a certain VP.
### Page Level Support
* [ ] Project Vulnerability Report
* [x] Group Vulnerability Report
* [ ] Project Dependency List
* [ ] Group Dependency List
* [ ] Pipeline \> Security (findings)
* [ ] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard
### Workflow
* [ ] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/))
* [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export))
* [x] Requires ~documentation
## Non-Functional Requirements
### Product Usage
* [ ] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
### Feature Flag Usage
* [x] This feature should be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))
### Testing
* [ ] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [x] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))
## Outstanding Questions
<table>
<tr>
<th>Question</th>
<th>Assignee</th>
<th>Priority</th>
<th>Blocking?</th>
</tr>
<tr>
<td>
**How do we visualize the selection of business context?**
</td>
<td>
`@beckalippert?`
</td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>Will business context be identifiable with simply an ID? Can we use that to pass to the Group level GraphQL query to filter?</td>
<td></td>
<td>High</td>
<td>Yes</td>
</tr>
<tr>
<td>How do we do URL support for click throughs? Simply part of the query string?</td>
<td></td>
<td>Medium</td>
<td>Yes</td>
</tr>
<tr>
<td>Is organization-level business context filtering out of scope for this epic?</td>
<td></td>
<td>Low</td>
<td>No</td>
</tr>
</table>
## Resources
1. [Epic Board](Milestone) showing issues across workflow stages.
2. Documentation links
3. Prior work/projects
## Planning Breakdown / Implementation Plan
epic