Support OWASP 2025 Top 10 as a Group-By in the Vuln Report and Identifier Filter
## Executive Summary
A new OWASP standard has been released. Customers will expect to align their vulnerabilities against this standard for reporting, compliance, and prioritization in the same manner they could with 2017 and 2021. This is critical because the market clearly expects us to support the latest standards.
## Business Case
* This is a required KTLO/maintenance item to ensure we continue to provide basic parity with all security vendors.
## Scope
### In scope
1. Support OWASP 2025 as an identifier
2. Support for OWASP 2025 'group bys'
3. Support for filtering on OWASP 2025 identifiers (mapping CWEs to specific items in the OWASP 2025 Top 10 list, with the same naming convention used in the product now - _OWASP Identifier Ax:2025 - \[name of rule\]_)
4. Support at both project and group level
5. Instrumentation for the group by and filter selection (this might not exist for the standard from prior years but we want to instrument everything now)
### Out of scope
* Group-bys and identifier filters do not need to be created in places where they don't exist yet.
## Designs
n/a
## Dependencies
* n/a
## Functional Requirements
### Page Level Support
* [x] Project
* [x] Group
* [ ] Pipeline \> Security (findings)
* [ ] MR Security Widget (findings)
* [ ] Security Center
* [ ] Security Dashboard
### Workflow
* [ ] Requires an additional filter on the Vulnerability Report ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
* [ ] Requires an addition to the Vulnerability Report export ([docs](https://docs.gitlab.com/user/application_security/vulnerability_report/#exporting))
* [ ] Requires an additional filter on the Dependency List ([docs](https://docs.gitlab.com/user/application_security/dependency_list/))
* [ ] Requires an addition to the Dependency List export ([docs](https://docs.gitlab.com/user/application_security/dependency_list/#export))
* [x] Requires ~documentation
## Non-Functional Requirements
### Product Usage
* [x] Requires new instrumentation ([docs](https://docs.gitlab.com/development/internal_analytics/internal_event_instrumentation/quick_start/))
### Feature Flag Usage
* [x] This feature should be released behind a feature flag? ([docs](https://handbook.gitlab.com/handbook/product-development/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags))
### Testing
* [x] Requires new E2E test coverage ([docs](https://docs.gitlab.com/development/testing_guide/end_to_end/))
* [ ] Requires extended manual / UAT phase
* [ ] Performance testing needed ([testing](https://docs.gitlab.com/ci/testing/load_performance_testing/))
## Outstanding Questions
| Question | Answer | Assignee | Priority | Blocking? |
|----------|--------|----------|----------|-----------|
| | | | | |
## Resources
1. [Epic Board](Milestone) showing issues across workflow stages.
2. Documentation links
3. Prior work/projects