Threat Insight Priorities, 16.0-16.11

1. You are here:
2. Threat Insight Priorities, 16.0-16.11

• Purpose
• Goals
• Completed Work
  • Feature
  • Maintenance & Technical Debt
  • Problem & Solution Validations
• Priorities
  • Planned and in progress
  • Technical debt and deprecations
• Page Updates
• Learn More

Purpose

This page is for high-level prioritization of the threat insights team for 16.0-16.11. It primarily includes feature/product items and is not a comprehensive list of everything that will be worked such as bugs, implementation issues, documentation, or technical debt. It is not intended as a replacement or alternative for our issue boards. It is meant as an easily consumable single view of the main in-progress and upcoming work items for the Threat Insights group. It also allows mixing Epics and Issues in a single list. The tables come from the threat_insights.yml file. This list is not a guarantee of timing or order of delivery. Rather, use this as a guide to see the tops items we are working on and will be in the near future. The list purposefully does not extend out beyond a year to minimize a false sense of priority.

Goals

1. Leadership can see a project, sub-group, group or instance level view of their vulnerabilities AND their dependencies at each level.
2. Teams can quickly triage their vulnerabilities and dependencies with filters, searching and grouping within the vulnerability and dependency report. When possible, repetitive triage tasks are automated.
3. Developers trust that new vulnerabilities on their branch are accurate.

Completed Work

Feature

• ✅ 2024-03-21 - Use database for project dependency list, note:[Feature flag] Rollout of project_level_sbom_occurrences is scheduled for 17.0.
• ✅ 2023-12-21 - [Experiment] - Vulnerability Resolution
• ✅ 2023-11-07 Restructure vulnerability report's Tool filter
• ✅ 2023-11-01 MVC Support for CVSS
• ✅ 2023-11-01 Security MR widget shows all findings as new when default branch has missing security reports (including when the CI is configured to make multiple pipelines)
• ✅ 2023-09-26 Granular Security Permissions, note: Remove admin_vulnerability from developers will be completed as a breaking change in 17.0 and is listed as a priority in the Planned and in progress table below.
• ✅ 2023-09-26 Vulnerability Bulk Status Updates
• ✅ 2023-09-26 Finding Dismissal Types / Reasons
• ✅ 2023-09-06 Group/Sub-Group Level Dependency List - MVC
• ✅ 2023-08-19 [Beta] Explain this Vulnerability
• ✅ 2023-05-19 Use merge base for security MR widget
• ✅ 2023-05-12 [Experiment] Explain this Vulnerability
• ✅ 2023-04-19 Vulnerability Dismissal Types / Reasons

Maintenance & Technical Debt

• ✅ 2024-03-21 Allow security reports to be read for pipelines with a Blocked/Incomplete state
• ✅ 2023-08-19 Create reusable findings modal
• ✅ 2023-07-13 [MR Widget] V2
• ✅ 2023-07-06 Pipeline Security Tab GraphQL migration: add missing fields to the vulnerability-details component
• ✅ 2023-07-05 Pipeline Security Tab GraphQL migration: implement modal actions
• ✅ 2023-07-04 MR Security widget performance improvements
• ✅ 2023-06-02 Clean up vulnerability reports and address tech debt
• ✅ 2023-05-16 Deprecate and remove Vulnerabilities::Feedback
• ✅ 2023-02-13 Refactor the vulnerability filters to make the query string as the SSOT

Problem & Solution Validations

• ✅ 2023-07-07 Further understand the job of prioritizing security scan results and assessing their risk

Priorities

Planned and in progress

Priority	Name	Team	Target release
1	Vulnerability report grouping	Navy	Complete for projects, grouping for group with happen in 17.x
2	Post-MVC Group/Sub-group level Dependency List	Tangerine	Moved to 17.x
3	Additional Activity filters for Vulnerability Reports	Navy	Moved to 17.x
4	Enhanced filtering and search on the Vulnerability Report	Navy	Moved to 17.x
5	Dependency list grouping	Tangerine	Moved to 17.x
6	Dependency list filtering and searching	Tangerine	Partially complete, moved to 17.x
7	Auto-resolve vulnerabilities when not found in subsequent scans	TBD	Moved to 17.x
8	Auto-dismiss irrelevant vulnerabilities	TBD	Moved to 17.x
9	Add support for the Vulnerability Report and Dependency List at the Organization Level	TBD	Moved to 17.x
10	Remove admin_vulnerability from developers	Tangerine	17.0, available in 16.6 but behind a feature flag.

Technical debt and deprecations

Priority	Name	Team	Target release
1	Pipeline Security Listing Migration and Enhancements	Navy	16.9
2	Use security_findings for security MR widget report comparison	TBD	16.8
3	Follow-up after deprecate the use of Vulnerabilities::Feedback	Tangerine	TBD
4	Deprecate and remove project_fingerprint	Tangerine	TBD
5	Change 1:N to 1:1 relation between Vulnerability and Vulnerabilities::Finding	Tangerine	TBD
6	Use rubygem to release security report schemas	Tangerine	TBD
7	MR Security widget - migrate to GraphQL	Navy	TBD
8	Deprecate and remove vulnerability REST APIs	Navy	TBD
9	Security report schema MODEL bump to 16-0-0	Tangerine	TBD
10	Improve on and add vulnerability/finding GraphQL endpoints to allow frontend to write better code for existing features	Navy	TBD
11	Remove work-around for data integrity on issue_feedback, issue_links	Tangerine	TBD
12	Security Training - Follow up and lower priority items	Navy	TBD
13	Reusable findings modal - Post MVC	TBD	TBD
14	Migrate Vulnerability::Read create / update logic from postgresql to Rails	Tangerine	TBD
15	Update and clean-up for dependencies API and exporter	Tangerine	TBD

Page Updates

Stage	Govern
Content Last Reviewed	2024-04-01
Content Last Updated	2024-04-01

Learn More

Threat Insights is a group in the Govern stage. There are two categories in the group and details on the direction can be viewed on the following category pages:

1. Vulnerability Management
2. Dependency Management