Threat Insight Priorities, 16.0-16.11

1. You are here:
2. Threat Insight Priorities, 16.0-16.11

• Purpose
• Goals
• Completed Work
  • Feature
  • Maintenance & Technical Debt
  • Problem & Solution Validations
• Priorities
  • Planned and in progress
  • Technical debt and deprecations
• Page Updates
• Learn More

Purpose

This page is for high-level prioritization of the threat insights team for 16.0-16.11. It primarily includes feature/product items and is not a comprehensive list of everything that will be worked such as bugs, implementation issues, documentation, or technical debt. It is not intended as a replacement or alternative for our issue boards. It is meant as an easily consumable single view of the main in-progress and upcoming work items for the Threat Insights group. It also allows mixing Epics and Issues in a single list. The tables come from the threat_insights.yml file. This list is not a guarantee of timing or order of delivery. Rather, use this as a guide to see the tops items we are working on and will be in the near future. The list purposefully does not extend out beyond a year to minimize a false sense of priority.

Goals

1. Leadership can see a project, sub-group, group or instance level view of their vulnerabilities AND their dependencies at each level.
2. Teams can quickly triage their vulnerabilities and dependencies with filters, searching and grouping within the vulnerability and dependency report. When possible, repetitive triage tasks are automated.
3. Developers trust that new vulnerabilities on their branch are accurate.

Completed Work

Feature

• ✅ 2023-09-06 Group/Sub-Group Level Dependency List - MVC
• ✅ 2023-08-19 [Beta] Explain this Vulnerability
• ✅ 2023-05-19 Use merge base for security MR widget
• ✅ 2023-05-12 [Experiment] Explain this Vulnerability
• ✅ 2023-04-19 Vulnerability Dismissal Types / Reasons

Maintenance & Technical Debt

• ✅ 2023-08-19 Create reusable findings modal
• ✅ 2023-07-13 [MR Widget] V2
• ✅ 2023-07-06 Pipeline Security Tab GraphQL migration: add missing fields to the vulnerability-details component
• ✅ 2023-07-05 Pipeline Security Tab GraphQL migration: implement modal actions
• ✅ 2023-07-04 MR Security widget performance improvements
• ✅ 2023-06-02 Clean up vulnerability reports and address tech debt
• ✅ 2023-05-16 Deprecate and remove Vulnerabilities::Feedback
• ✅ 2023-02-13 Refactor the vulnerability filters to make the query string as the SSOT

Problem & Solution Validations

• ✅ 2023-07-07 Further understand the job of prioritizing security scan results and assessing their risk

Priorities

Planned and in progress

Priority	Name	Team	Target release
1	[General Availability] - Explain this Vulnerability	Navy	16.5
2	[Experiment] - Resolve this Vulnerability	Navy	16.5
3	Vulnerability Bulk Status Updates	Navy	16.3
4	Use database for project dependency list	Tangerine	16.5
5	Post-MVC Group/Sub-group level Dependency List	Tangerine	16.5
6	Restructure vulnerability report's Tool filter	Navy	16.5
7	Granular Security Permissions	Tangerine	17.0
8	Finding Dismissal Types / Reasons	Navy	16.4
9	Additional Activity filters for Vulnerability Reports	Navy	16.5
10	Vulnerability report grouping	Navy	16.5
11	MVC support for CVSS	Tangerine	16.5
12	Security MR widget shows all findings as new when default branch has missing security reports (including when the CI is configured to make multiple pipelines)	Tangerine	16.5
13	Enhanced filtering and search on the Vulnerability Report	Navy	16.7
14	Dependency list grouping	Tangerine	16.7
15	Dependency list filtering and searching	Tangerine	16.7
16	Add support for the Vulnerability Report and Dependency List at the Organization Level	TBD	16.10
17	Auto-dismiss irrelevant vulnerabilities	TBD	16.11

Technical debt and deprecations

Priority	Name	Team	Target release
1	Follow-up after deprecate the use of Vulnerabilities::Feedback	Tangerine	TBD
2	Migrate Pipeline Security Tab to GraphQL	Tangerine	TBD
3	Deprecate and remove project_fingerprint	Tangerine	TBD
4	Merge Vulnerabilities with Vulnerabilities::Finding	Tangerine	TBD
5	Use rubygem to release security report schemas	Tangerine	TBD
6	MR Security widget - migrate to GraphQL	Navy	TBD
7	Deprecate and remove vulnerability REST APIs	Navy	TBD
8	Security report schema MODEL bump to 16-0-0	Tangerine	TBD
9	Improve on and add vulnerability/finding GraphQL endpoints to allow frontend to write better code for existing features	Navy	TBD
10	Remove work-around for data integrity on issue_feedback, issue_links	Tangerine	TBD
11	Security Training - Follow up and lower priority items	Navy	TBD
12	Reusable findings modal - Post MVC	TBD	TBD
13	Migrate Vulnerability::Read create / update logic from postgresql to Rails	Tangerine	TBD

Page Updates

Stage	Govern
Content Last Reviewed	2023-08-16
Content Last Updated	2023-08-16

Learn More

Threat Insights is a group in the Govern stage. There are two categories in the group and details on the direction can be viewed on the following category pages:

1. Vulnerability Management
2. Dependency Management