Threat Insight Priorities, 17.0-17.11

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.

Purpose
Goals
Completed Work
Priorities
Page Updates
Learn More

Purpose

This page is for high-level prioritization of the threat insights team for 17.0-17.11. It primarily includes feature/product items and is not a comprehensive list of everything that will be worked on such as bugs, implementation issues, documentation, or technical debt. It is not intended as a replacement or alternative for our issue boards. It is meant as an easily consumable single view of the main in-progress and upcoming work items for the Threat Insights group. It also allows mixing Epics and Issues in a single list. The tables come from the threat_insights.yml file. This list is not a guarantee of timing or order of delivery. Rather, use this as a guide to see the top items we are working on and will be in the near future. The list purposefully does not extend out beyond a year to minimize a false sense of priority.

Goals

Leadership has a single, comprehensive view of the application's security posture and risk exposure. They can quickly answer their questions in GitLab's Vulnerability Report, Dependency List and Security Dashboards.
Teams can track vulnerabilities across multiple branches and releases and understand declared vs. transitive dependencies.
Developers are notified when new vulnerabilities arise and know how to get started mitigating vulnerabilities before involving security teams.

Completed Work

Feature Work

2024-06-18: GA Vulnerability Explanation
2024-06-05: Implement Filtered Search Component on the Vulnerability Report
2024-10-17: Filter by Component on the Dependency List
2024-10-17: Pipeline Security Listing Migration and Enhancements

Maintenance & Technical Debt

2024-08-19: Group Level Vulnerability Report Performance
2024-08-07: Group Level Dependency List Performance
2024-04-22: Remove admin_vulnerability from developers
2024-04-22: [Feature flag] Rollout of project_level_sbom_occurrences
2024-10-17: Cells 1.0
2024-10-17: Delete vulnerability_occurrence_pipelines table

Priorities

AI

Priority	Name	Target release
1	GA Vulnerability Resolution	`17.6`

Projects

Vulnerability Management

Priority	Name	Target release
1	Filter by Identifier on the project Vulnerability Report	`17.6`
2	Vulnerability report grouping on the group Vulnerability Report	`17.6`
3	Auto-resolve vulnerabilities when not found in subsequent scans	`17.7`
4	Auto-dismiss irrelevant vulnerabilities	`TBD`
5	Add vulnerabilities as supported webhook events	`TBD`
6	Add support for the Vulnerability Report at the Organization Level	`TBD`
7	Security Dashboard Enhancements	`TBD`
8	Track Vulnerabilities in locations other than default branch	`TBD`
9	Add essential risk-based information to Vulnerability Management	`TBD`

Dependency Management

Priority	Name	Target release
1	Severity Filter	`TBD`
2	Group by License	`TBD`
3	Group by Project	`TBD`
4	Group by Component	`TBD`
5	Vulnerability Enhancements to the Dependency List	`TBD`
6	License Enhancements to the Dependency List	`TBD`
7	Include latest version for each component	`TBD`
8	Add support for the Dependency List at the Organization Level	`TBD`
9	Filter by node depth on the dependency list	`TBD`

Technical debt and deprecations

Priority	Name	Target release
1	Use security_findings for security MR widget report comparison	`TBD`
2	Follow-up after deprecate the use of Vulnerabilities::Feedback	`TBD`
3	Deprecate and remove project_fingerprint	`TBD`
4	Change 1:N to 1:1 relation between Vulnerability and Vulnerabilities::Finding	`TBD`
5	Use rubygem to release security report schemas	`TBD`
6	MR Security widget - migrate to GraphQL	`TBD`
7	Deprecate and remove vulnerability REST APIs	`TBD`
8	Security report schema MODEL bump to 16-0-0	`TBD`
9	Improve on and add vulnerability/finding GraphQL endpoints to allow frontend to write better code for existing features	`TBD`
10	Remove work-around for data integrity on issue_feedback, issue_links	`TBD`
11	Security Training - Follow up and lower priority items	`TBD`
12	Reusable findings modal - Post MVC	`TBD`
13	Migrate `Vulnerability::Read` create / update logic from postgresql to Rails	`TBD`
14	Update and clean-up for dependencies API and exporter	`TBD`

Performance and Optimization

Priority	Name	Target release
1	Secure/Govern Database Decomposition	`17.8`
2	Application limits	`17.6`
3	Vulnerability retention policy	`TBD`
4	Elasticsearch for Vulnerability Management	`TBD`

Page Updates


Stage	Govern
Content Last Reviewed	`2024-08-30`
Content Last Updated	`2024-08-30`

Learn More

Threat Insights is a group in the Govern stage. There are two categories in the group and details on the direction can be viewed on the following category pages: