Threat Insight Priorities, 17.0-17.11

The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.

Purpose
Goals
Completed Work
Priorities
- Planned and in progress
  - Vulnerability Management
  - Dependency Management
- Technical debt and deprecations
Page Updates
Learn More

Purpose

This page is for high-level prioritization of the threat insights team for 17.0-17.11. It primarily includes feature/product items and is not a comprehensive list of everything that will be worked such as bugs, implementation issues, documentation, or technical debt. It is not intended as a replacement or alternative for our issue boards. It is meant as an easily consumable single view of the main in-progress and upcoming work items for the Threat Insights group. It also allows mixing Epics and Issues in a single list. The tables come from the threat_insights.yml file. This list is not a guarantee of timing or order of delivery. Rather, use this as a guide to see the tops items we are working on and will be in the near future. The list purposefully does not extend out beyond a year to minimize a false sense of priority.

Goals

Leadership has a single, comprehensive view of the application's security posture and risk exposure. They can quickly answer their questions in GitLab's Vulnerability Report, Dependency List and Security Dashboards.
Teams can track vulnerabilities across multiple branches and releases and understand declared vs. transitive dependencies.
Developers are notified when new vulnerabilities arise and know how to get started mitigating vulnerabilities before involving security teams.

Completed Work

Maintenance & Technical Debt

2024-04-22: Remove admin_vulnerability from developers
2024-04-22: [Feature flag] Rollout of project_level_sbom_occurrences

Priorities

Planned and in progress

Vulnerability Management

Priority	Name	Team	Target release
1	Implement Filtered Search Component on the Vulnerability Report	`Navy`	`17.0`
2	Filter by Identifier on the Vulnerability Report	`Navy`	`17.1`
3	Vulnerability report grouping on the group Vulnerability Report	`Navy`	`17.1`
4	Auto-resolve vulnerabilities when not found in subsequent scans	`TBD`	`TBD`
5	Auto-dismiss irrelevant vulnerabilities	`TBD`	`TBD`
6	Beta - Vulnerability Resolution	`TBD`	`TBD`
7	Move Vulnerability Explanation to GitLab Duo Chat	`TBD`	`TBD`
8	Add support for the Vulnerabilty Report at the Organization Level	`TBD`	`TBD`
9	Security Dashboard Enhancements	`TBD`	`TBD`
10	Track Vulnerabilities in locations other than default branch	`TBD`	`TBD`
11	Add essential risk-based information to Vulnerability Management	`TBD`	`TBD`
12	Add vulnerabilities as supported webhook events	`TBD`	`TBD`

Dependency Management

Priority	Name	Team	Target release
1	Component Filter	`Tangerine`	`17.1`
2	Packager Filter	`Tangerine`	`17.2`
3	Severity Filter	`Tangerine`	`17.3`
4	Group by License	`Tangerine`	`17.4`
5	Group by Project	`Tangerine`	`17.5`
6	Group by Component	`Tangerine`	`17.6`
7	Vulnerability Enhancements to the Dependency List	`TBD`	`TBD`
8	License Enhancements to the Dependency List	`TBD`	`TBD`
9	Include latest version for each component	`TBD`	`TBD`
10	Add support for the Dependency List at the Organization Level	`TBD`	`TBD`
11	Filter by node depth on the dependency list	`TBD`	`TBD`

Technical debt and deprecations

Priority	Name	Team	Target release
1	Group Level Vulnerability Report Performance	`TBD`	`17.1`
2	Group Level Dependency List Performance	`TBD`	`17.1`
3	Database Optimisation Efforts & Features With Significant Database Risk	`TBD`	`TBD`
4	Separate Very Large Group namespace query optimization from standard feature implementation	`TBD`	`TBD`
5	Pipeline Security Listing Migration and Enhancements	`Navy`	`TBD`
6	Use security_findings for security MR widget report comparison	`TBD`	`TBD`
7	Follow-up after deprecate the use of Vulnerabilities::Feedback	`Tangerine`	`TBD`
8	Deprecate and remove project_fingerprint	`Tangerine`	`TBD`
9	Change 1:N to 1:1 relation between Vulnerability and Vulnerabilities::Finding	`Tangerine`	`TBD`
10	Use rubygem to release security report schemas	`Tangerine`	`TBD`
11	MR Security widget - migrate to GraphQL	`Navy`	`TBD`
12	Deprecate and remove vulnerability REST APIs	`Navy`	`TBD`
13	Security report schema MODEL bump to 16-0-0	`Tangerine`	`TBD`
14	Improve on and add vulnerability/finding GraphQL endpoints to allow frontend to write better code for existing features	`Navy`	`TBD`
15	Remove work-around for data integrity on issue_feedback, issue_links	`Tangerine`	`TBD`
16	Security Training - Follow up and lower priority items	`Navy`	`TBD`
17	Reusable findings modal - Post MVC	`TBD`	`TBD`
18	Migrate `Vulnerability::Read` create / update logic from postgresql to Rails	`Tangerine`	`TBD`
19	Update and clean-up for dependencies API and exporter	`Tangerine`	`TBD`

Page Updates


Stage	Govern
Content Last Reviewed	`2024-04-03`
Content Last Updated	`2024-04-23`

Learn More

Threat Insights is a group in the Govern stage. There are two categories in the group and details on the direction can be viewed on the following category pages: