From YouTube: Standalone Vulnerability MVC - Demo
Description
Demo portion of the Defend team's weekly discussion and demo of the Standalone Vulnerability MVC progress (https://gitlab.com/gitlab-org/gitlab/issues/13561)
A: Okay, a prerequisite to this demo, it's not particularly interesting, but I will show you anyway. So this is the standalone vulnerability page, mark one. I would say it's nothing special. It just pulls in the title, the description and some bits and pieces from the deer; we're getting some of it from the vulnerability itself and some of it from the finding that created that vulnerability.

A: My next step is to create the separate list so that you can see all of them, rather than having to guess the ID, which is not a fun game. But here's where we are. This is step number one; we're actually starting to see something in the product that we can look at and start to play with. So, just to keep you all updated on where we are with that.

A: From findings: the description has come from the finding. The location, sorry, the image and the namespace come in from the location on the finding. Links are coming from the finding. Identifiers are coming from the... The shortlist, really, is the things that are coming from the vulnerability, and that's the title, severity, confidence and report type. Everything else is coming from the finding, which at the moment is... there's only one finding, but it's technically just the first finding in this case.

A: Yeah, so for a formal date, description, title: what were the other two attributes, right? No, description's not on the vulnerability. Description's on the title. Sorry, description's on the finding. So from vulnerability, I'll go a little slower, so if someone's typing it, I'm sorry: we get the state, we get when the vulnerability was created.

A: Kind of, so, well, I'm saying we're getting it off the finding; we're getting that finding off the vulnerability, so technically we're getting it off the vulnerability as well. But yeah, I mean, getting it from the finding was kind of the workaround. We decided before to quickly add that information to the vulnerability API just by including that finding as well.

C: Okay, I would say some of this is based on the design decision that we would have one vulnerability linked to multiple findings, which could have different data for those points that we're pulling from the finding. So, you know, for that decision, it doesn't necessarily make sense to have all of that data on the vulnerability, since it could be different for the different findings, if that makes sense.

B: Sorry, I'm gonna be annoying towards PM and you: this is debt that's gonna have to be paid down before we get the multiple findings per one vulnerability, so this adds some weight to it. I don't know that... I think it's... I would argue that it's a correct decision to get to a fast MVC or a fast v1, but this will add some... this will add work, and so I want to make sure that you all hear that.

C: I guess then, I mean, I might not even... and feel free to shoot it down, but like right now we have... they have a vulnerability, and since there's only one finding, it doesn't make sense to have, like, a separate page to show that finding. When we do have that, you know, there will be a link on the vulnerability to view each of the different findings somehow, and at that point I think that's a matter of just, like, not showing that stuff.

E: What I mean, I think that's one solution to solve a problem, one-to-many, where there's many similar things that were detected and we're creating vulnerabilities, right. There's also another opportunity that we could do, which is creating a group of vulnerabilities that are similar, that need to be dealt with in a similar way. Much like one-to-many findings, just a grouping of vulnerabilities, almost as if it was like an epic.

F: I have a really ignorant question as well. If we were to go down that route of creating pages per finding, is there a concern that, especially with some of the scanners throwing up lots of false positives, that those are the things that are going to be dismissed or deleted, that we're just going to be generating a lot of, I guess, pages that would quickly be deleted or, if not deleted, that we're just gonna have for this large contingent of things that are taking up space? But we don't really...

E: Yeah, I think findings are really just when they need to be interacted with. They're basically not in master yet, so they're newly introduced, whereas the vulnerability, that's something that's been there, has been run on the pipeline, is now in master and is something that needs to be dealt with. So that's where a page and a listing makes sense for the vulnerability, because they can remediate, they can track, they can log, they can download the reports and all that stuff, and do all the heavy lifting for that.

E: The finding itself is just a way for us to populate this vulnerability list with data that then can be housed in a database with our vulnerability. So to me, if the user never knows what a finding is, that's fine, right? That's kind of the path we went down anyways, but they're probably never going to see the word finding.

A: I knew it was, to be honest. Okay, okay. And state switching, I guess, I mean, Daniel's working on that, so I can't really say, but I think what we've got now is maybe enough to get started. I don't know, Daniel, but I'll say my next step is to create the list of vulnerabilities, which I've got already. So right now, no, I'm not blocked.

C: I think that would be a great meeting to have, and probably record it, because I don't think you're the only person that has that question. And I also... I'd be happy to be on that call, but I don't think I should be the only one on that call, I mean.

B: Risk of overloading that conversation, since we've had that... not kicking on anybody, but we've had a conversation multiple times about what's a vulnerability and what's a finding, and it's something that keeps coming up. The output of that should be a video and/or documentation explaining the difference, just to go ahead and get in front of it. Yeah.

B: Alright, let's close this down. So thank you already for your time and attention. We have something visible, that's exciting, it's very exciting! So let's keep making this thing happen, and if you need anything, please shout out in Slack, in the dedicated channel for this particular subject, and please be noisy early. That way we can try to get some momentum going here. So thank you. We'll talk soon.