Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 3 Apr 2020
GitLab / Protect Stage / 3 Apr 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Current state of the First Class Security Dashboards

Description

# FCV dashboards
## Project security dashboard
This is the most complete dashboard and a lot of what we built here can be re-used on the others.

### Already have
- List
- Filters
- Counts
- Unconfigured state

### Might have
- File path on the vulnerability list
- Filtering for the counts (there’s no backend for this yet)
---
## Group Security Dashboard
This one isn’t too far behind the project dashboard, but does have a few missing features that exist on the current group security dashboard. Most of these are known and were never planned to be part of the MVC

### Already have
- List

### Will have
- Filters
- Unconfigured State

### Might have
- A project filter
- Project path on the vulnerability list

### Won’t have
- Vulnerabilities over time
- Project security status
---
## Instance security dashboard
This is the furthest behind. We don’t currently have all the GraphQL endpoints we need for this, but can still develop the frontend in parallel so we’re ready for them when they do ship.

### Already have

### Will have
- List
- Filters (excluding the project filter)
- Unconfigured state

### Might have
- A project filter
- Project path on the vulnerability list

### Won’t have
- Vulnerabilities over time
- Project security status
---
## General / Vulnerability list
Just a few things that pertain to all the dashboards as they’re features on the vulnerability list.

### Don’t need?
- Pipeline status on the project dashboard

### Won’t have
- Inline linked issues on the vulnerability list (we ran out of time)
- Inline Dismissal comments on the vulnerability list

### Can’t have
- Multiple select dismissals (because we can’t dismiss from the lists any more)

A

Okay, so I just wanted to go over where we're at with the migrate in the first class vulnerabilities to the dashboards I'm gonna go over what we've got currently, what we're likely to be able to add what we're less likely to be able to add on what we definitely can't add before the end of twelve ten. So this branch that one now I've just took all of the close to being merged em ours and just pulled them all into one branch.

A

So this isn't master right now, but it'll be master in a few hours is the idea. So we have. This is a project security dashboard. We have the probability counts at the top. We have the filters. We have the vulnerability list. This run ability list. Sorry called all of the the dirt. Here is first-class vulnerabilities and it's only using graph QL and if we scroll up on ability list, you see, we've got the infamous crawling thing going on there.

A

No I only have this many vulnerabilities, but if I had more, that would just keep going and going and going until we're took at the end of the list. So filtering again all done through crack ul and we can filter out, confirmed, confirmed undetected.

A

You see this is maybe an initial bit of delay with these posts as soon as we've done it once that's, that's cash done, and it's it's nice and quick from there on, which is it's really nice and we can filter by it's a very II and report type as well. We don't actually have any dust abilities when I come to this game that all works basically the same as it does now. The stairs is the only new filter. Really the hide dismiss toggle is missing because dismissed is now a stairs.

A

So if you want to hide dismissed and you just select everything booked booked dismissed, you know we did. This dais is different. Sort of the high dismissed taco would make any sense anymore. You might as well. These aren't currently filtered based on these these fellas here. That is simply because the back end doesn't support filling on the counts. Just yet it's fairly trivial to add to the front end once once that's available. Well, I'll get to them things later.

A

Yes, this dashboard, it's exactly the same as the the project. Dashboard is currently, we've got all the responsive, stuff and everything and it just works and then clicking through these. Take you to the actual standalone from the ability itself there's taking a while to look. You can trust me on our ok, so we also have show you can just remove that from URL the oh, maybe I can.

A

Let's not guess about URL this Noah get there.

A

Are groups of course right? So this is the current state of the group security dashboard. We just have the list at the wall now the list behaves in exactly the same way as it does on the project. Security dashboards is the same list. It allows that infinite scroll in and everything and it's ready to receive the fillers. We just hadn't I lead the folders to this. Yet again, I'll go over the things that missing a little later, but this is the group dashboard and then the instant dashboard.

A

We don't currently have the instance dashboard just yet, but sir is working on that. Right now and again, it's a relatively straightforward addition, because we using exactly the same thing as the group dashboard, just a slightly different, graphically or graphic ql query.

A

Ok, so here's a list I have made of everything we have don't have etc. So I've kind of split things into things that you already have things that we will have for definite things that we might have so more like you know. If we get chance, we will have them, but they look like they may slip things.

A

We won't have sort of things that either we decided I'm part of the MVC or will slip and things that we can't have so that's things that just don't make sense for first class upon release so the project security dashboard. This is the most complete and everything we're building here. So this is took the most time because we're building everything from scratch, but the idea being that everything that we've built for the project dashboard can be reused or at least used as a sort of template for the other two dashboards.

A

So we already have the list.

A

We have filters all that list, you have counts and we have an configured state, which is the only thing I've not actually shown you, but all that is is if you've not actually configured the security report to be a project. Then we have that stay in there to say you know: you've, not you've, not configured them got our documentation to learn how to configure them. We have that on the current dashboards. We have that here as well.

A

We we might have so these are two things that are currently missing a file path. On the phone ability list, so if I go to the git lab, I, actually probably shouldn't do that, because I'm going to make this video public. But if I went to the security dashboard for.

A

One of the security dashboards at Lords vulnerability findings, so the current one. This is actually a file path here that says where that vulnerability is. We don't have that currently on the first customer abilities dashboard, and that is because of this issue here- to add it into the actual there we don't have the dare. We can't show the dare so that's Anna might have so the back and delivers in time. We might be able to add it if not and we're gonna have to push it out far into the count again exactly the same issue.

A

I. Would you spoke about this slightly there's? No, we can't actually filter on the.

A

Photo that counts on the on the back end. So does it me trying to do it in a graphical Explorer, and you can see this there's no.

A

There's no filtering for the for the severity count with his only fields, so really easy to add exactly the same as it would be for the the list. We just can't do it because the back end is not there yet so again might have it's the back end ships, probably at it. If not, you know we're a bit stuck that the group security dashboard.

A

It's not too far behind the project. Dashboard, there's. Obviously a few missing features that the project dashboard has that the group one doesn't there's. Also a few missing features that current group dashboard has that the.

A

The first class group security dashboard doesn't have either because currently the the group dashboard, as you can see, has already have such and it's just a list, but it will have fillers fill. Is a super easy to add to these lists. I mean kind of you saw it here. We just need to pass them to this query. I mean this. Is the severity scan query, but these actually exist on the group one. So we can filter the group vulnerabilities.

A

That's not too hard software that in will have a none configured state, that's something that we know is fairly yet on and I've I've added to the project dashboard. You just need to exact the same thing for the group dashboard.

A

So then we'll have because they're, relatively simple changes might have again project path, that on the vulnerability list, I'm skipping over this one. For now, that's exactly the same issue as the file path on the front of the list. As far as I'm aware I, don't know. If we have this from the back end, I'll have to look into that, but I put it in might have just just to be safe project filter. So on the the group dashboard I'm sure me to call the project dashboard, so I can show you the filters again.

A

So we have the filters on the group. Dashboard will be stairs severity, report, type and project a problem being the current the the list of projects. We need to get need to be a list of projects that have first class vulnerabilities.

A

We don't actually have an endpoint for that. We have an endpoint for a list of projects that have the probability, findings, I, believe I'm, not exactly sure what that endpoint is. We can't kind of use. It will be slightly wrong.

A

Well, that's all we have for now, so we might be able to work with that, but currently we can't filter by that I'm. Not actually sure. Let me just quickly check now. If I call the group one, can we actually.

A

Know.

A

The wrong thing: that's why yeah we can filter by project ID, that's fine! So we do have the backend filtering for it. We just need it. It's not filtering by the project. That's the issue. It's getting the list of projects that we can filter by. That's the issue currently, so that's it might have.

A

Won't have the noble use all the time and project security stairs I, don't want to load up that the live groups- QE dashboard, because you know it's: it's got security data on there that I, probably shouldn't be sharing publicly, but this there's two widgets there's one here and there's one here: the vulnerably history charts and the project severity stairs. We don't have the data for them for first class vulnerabilities, so we can add these in, but these were never part of the NBC anywhere I just wanted to point that out in some security dashboard.

A

Now this is the ones the furthest behind, because we would not actually start it yet. But, as I said earlier, the Bosch is working on that right now and it's just basically a copy of the group's GUI dashboard. It's just a slightly different end point, so that should be a relatively quick change to get through so already have nothing so I should working on up in the list and then again the same thing as I said for the group dashboard filters, excluding the project, filler and unconfigured stay they'll be relatively simple to add.

A

We just copy and what we do in the project, dashboard and chances are by the time we get around to doing this. These would be a lot easier to add in because the the things already be merged into the master branch.

A

Okay,.

A

Things we might have again it's exactly the same as the group dashboard the project path on the phone ability list. So you know this this little bit here should say on the instance and the group dashboard. What project that one release valve? We don't have that currently I'm, not sure if we have the data, so we might not be able to put it in on project folder. This is this is slightly different for the instance dashboard.

A

The project felt for the group dash board needs to fetch a list of all the wonderful projects in the group which is potentially a problem. The instance dashboard is slightly different because you can, you can go in. In fact, I can show you the instance dashboard on here, because this is all totally dummy do this is the the old instance dashboard, and these these were the two widgets I was talking about earlier, but yeah this huh okay, so I've just noticed a bug on the current innocent security. Dashboard, that's fun!

A

This list of projects is a list of all the secure.

A

Projects with vulnerabilities inevitability shouldn't, be it should be. Oh, no, that's not a book I've. Just it's just coincidence that are the same, so ignore what I've just said there on the instant security dashboard. You can click Edit dashboard up here and you can choose which projects are on your dashboard. So this list of projects is actually this list that you generate here.

A

So we have that endpoint there we don't need to change the endpoint so that I put it in might have, but we're more likely to be able to add it to the instance, security dashboard than the group security dashboard, because that date is actually there and won't have exactly the same two as the group security dashboard. That's gonna believes all the time and project security status and that's for exactly the same reasons. We don't have the dare we will never plan and run including them for the MVC just wanted to highlight it.

A

So that's the the dashboards there's a couple of general things that we've noticed.

A

I'm going to skip over this one, but you can't see this on any of these. Let me just very quickly create an issue. They're called back here. In fact, I'll skip to the end.

A

I'll do this in reverse order, so we we can't have multiple select dismissals. This is a little annoying, because this is a feature that I added only in the last release. It's gonna have to disappear straightaway, which is super annoying, and that's this this checkbox thing here. You know you can select all 500 Billie's at once or select just a couple and you can give them a dismissal reason.

A

So if I say these are all false positives and we just do these two and then I can I can dismiss them and then ugly I've dismissed it wonderful ease. The reason that we can't do this is because, on the c9.

A

Go back to here.

A

Yes, so the reason we can't select- multiple dismissal sorry dismiss multiple vulnerabilities is because we can't dismiss single vulnerabilities. We don't the decision was made not to add the click actions to these. So you can't, because you can't dismiss any one of these. Also can't dismiss multiple ones of these. If that makes sense.

A

Yeah, so this is gonna have to go. We can maybe on it back in later put us something we need to think about two things we won't have, because we've just simply run out of time. The one I don't think we really tracked him very well, but when you create an issue from a ver ability, we don't show it in the list. That's just we haven't had time to implement it.

A

Fortunately, and then same with this dismissal comment, you see you get the little icons and the link here, we're probably not gonna have time to like them and something we don't need. Question mark I can't really sure you want.

A

Okay, I'll just I'll talk about it and you can. You can look at the dashboard yourself, but up here on the on the project, dashboard there's like list pipeline run, so we run pipeline two three, four, five, six, seven, here's the merge request: here's the whatever it was I. Remember now we're not showing that currently we totally could add it in, but probably don't need to, because the old pipe project security dashboard was based on the latest pipeline.

A

Where is the new security dashboard? It is that relationship. Isn't there anymore? That's it doesn't make any sense. So we probably don't want that pipeline thing there, because it wouldn't make too much sense. I if we decide to add it back in and we can absolutely fine I'm just saying we probably don't want it.

A

So here's this is where there's still a bit of work to do, but the majority of it is replicas in what we already have on the project, dashboard and you're, bringing that over to the group and the instance dashboards. So I've spoke to sir and we're pretty confident that everything that I've put in will house. We can do everything, that's in might have. We may be able to do, but don't want to promise that and then obviously, if we, you know, do much, do everything and we'll have an might have.

A

Then we can move on realistically.

A

We definitely want up time for them, so yeah I'll share this list somewhere, I, don't know where yet but I'll figure and that you know and then probably link this video there. If there's any questions, if it's today, I will happily answer them today, being Friday the 3rd of April, but I am I, am our office for a week, which is, which is why I'm doing this now, but Syrah should be able to to help with with some of the questions.