Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Threat Management Department / 16 Mar 2021
GitLab / Threat Management Department / 16 Mar 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure:Threat Insights Group Discussion 2021-03-16

Description

https://about.gitlab.com/handbook/product/categories/#threat-insights-group

A

uh I cannot hear you lindsay with me.

B

Okay, everyone hi. I pause this while we.

B

Wait it's on.

C

I was joking. I wanted to capture your remark about not working during ptl on video.

D

Welcome to the threat inside the group conversation.

B

I never said that it wasn't recorded.

B

um Should we get on with the agenda and if math comes yeah right so um follow up from previous discussions? I added something there. Oh it's my good how convenient!

B

um So if I remember correctly, we now have uh an epic for this and just as a refresher, this came up because we were trying to add a comment to the state changes and then we found out that we couldn't add uh comments to all the state changes. Just um just uh some of the transitions um supported it.

B

So now, there's an epic to fix the tech debt on that. But andy had some comments in there so I'll. Let him verbalize.

E

Yeah, I'm not sure if this I don't want to derail the work that started, but it kind of it also kind of changed after matt said that there has to be some auditability to this work right, um but we were exploring new designs that would decouple the commenting from the status change so almost like how we do it in issues today, where you see activity, you know ads. Labels removes labels all this stuff and then comments intermixed between that so kind of free form.

E

Commenting is somewhere where we want to go with vulnerabilities and we might not need to necessarily tie those to the direct action of so and so change. State comment below um we really kind of. I guess like backed into that as a way to it's a forcing function for users to comment on the status they are changing without having the ui component of that comment: field accessible on the vulnerability details page so that was kind of like the history of that component. So um the audibility thing makes this tougher all right. So.

B

We we did look into notable. um I made that suggestion and jonathan and shibashi's were on the call, so either one can give a brief overview of why we didn't do the notable.

D

uh Because it was free form- and we didn't realize that that was the ideal situation for the front end, um because we wanted to our thought was that we would you know couple the state change with the comments um directly.

B

Well, we have, we haven't done any extra work yet and- and we had already done the the comment using the feedback record anyway, so that work was already done, so we could still, we could still revisit the epic if we think uh it's worth it. It just means that whatever's already been done. The comment field for the for the transition that they're supported, which I think is the dismissed.

A

Dismissed yeah only dismissed.

B

um That would need to be migrated to to something else, but um yeah right now we're on the path of leaving state changes, coupled with a comment.

E

Okay, I wonder if it would be helpful to identify the solution to this problem specifically around what customers expectations are in terms of the auditability of vulnerabilities and what information they want to see right. Is it that the dismissal reason alone, like dismiss false positive, that feature that we'll be working on? um Is that enough, or is like an articulated comment from a human as to why this was dismissed?

E

What people are after and how do they want that information presented too? Is there an expectation that these comments go into the csv download? Is there an expectation that they can see this in the vulnerability table right?

E

So maybe there's some problem, validation that would help steer the direction of these uh like larger, back end changes.

B

If, if we can validate, if we have more certain, it's probably better, these things are complicated as it is yeah uh and right now we have a nice path to clean up um the the problem. With the feedback model, um we can always refactor it to to split the comments back into notable. If that's what we decide to do, I I don't know what what do what's chuba, shuba, shibashi's and jonathan.

B

Think in your opinion, there.

A

I I think the the whole discussion was came from correct me. If I'm wrong jonathan came from like it's um there, there were other issues as well like from the feedback and vulnerability models, things and what we can do to we. We can make it one model, that's the uh can get rid of the feedback model that will get. We will. The ripple effect effect will be. We will get rid of other problems that can see what we were discussing in the videos as well, so we were taking this.

A

This is as an opportunity to work through this and it will solve both problems and also the I just want to add on the audit issues. The audit issues itself is like what we proposed in the videos or like in the epic. It's pretty easy, like it's a small model which will only track where it's coming from that's part is not. I think the bigger issue in the epic is like whether we are getting rid of feedback model or not and creating the vulnerability itself.

A

Yeah. I don't know I'm I'm am I answering the correct thing or not. Yeah.

B

No, I mean.

D

You.

B

Are it's all good context? Sorry jonathan! You had something to add.

D

No, I was no. I was actually going to just say: you know that that's pretty much it yeah, that's different, because the feedback, because the feedback model does not do everything we need to do um or at the moment, because it only works for certain states.

B

On top of that, andy you'd be happy to know that uh we resurfaced the one-to-one one-to-many vulnerability versus finding uh discussion.

E

Phoenix from the ashes yeah, we don't we're not tackling.

B

Right now, but but now that we know that it's very unlikely that we're going to use that for grouping findings, because we have other directions for grouping like cwe and whatnot.

B

We are inclined to write something to clean that up and get rid of either findings or get rid of vulnerabilities, but just have one bracket to rule them all.

E

And that might be helpful once we start going down the path of filtering by other branches. If we go into a vulnerability record.

B

Oh, um we would you also, as part of this. This thing was was great because it triggered all these other discussions. We as part of the that we also talked about uh instead of only flagging. This is on the default branch or not on the default range. We we thought about the concept of a source, vulnerability source. Where did it come from or it came from a branch all right? Which branch did it come from? uh Oh, it was the default. No, it was another branch. uh No, it didn't come from a branch.

B

It came from an environment all right. What environment production staging? Did you define the ordering from it, and then that can be extensible right if, if we come up with other locations and values for sources, um that'd be huge yeah.

B

This is coming a little bit from container security, because if, when you scan a container in a in an environment, that container doesn't necessarily correspond to the default branch, it doesn't correspond to other bra it might not. It might correspond to to any other point in the reference and the dust on demand. Scanner can correspond to any website on the internet. That you authorize to scan so it doesn't.

E

Happen.

B

It's not even uh yeah so.

E

Okay, awesome, so stay tuned stay tuned. I will keep all of this in mind, so it says, like there's, a you've reached a stable approach with the feedback model and any designs. We're exploring in the near term will match that. So we won't just design out an uncoupled comment.

E

So we'll we'll keep all of that coupled until we have reached a larger decision on what to do with the feedback model in general.

B

Just taking notes um was, did we cover your second point? Did you wanna.

E

Basically saying I redesigned it, decoupling it uh so ignore that I'll move some pixels around. um It would be nice to support general commenting on the vulnerability details page, but that can be done separate and then perhaps in a the model, a new model potential model.

E

We could hear this idea of open closed versus kind of the myriad of statuses. We have um we're closed, would be the things that need to be audited right. Why was this fixed.

B

How.

E

Was it fixed? Why was this dismissed? Why you know um as then, the open is like these things are open. They have open issues, they're being worked on et cetera, et cetera, and then we have a lot more flexibility in the ui to present kind of a default list like we do today of open vulnerabilities, which is just the pre-filtered state of detected and confirmed.

E

That's down the road, but just something to chew. On.

B

Cool thanks very much.

B

um Anyone else got anything to add on this. Should we move on uh demos lindsay? Do you want to be savage.

C

Sure savage enhanced our trends line our chance chart on the project security dashboard to include the icons at the top that allow you to choose dates and download the image.

C

So we've identified that there's a need to update the e-charts library, that's being used in git lab ui that could resolve some of these bugs, um but overall, we believe it's adding value. So it's it's staying up as is, and savage is also working now on the additional issue which is around adding the uh the date.

D

Ranges.

C

Is that right, andy, the the second one, that's missing here. I can pull it up, but I know that there's another enhancement coming shortly on the tails of this.

E

Yeah there's like a slider that can go at the bottom.

C

Right.

E

Yeah, so we are going to update to the new echart's version.

C

Well, that's what I was chatting with savash about in our one-on-one this morning. That came up in part of the review with, I think, was ezekiel the maintainer. um So I was we're gonna look to see what that effort would be. You know it could be as easy as just updating it and there's no breaking changes, but the testing on that could be hard. So I asked matt if he was okay of us taking a little bit of time out of one of the next couple of milestones to take on some of the debt.

C

That's been building up around e-charts since we're one of the users of it. Okay,.

E

You can uh get ui polish credit for the next.

C

Okay, if you wanted to kr.

E

Yep.

C

And dave is not here, but this is about the the uh issue for planning breakdown, so we were talking yesterday. I think this might have gone just as easily under the other discussions, but um we're all there's. A lot of people focused right now on the generic security report schema, which is fantastic.

C

It's the top priority on matt's list right now and dave's question is around testing, so he can mock the data until he's blue in the face, but uh is we should put together a plan as a team on how we're going to generate some test data exercise the various cases? This may be something we want to pull in uh other secure groups, for I know that cameron swords has already been helping dave out a little bit with like here are the the higher priority items that we're looking to use more immediately, so we're prioritizing those.

B

Not only that cam cam has actually picked up the the back end issue for us, so he's implementing it uh super stoked about that, and- and uh he might have a suggestion on how to test this locally, because I saw a comment of his in the merge request offering help to the reviewer to say: hey if you want to run this locally, you can do this this and that so he and dave are in the same time zone if they want to sync up, he'll, probably get what he needs from from cam.

C

So I know that we've got another issue: that's in progress right now around generating that schema for the front end to consume. I'm assuming that that back end issue is going to run into these same questions as well around uh you know, in getting all that data into the database, you know or like getting scanned results to consume into the database to exercise the full end to end there.

B

That's the one I think, that's the one I'm talking about. I think we're talking about the same one.

C

Well, that's when the cameras picked up. Okay, I see cool.

B

So he's he's got it already. um The mr is up, so he has already run that locally, so he definitely has a way of consuming that and we're done anyone for any more.

B

No all right have a lovely day or afternoon or evening wherever you may be thanks. Everyone. Thank you. Thank you. Upload.

A

This later.

B

Bye.