From YouTube: Standalone Vulnerability MVC - Weekly Discussion
Description
Defend team's weekly discussion and demo of the Standalone Vulnerability MVC progress (https://gitlab.com/gitlab-org/gitlab/issues/13561)
A
Let's come back to that for just a moment. So, going back to the original question: should we accept a community contribution to work on this issue? I would argue a prerequisite is somebody that has an Ultimate license. Otherwise, I can't test the stuff that they're putting up. So, with that being said, I'm happy to weigh in unless somebody else wants to beat me to it. Ask.
A
Stating that this is a prerequisite, and unless somebody has it, then they don't have the necessary access in order to do so, and we would want to assign this out to probably a GitLab employee. I'm... This is an interesting conundrum. I don't... I mean, to have a community member say they want to work it, but also know that they're trying to apply, and at the same time I don't know what we do here, and I'll be blunt.
B
On this project, I mean, that sounds like enough feedback, I would say. Thank you. Indi, I mean, like Lucas said, they're working on several other issues, so there's certainly other things to work on. So I think that answers that question. Okay. Thank you, party.
D
The reason I asked the other question was because if the work on this was stalled, and it was a single endpoint, then it stops the switcher going in entirely. Whereas if it's separate endpoints, then all it stops is that particular stairs in the switcher do is those method to it, but it's fine. It's okay.
C
Yes, Sam already answered it, but we did our first planning for 2008 on secure front end and secure phone, and release came out rather light, so we would be able to maybe add another person on this topic. So yeah, if it makes sense, then we can do it. I'm thinking either Fernando or Paul helping out, because time zone wise they would be between Sam and Daniel's. So that maybe makes communication a bit easier, and Sam wants to create issues this afternoon. So thank you.
D
Okay, prerequisite to this demo. It's not particularly interesting, but I will show you anyway. So this is the standalone vulnerability page, mark one. I would say it's nothing special. It just pulls in the title, the description and some bits and pieces from the deer. We're getting some of it from the vulnerability itself and some of it from the finding that created that vulnerability.
D
My next step is to create the separate list so that you can see all of them rather than having to guess the ID, which is not a fun game. But here's where we are. This is step number one: we're actually starting to see something in the product that we can look at and start to play with. So, just to keep you all updated on where we are with that.
D
From findings, the description has come from the finding. The location, sorry, the image and the namespace are coming from the location on the finding. Links are coming from the finding. Identifiers are coming from the short list. Really, the things that are coming from the vulnerability are the title and severity, confidence and report type. Everything else is coming from the finding, which at the moment, there's only one finding, but it's technically just the first finding in this case.
A
Description, title: what were the other two attributes, right? No, description's not on the vulnerability, description's on the title. Sorry, description's on the finding. So, from vulnerability, I'll go a little slower. So, if someone's taken it, I'm sorry, we get the state, we get when the vulnerability was created.
D
Kind of. So, well, I'm saying we're getting it off the finding, and we're getting that finding off the vulnerability, so technically we're getting it off the vulnerability as well. But yeah, I mean, getting it from the finding was kind of the workaround we decided on before, to quickly add that information to the vulnerability API just by including that finding as well.
B
Okay, I would say some of this is based on the design decision that we would have one vulnerability linked to multiple findings, which could have different data for those points that we're pulling from the finding. So, with that decision, it doesn't necessarily make sense to have all of that data on the vulnerability, since it could be different for the different findings, if that makes sense.
A
Sorry, I'm gonna be annoying towards PM and UX. This is debt that's gonna have to be paid down before we get to multiple findings per one vulnerability, so this adds some weight to it. I don't know that... I would argue that it's a correct decision to get to a fast MVC or a fast v1, but this will add some... This will add work, and so I want to make sure that you all hear that.
B
I guess, I mean, my naive view of this, and feel free to shoot it down, but right now we have a vulnerability, and since there's only one finding, it doesn't make sense to have a separate page to show that finding. When we do have that, you know, there will be a link on the vulnerability to view each of the different findings somehow, and at that point I think that's a matter of just not showing that stuff.
E
I mean, I think that's one solution to solve a problem, one-to-many, where there's many similar things that were detected and we're creating vulnerabilities, right. There's also another opportunity that we could do, which is creating a group of vulnerabilities that are similar, that need to be dealt with in a similar way. Much like one-to-many findings, just a grouping of vulnerabilities, almost as if there was like an epic.
E
It's another way to solve that problem, so it doesn't necessarily have to be an engineering solution to solve the user's problem of multiple similar CVEs, or multiple similar vulnerabilities of the same type, being grouped together and dealt with in a remediation flow, right. So that's why one-to-many was so tough.
F
I have a really ignorant question as well. If we were to go down that route of creating pages per finding, is there a concern that, especially with some of the scanners throwing up lots of false positives, that those are the things that are going to be dismissed or deleted, that we're just going to be generating a lot of, I guess, pages that would quickly be deleted or, if not deleted, that we're just gonna have this large contingent of things that are taking up space? But we don't really...
E
Yeah, I think findings are really just, when they need to be interacted with, they're basically not in master yet, so they're newly introduced, whereas the vulnerability, that's something that's been there, has been run on the pipeline, is now in master, and there's something that needs to be dealt with. So that's where a page and a listing make sense for the vulnerability, because they can remediate, they can track, they can log, they can download the reports and all that stuff, and do all the heavy lifting for that.
E
The finding itself is just a way for us to populate this vulnerability list with data that then can be housed in a database with our vulnerability. So, to me, if the user never knows what a finding is, that's fine, right. That's kind of the path we went down anyway. They're probably never going to see the word finding.
D
I knew it was, to be honest. Okay, okay, and stay a switch in, I guess. I mean, Daniel's working on that, so I can't really say, but I think what we've got now is maybe enough to get started. I don't know, Daniel, but I'd say my next step is to create the list of vulnerabilities, which I've got already. So right now, no, I'm not blocked.
B
I think that would be a great meeting to have, and probably record it, because I don't think you're the only person that has that question. And I also, like, I'd be happy to be on that call, but I don't think I should be the only one on that call, I mean.
F
Likewise, I can be there. Yeah, I was just about to say, Andy, you need to be on that, because it's taken me longer than, admittedly, it probably should, but the idea that the vulnerabilities are actually things that have been merged into the master branch is kind of a subtle point, but a very important one in realizing what the difference is.
A
Risk of overloading that conversation, since we've had that... I'm not picking on anybody, but we've had a conversation multiple times about what's a vulnerability and what's a finding, and it's something that keeps coming up. The output of that should be a video and/or documentation explaining the difference, just to go ahead and get in front of it. Yeah.