Needs review
Project:
Drupal Security Team
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
19 Jun 2026 at 19:59 UTC
Updated:
22 Jun 2026 at 21:07 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
gregglesI tried to start each description with "automatically set (and when)" or "manually set by whom...".
These label descriptions are available on that list or when a label has been applied and someone hovers over the label.
Comment #3
ergonlogicAre these based on an external reference or ontology?
If not, I'd suggest that "Severity" might be a more descriptive scope than "Security risk", considering the labels are "Critical", "Highly critical", etc. IMO, "Security risk" implies a more qualitative/categorical descriptor, like "Privilege escalation" or "Remote exploit". But we probably don't want to re-invent CVSS...
Also, the "Security status" scope seems to mix concerns somewhat. For example, "not in advisory policy" seems to be of a different nature than "needs work", "rtbc", etc. Perhaps it should be in the "Security Advisory" scope instead?
Comment #4
gregglesThanks for the review and feedback! Worth considering.
Yeah, we did reinvent CVSS a long time ago because it's not a great fit for web vulnerabilities and it's not easy to understand. Since then CVSS got better (though I think it's still flawed) and is more adopted so there's more documentation supporting the sense-making process. The severity scope is based on our risk scores so we should probably keep them like that. They are automatically set. There's some work to move to CVSS at #3442181: Switch to CVSS scoring and part of that will probably be adjusting the risk score syncing code.
I agree the status is a mix of who needs to do work and what the next work is, but I think it's a decent compromise for ease of use of the system. It is purposeful that "not in advisory policy" is exclusive with the other values because it indicates that none of the other values are relevant. The team reviews the other statuses to find things to work on, but "not in advisory policy" doesn't require the team to get involved.
Comment #5
cmlaraThis link appears to not be visible to unauthenticated users. I wonder if it is possibly not accessible to anyone who hasn’t been added to at least one security issues (my test account doesn’t work with GitLab for some reason I’ve never requested infra to evaluate so I can’t test this myself if anyone else has no GitLab security issues you could help by commenting on if you can access this link).
Perhaps not a major blocker since you have to be authenticated to see issues or edit them however worth knowing/evaluating as it relates to public documentation.
I’ll note that page is unlikely to be found from a security issue. It’s buried under a topic that says
Longer term: I imagine users will learn to click on Manage > Labels which will mitigate any of these external needs.
Near term: I didn’t think to to check the labels before I responded in Slack regarding a lack of documentation, and while I’m far from a GitLab expert, my experience has been I tend to be one of the users most likely to explore and use the full UI. That leads me to be concerned other users are less likely in the near future learn this GitLab method for finding label text.
Security Status Validated:
and meets the team policies and practicesI’ve seen too many issues I expect the security team to refuse end up accepted and ones I would expect them to accept be refused. That phrase for me likley makes this team only. At the very least it implies maintiners need to have a firm grasp of the security team action history to make decisions. Perhaps another middle ground “maintainer agrees” stage ? (Possibly out of scope for this issue since it’s documenting current tags.)Expanding on that, I would go so far as to suggest it could be prefaced with “Calculated …” to make it more clear it’s an automated field (possibly out of scope for this issue, just wanted to suggest it since it is related to the previous suggestions of changing title)
Comment #6
drummWe can mention the labels in one of the automated issue updates or comments if we think it will help people. As long as the text doesn’t become so long that the really important points get glossed over.
I thought GitLab had helpful hover tips for labels right on the issue, but it seems it does not.
Comment #7
gregglesThanks for your thoughts in #5, cmlara.
re #4 - They show on the issue after a label has been assigned which is not really helpful for discovery of how to use the labels (see screenshot). It's better than nothing, but not ideal.
Comment #8
cmlaraAs another data point:
Mobile devices also do not have hover/mouseover support.
On my phone (where I do somehere around 80-90% of my reviewing and commenting) it is a link where you see the mouseover text for a moment when you click the link before being directed to a page that filters only on that tag (same for my native device app).
To reiterate I do expect long term users will learn all these methods, it is only in the short term where most the project are still likley on D.O. yet the securtiy issues are on G.D.O. (And maybe a half year to a year after the great migration to issues) that I expect this to be a point of per user learning. Unlike much of the rest of the conversion there really wasn’t a viable way to train users on Labels before migration.