Group security issues panels in the MR widget
Description
We currently have four security reports available:
- SAST
- Dependency Scanning (after the split from SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/5105)
- Container Scanning
- DAST
These reports are exposed in the MR widget as independent panels. The SAST report is also exposed as a CI view in the CI/CD > Pipelines page: https://gitlab.com/gitlab-org/gitlab-ee/issues/3776.
Since the MR widget is overcrowded and all of these panels deal with security issues, we should build a compact view that groups them all, providing a single summary of all the data.
Proposal
Replace all the specific panels in the MR widget with a single one that groups all the security issues.
This summary can then be expanded into different sub-panels, one for each of the features listed above. Each sub-panel will have a sub-summary containing information related only to that specific feature, followed by the list of diffs between the "base" and "head" reports and a link to expand the full list of vulnerabilities.
Information to be shown in each summary (main and specific ones):
- new: number of security issues that have been introduced (head - base)
- fixed: number of security issues that have been fixed (base - head)
Notes:
- the main summary will sum the numbers of the four sub-summaries (e.g., new will be new(SAST) + new(Dependency Scanning) + new(Container Scanning) + new(DAST))
- specific summaries are not expandable, so expanding the main summary results in the four sub-summaries and the four lists of new/fixed items
- showing the full list of issues for a specific feature will show the full list of vulnerabilities found (as it is now doing for SAST)
- whitelisted vulnerabilities (for the Container Scanning feature) are not considered in any count; they are simply ignored
Design
- Note: The "Complete vulnerabilities report" anchor will keep its existing functionality and expand the report inline; changes to this functionality are deferred to https://gitlab.com/gitlab-org/gitlab-ee/issues/5322
- Note: The order of the security sections should be: SAST, Dependency Scanning, Container Scanning, DAST.
- Note: If no head/base comparison is possible, show the complete list.
Summary:
- summary with no vulnerabilities
- Pass icon
Security scanning detected no new or fixed security vulnerabilities
- summary with only added vulnerabilities
- Exclamation mark icon
Security scanning detected 1 new vulnerability
Security scanning detected 7 new vulnerabilities
- summary with only fixed vulnerabilities
- Pass icon
Security scanning detected 1 fixed vulnerability
Security scanning detected 3 fixed vulnerabilities
- summary with both
- Exclamation mark icon
Security scanning detected 1 new vulnerability and 1 fixed vulnerability
Security scanning detected 7 new vulnerabilities and 3 fixed vulnerabilities
- summary for loading
- Spinner icon
Security scanning (in progress) detected 1 new vulnerability and 1 fixed vulnerability
Security scanning (in progress) detected 7 new vulnerabilities and 3 fixed vulnerabilities
- summary in case all the endpoints are still loading
- Spinner icon
Security scanning in progress
- summary in case some but not all of the endpoints return an error
- Exclamation mark icon
Security scanning (errors when loading results) detected 1 new vulnerability and 1 fixed vulnerability
Security scanning (errors when loading results) detected 7 new vulnerabilities and 3 fixed vulnerabilities
- summary in case all the endpoints return an error
- Exclamation mark icon
Security scanning failed loading any results
- summary in case we have a mixed state of results, loading, and error
- Exclamation mark icon
Security scanning (in progress, errors when loading results) detected 1 new vulnerability and 1 fixed vulnerability
Security scanning (in progress, errors when loading results) detected 7 new vulnerabilities and 3 fixed vulnerabilities
- No Head/Base comparison possible for all tests
- Exclamation mark icon
Security scanning detected no vulnerabilities for the source branch only
Security scanning detected 1 vulnerability for the source branch only
Security scanning detected X vulnerabilities for the source branch only
SAST:
- loading
- Spinner icon
SAST detection is in progress
- error
- Exclamation mark icon
SAST resulted in error while loading results
- text with no vulnerabilities
- Pass icon
SAST detected no new or fixed security vulnerabilities
- text with only added vulnerabilities
- Exclamation mark icon
SAST detected 1 new vulnerability
SAST detected 4 new vulnerabilities
- text with only fixed vulnerabilities
- Pass icon
SAST detected 1 fixed vulnerability
SAST detected 2 fixed vulnerabilities
- text with both
- Exclamation mark icon
SAST detected 1 new vulnerability and 1 fixed vulnerability
SAST detected 4 new vulnerabilities and 2 fixed vulnerabilities
- Anchor below
Show complete code vulnerabilities report
- No Head/Base comparison possible
- Exclamation mark icon
SAST detected no vulnerabilities for the source branch only
SAST detected 1 vulnerability for the source branch only
SAST detected X vulnerabilities for the source branch only
Dependency scanning:
- loading
- Spinner icon
Dependency scanning detection is in progress
- error
- Exclamation mark icon
Dependency scanning resulted in error while loading results
- text with no vulnerabilities
- Pass icon
Dependency scanning detected no new or fixed security vulnerabilities
- text with only added vulnerabilities
- Exclamation mark icon
Dependency scanning detected 1 new vulnerability
Dependency scanning detected 4 new vulnerabilities
- text with only fixed vulnerabilities
- Pass icon
Dependency scanning detected 1 fixed vulnerability
Dependency scanning detected 2 fixed vulnerabilities
- text with both
- Exclamation mark icon
Dependency scanning detected 1 new vulnerability and 1 fixed vulnerability
Dependency scanning detected 4 new vulnerabilities and 2 fixed vulnerabilities
- Anchor below
Show complete code vulnerabilities report
- No Head/Base comparison possible
- Exclamation mark icon
Dependency scanning detected no vulnerabilities for the source branch only
Dependency scanning detected 1 vulnerability for the source branch only
Dependency scanning detected X vulnerabilities for the source branch only
Container scanning:
- loading
- Spinner icon
Container scanning detection is in progress
- error
- Exclamation mark icon
Container scanning resulted in error while loading results
- text with no vulnerabilities
- Pass icon
Container scanning detected no new or fixed security vulnerabilities
- text with only added vulnerabilities
- Exclamation mark icon
Container scanning detected 1 new vulnerability
Container scanning detected 2 new vulnerabilities
- text with only fixed vulnerabilities
- Pass icon
Container scanning detected 1 fixed vulnerability
Container scanning detected 2 fixed vulnerabilities
- text with both
- Exclamation mark icon
Container scanning detected 1 new vulnerability and 1 fixed vulnerability
Container scanning detected 2 new vulnerabilities and 2 fixed vulnerabilities
- Explanation text below + link
Vulnerabilities can be marked as approved. Learn more about whitelisting
- No Head/Base comparison possible
- Exclamation mark icon
Container scanning detected no vulnerabilities for the source branch only
Container scanning detected 1 vulnerability for the source branch only
Container scanning detected X vulnerabilities for the source branch only
DAST:
- loading
- Spinner icon
DAST detection is in progress
- error
- Exclamation mark icon
DAST resulted in error while loading results
- text with no vulnerabilities
- Pass icon
DAST detected no new or fixed security vulnerabilities
- text with only added vulnerabilities
- Exclamation mark icon
DAST detected 1 new vulnerability
DAST detected 2 new vulnerabilities
- text with only fixed vulnerabilities
- Pass icon
DAST detected 1 fixed vulnerability
DAST detected 2 fixed vulnerabilities
- text with both
- Exclamation mark icon
DAST detected 1 new vulnerability and 1 fixed vulnerability
DAST detected 2 new vulnerabilities and 2 fixed vulnerabilities
- No Head/Base comparison possible
- Exclamation mark icon
DAST detected no vulnerabilities for the source branch only
DAST detected 1 vulnerability for the source branch only
DAST detected X vulnerabilities for the source branch only