
Group security issues panels in the MR widget

Description

We currently have four security reports available:

  1. SAST
  2. Dependency Scanning (after the split from SAST: https://gitlab.com/gitlab-org/gitlab-ee/issues/5105)
  3. Container Scanning
  4. DAST

These reports are exposed in the MR widget as independent panels. The SAST report is also exposed as a CI view in the CI/CD > Pipelines page: https://gitlab.com/gitlab-org/gitlab-ee/issues/3776.

Since the MR widget is overcrowded, and all of these panels deal with security issues, we should make a compact view that groups them all, providing a single summary with all the data.

Proposal

Replace all the specific panels in the MR widget with a single one that groups all the security issues.

This summary can then be expanded into different sub-panels, one for each of the features listed above. Each sub-panel will have a sub-summary containing information related only to that specific feature, followed by the list of diffs between the "base" and the "head" reports, and a link to expand the full list of vulnerabilities.

Information to be shown in each summary (main and specific ones):

  • new: number of security issues that have been introduced (present in head but not in base: head - base)
  • fixed: number of security issues that have been fixed (present in base but not in head: base - head)

Notes:

  • the main summary will sum the numbers of the four sub-summaries (e.g., new will be new(SAST)+new(Dependency Scanning)+new(Container Scanning)+new(DAST))
  • specific summaries are not expandable, so expanding the main summary results in the four sub-summaries and the four lists of new/fixed items
  • showing the full list of issues for a specific feature will show the full list of vulnerabilities found (as it is now doing for SAST)
  • whitelisted vulnerabilities (Container Scanning feature) are not considered in any count; they are simply ignored
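
The counting rules above, as an added example in plain JavaScript (not GitLab's own widget code). The report shape (a list of findings with an assumed stable `cve` identifier plus message, file and line), the feature names, and the decision to keep the main summary's new/fixed counts to features that had a base report are all assumptions for illustration; the sample reports are constructed, not real scanner output.

```javascript
// Added example, not GitLab's code: diff base/head security reports and
// aggregate the grouped summary counts.

// Stable key for one finding. The fields are assumed; real schemas differ per tool.
function vulnKey(v) {
  return [v.cve || '', v.message || '', v.file || '', v.line || ''].join('|');
}

// Diff one feature's reports.
//   new   = head - base  (findings only present in head)
//   fixed = base - head  (findings only present in base)
// Whitelisted identifiers (Container Scanning) are dropped from both sides
// first, so they never count as new, fixed or existing.
// When base is null no comparison is possible: return the full head list only.
function diffReport(head, base, whitelist = []) {
  const ignored = new Set(whitelist);
  const keep = (list) => list.filter((v) => !ignored.has(v.cve));
  const headKept = keep(head);
  if (base === null) {
    return { comparable: false, added: [], fixed: [], all: headKept };
  }
  const headMap = new Map(headKept.map((v) => [vulnKey(v), v]));
  const baseMap = new Map(keep(base).map((v) => [vulnKey(v), v]));
  const added = [...headMap].filter(([k]) => !baseMap.has(k)).map(([, v]) => v);
  const fixed = [...baseMap].filter(([k]) => !headMap.has(k)).map(([, v]) => v);
  return { comparable: true, added, fixed, all: [...headMap.values()] };
}

// Display order of the sub-panels.
const ORDER = ['sast', 'dependency_scanning', 'container_scanning', 'dast'];

// Main summary: sum of the four sub-summaries. Assumption: only features where
// a base/head comparison was possible contribute to new/fixed; `all` is the
// source-branch total used when no comparison is possible.
function groupedSummary(perFeature) {
  let added = 0, fixed = 0, all = 0, comparable = 0;
  for (const name of ORDER) {
    const r = perFeature[name];
    if (!r) continue;
    if (r.comparable) { added += r.added.length; fixed += r.fixed.length; comparable += 1; }
    all += r.all.length;
  }
  return { added, fixed, all, comparable: comparable > 0 };
}

// Constructed sample input (not real scan output).
const SAMPLE = {
  sast: {
    base: [{ cve: 'SAST-1', message: 'Hardcoded secret', file: 'a.rb', line: 3 }],
    head: [
      { cve: 'SAST-1', message: 'Hardcoded secret', file: 'a.rb', line: 3 },
      { cve: 'SAST-2', message: 'Command injection', file: 'b.rb', line: 10 },
    ],
  },
  dependency_scanning: {
    base: [{ cve: 'CVE-2017-0001', message: 'Vulnerable gem', file: 'Gemfile.lock', line: 1 }],
    head: [],
  },
  container_scanning: {
    base: [{ cve: 'CVE-2018-0002', message: 'libssl', file: 'image', line: 0 }],
    head: [
      { cve: 'CVE-2018-0002', message: 'libssl', file: 'image', line: 0 },
      { cve: 'CVE-2018-0003', message: 'glibc', file: 'image', line: 0 },
    ],
    whitelist: ['CVE-2018-0003'], // approved: must not appear in any count
  },
  dast: { base: null, head: [{ cve: 'ZAP-10038', message: 'Missing CSP header', file: '/', line: 0 }] },
};

// Run the diff for every feature and build the grouped summary.
function runSample(sample = SAMPLE) {
  const perFeature = {};
  for (const name of ORDER) {
    const { head, base = null, whitelist = [] } = sample[name];
    perFeature[name] = diffReport(head, base, whitelist);
  }
  return { perFeature, summary: groupedSummary(perFeature) };
}
```

With the constructed input, SAST contributes 1 new, Dependency Scanning 1 fixed, Container Scanning nothing (its only new finding is whitelisted), and DAST has no base report, so it adds its 1 source-branch finding to the total but nothing to new/fixed.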

Design

[Design mockup image: merge_request_widget]

  • Note: The Complete vulnerabilities report anchor will keep the existing functionality and expand the report inline; changes to this functionality are deferred to https://gitlab.com/gitlab-org/gitlab-ee/issues/5322
  • Note: The order of the security sections should be: SAST, Dependency Scanning, Container Scanning, DAST.
  • Note: If no head/base comparison is possible (no base report is available), show the complete list of vulnerabilities found on the source branch

Summary:

  • summary with no vulnerabilities
    • Pass icon
    • Security scanning detected no new or fixed security vulnerabilities
  • summary with only added vulnerabilities
    • Exclamation mark icon
    • Security scanning detected 1 new vulnerability
    • Security scanning detected 7 new vulnerabilities
  • summary with only fixed vulnerabilities.
    • Pass icon
    • Security scanning detected 1 fixed vulnerability
    • Security scanning detected 3 fixed vulnerabilities
  • summary with both
    • Exclamation mark icon
    • Security scanning detected 1 new vulnerability and 1 fixed vulnerability
    • Security scanning detected 7 new vulnerabilities and 3 fixed vulnerabilities
  • summary for loading
    • Spinner icon
    • Security scanning (in progress) detected 1 new vulnerability and 1 fixed vulnerability
    • Security scanning (in progress) detected 7 new vulnerabilities and 3 fixed vulnerabilities
  • summary in case all the endpoints are still loading
    • Spinner icon
    • Security scanning in progress
  • summary in case some but not all of the endpoints return an error
    • Exclamation mark icon
    • Security scanning (errors when loading results) detected 1 new vulnerability and 1 fixed vulnerability
    • Security scanning (errors when loading results) detected 7 new vulnerabilities and 3 fixed vulnerabilities
  • summary in case all the endpoints return an error
    • Exclamation mark icon
    • Security scanning failed loading any results
  • summary in case we have a mixed state of results, loading, and error
    • Exclamation mark icon
    • Security scanning (in progress, errors when loading results) detected 1 new vulnerability and 1 fixed vulnerability
    • Security scanning (in progress, errors when loading results) detected 7 new vulnerabilities and 3 fixed vulnerabilities
  • No Head/Base comparison possible for all tests
    • Exclamation mark icon
    • Security scanning detected no vulnerabilities for the source branch only
    • Security scanning detected 1 vulnerability for the source branch only
    • Security scanning detected X vulnerabilities for the source branch only

SAST:

  • loading
    • Spinner icon
    • SAST detection is in progress
  • error
    • Exclamation mark icon
    • SAST resulted in error while loading results
  • text with no vulnerabilities
    • Pass icon
    • SAST detected no new or fixed security vulnerabilities
  • text with only added vulnerabilities
    • Exclamation mark icon
    • SAST detected 1 new vulnerability
    • SAST detected 4 new vulnerabilities
  • text with only fixed vulnerabilities
    • Pass icon
    • SAST detected 1 fixed vulnerability
    • SAST detected 2 fixed vulnerabilities
  • text with both
    • Exclamation mark icon
    • SAST detected 1 new vulnerability and 1 fixed vulnerability
    • SAST detected 4 new vulnerabilities and 2 fixed vulnerabilities
  • Anchor below: Show complete code vulnerabilities report
  • No Head/Base comparison possible
    • Exclamation mark icon
    • SAST detected no vulnerabilities for the source branch only
    • SAST detected 1 vulnerability for the source branch only
    • SAST detected X vulnerabilities for the source branch only

Dependency scanning:

  • loading
    • Spinner icon
    • Dependency scanning detection is in progress
  • error
    • Exclamation mark icon
    • Dependency scanning resulted in error while loading results
  • text with no vulnerabilities
    • Pass icon
    • Dependency scanning detected no new or fixed security vulnerabilities
  • text with only added vulnerabilities
    • Exclamation mark icon
    • Dependency scanning detected 1 new vulnerability
    • Dependency scanning detected 4 new vulnerabilities
  • text with only fixed vulnerabilities
    • Pass icon
    • Dependency scanning detected 1 fixed vulnerability
    • Dependency scanning detected 2 fixed vulnerabilities
  • text with both
    • Exclamation mark icon
    • Dependency scanning detected 1 new vulnerability and 1 fixed vulnerability
    • Dependency scanning detected 4 new vulnerabilities and 2 fixed vulnerabilities
  • Anchor below: Show complete code vulnerabilities report
  • No Head/Base comparison possible
    • Exclamation mark icon
    • Dependency scanning detected no vulnerabilities for the source branch only
    • Dependency scanning detected 1 vulnerability for the source branch only
    • Dependency scanning detected X vulnerabilities for the source branch only

Container scanning:

  • loading
    • Spinner icon
    • Container scanning detection is in progress
  • error
    • Exclamation mark icon
    • Container scanning resulted in error while loading results
  • text with no vulnerabilities
    • Pass icon
    • Container scanning detected no new or fixed security vulnerabilities
  • text with only added vulnerabilities
    • Exclamation mark icon
    • Container scanning detected 1 new vulnerability
    • Container scanning detected 2 new vulnerabilities
  • text with only fixed vulnerabilities
    • Pass icon
    • Container scanning detected 1 fixed vulnerability
    • Container scanning detected 2 fixed vulnerabilities
  • text with both
    • Exclamation mark icon
    • Container scanning detected 1 new vulnerability and 1 fixed vulnerability
    • Container scanning detected 2 new vulnerabilities and 2 fixed vulnerabilities
  • Explanation text below + link: Vulnerabilities can be marked as approved. Learn more about whitelisting
  • No Head/Base comparison possible
    • Exclamation mark icon
    • Container scanning detected no vulnerabilities for the source branch only
    • Container scanning detected 1 vulnerability for the source branch only
    • Container scanning detected X vulnerabilities for the source branch only

DAST:

  • loading
    • Spinner icon
    • DAST detection is in progress
  • error
    • Exclamation mark icon
    • DAST resulted in error while loading results
  • text with no vulnerabilities
    • Pass icon
    • DAST detected no new or fixed security vulnerabilities
  • text with only added vulnerabilities
    • Exclamation mark icon
    • DAST detected 1 new vulnerability
    • DAST detected 2 new vulnerabilities
  • text with only fixed vulnerabilities
    • Pass icon
    • DAST detected 1 fixed vulnerability
    • DAST detected 2 fixed vulnerabilities
  • text with both
    • Exclamation mark icon
    • DAST detected 1 new vulnerability and 1 fixed vulnerability
    • DAST detected 2 new vulnerabilities and 2 fixed vulnerabilities
  • No Head/Base comparison possible
    • Exclamation mark icon
    • DAST detected no vulnerabilities for the source branch only
    • DAST detected 1 vulnerability for the source branch only
    • DAST detected X vulnerabilities for the source branch only
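
The wording and icon rules listed for the main summary and for the four feature sub-summaries, as an added JavaScript example (not GitLab's widget code). It assumes each feature's result is an object of the form `{ status: 'loading' | 'error' | 'done', comparable, added, fixed, all }`, that icons are named `pass`, `warning` and `spinner`, and it fills one case the lists above leave implicit (a loading or error qualifier combined with zero new/fixed findings reuses the "no new or fixed" wording). The sample results are constructed.

```javascript
// Added example, not GitLab's code: produce the widget text and icon for the
// grouped summary and for a single feature from per-feature results.

// "1 vulnerability" / "3 vulnerabilities"
function plural(n) {
  return `${n} vulnerabilit${n === 1 ? 'y' : 'ies'}`;
}

// "no new or fixed security vulnerabilities" | "N new ..." | "N fixed ..." | "N new ... and M fixed ..."
function countsText(added, fixed) {
  if (added === 0 && fixed === 0) return 'no new or fixed security vulnerabilities';
  const parts = [];
  if (added > 0) parts.push(`${added} new vulnerabilit${added === 1 ? 'y' : 'ies'}`);
  if (fixed > 0) parts.push(`${fixed} fixed vulnerabilit${fixed === 1 ? 'y' : 'ies'}`);
  return parts.join(' and ');
}

// Wording used when no base report exists and only the source branch was scanned.
function sourceOnlyText(all) {
  return `${all === 0 ? 'no vulnerabilities' : plural(all)} for the source branch only`;
}

// One feature's sub-summary (label is "SAST", "Dependency scanning", ...).
function featureText(label, r) {
  if (r.status === 'loading') return { icon: 'spinner', text: `${label} detection is in progress` };
  if (r.status === 'error') return { icon: 'warning', text: `${label} resulted in error while loading results` };
  if (!r.comparable) return { icon: 'warning', text: `${label} detected ${sourceOnlyText(r.all)}` };
  return { icon: r.added > 0 ? 'warning' : 'pass', text: `${label} detected ${countsText(r.added, r.fixed)}` };
}

// The grouped summary: combines loading/error/done states and sums the counts.
function groupedText(results) {
  const loading = results.filter((r) => r.status === 'loading').length;
  const errors = results.filter((r) => r.status === 'error').length;
  const done = results.filter((r) => r.status === 'done');
  if (loading === results.length) return { icon: 'spinner', text: 'Security scanning in progress' };
  if (errors === results.length) return { icon: 'warning', text: 'Security scanning failed loading any results' };
  if (done.length === results.length && done.every((r) => !r.comparable)) {
    const all = done.reduce((s, r) => s + r.all, 0);
    return { icon: 'warning', text: `Security scanning detected ${sourceOnlyText(all)}` };
  }
  const comparable = done.filter((r) => r.comparable);
  const added = comparable.reduce((s, r) => s + r.added, 0);
  const fixed = comparable.reduce((s, r) => s + r.fixed, 0);
  const qualifiers = [];
  if (loading > 0) qualifiers.push('in progress');
  if (errors > 0) qualifiers.push('errors when loading results');
  const prefix = qualifiers.length ? `Security scanning (${qualifiers.join(', ')})` : 'Security scanning';
  // Icon precedence follows the lists above: any error -> warning, else still
  // loading -> spinner, else warning only when something new was introduced.
  let icon;
  if (errors > 0) icon = 'warning';
  else if (loading > 0) icon = 'spinner';
  else icon = added > 0 ? 'warning' : 'pass';
  return { icon, text: `${prefix} detected ${countsText(added, fixed)}` };
}

// Constructed sample: a mixed state (done, loading, done, error) in display order.
const SAMPLE_RESULTS = {
  SAST: { status: 'done', comparable: true, added: 4, fixed: 2, all: 9 },
  'Dependency scanning': { status: 'loading' },
  'Container scanning': { status: 'done', comparable: true, added: 0, fixed: 0, all: 1 },
  DAST: { status: 'error' },
};

function renderSample(sample = SAMPLE_RESULTS) {
  return {
    summary: groupedText(Object.values(sample)),
    features: Object.entries(sample).map(([label, r]) => ({ label, ...featureText(label, r) })),
  };
}
```

For the constructed mixed state the main summary reads "Security scanning (in progress, errors when loading results) detected 4 new vulnerabilities and 2 fixed vulnerabilities" with the exclamation mark icon, while each sub-summary keeps its own state: SAST shows its counts, Dependency scanning its spinner, Container scanning the pass icon, and DAST the loading error.
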
Edited by Filipa Lacerda