
Collaborative remediation

Problem to solve

We want to help developers remediate vulnerabilities.

Target audience

Sasha, the Software Developer, would be happy to have this feature.

Further details

While we are starting to provide auto-remediation for our users (https://gitlab.com/gitlab-org/gitlab-ee/issues/3710), many cases won't be covered, because we don't (yet) have the ability to offer patches for complex vulnerabilities. This is especially true for SAST, where the original code has to be rewritten to fix the finding. Producing such a rewrite means "understanding" the code, and we're not there yet.

Proposal

If vulnerabilities become first-class objects in GitLab (https://gitlab.com/gitlab-org/gitlab-ee/issues/8493), we can follow the relations between:

an Identifier -> a Vulnerability -> a Merge Request

GitLab is full of open source projects; we must leverage that data. By showing Sasha how other users remediated the same vulnerability, he can learn from them and start fixing his code faster. This will also make him more confident about his own change.

What does success look like, and how can we measure that?

When Sasha browses a Vulnerability, if public projects have fixed it recently, a list of example MRs is displayed.
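As an added example (not GitLab's code), here is the lookup behind this success criterion, written in Ruby over a constructed in-memory model of the Identifier -> Vulnerability -> Merge Request relations described in the proposal. The table layout, field names, the 90-day window and the sample projects are assumptions for illustration, not GitLab's schema or data.

```ruby
require 'date'
require 'set'

# Constructed sample data (an assumption, not GitLab's schema): projects with
# their visibility, scanner identifiers, vulnerabilities and the merge requests
# that resolved them.
PROJECTS = {
  1 => { name: 'sasha/shop',        visibility: :private },
  2 => { name: 'acme/payments',     visibility: :public },
  3 => { name: 'acme/internal-api', visibility: :private },
  4 => { name: 'oss/webkit-tools',  visibility: :public },
}.freeze

# Identifiers are how scanners name a class of finding (here a CWE).
IDENTIFIERS = {
  10 => { external_type: 'cwe', external_id: 'CWE-89' }, # SQL injection
  11 => { external_type: 'cwe', external_id: 'CWE-79' }, # XSS
}.freeze

# A vulnerability lives in one project, carries one or more identifiers and,
# once fixed, points at the merge request that resolved it.
VULNERABILITIES = [
  { id: 100, project_id: 1, identifier_ids: [10],     state: :detected, resolved_by_mr: nil, resolved_at: nil },
  { id: 101, project_id: 2, identifier_ids: [10],     state: :resolved, resolved_by_mr: 501, resolved_at: Date.new(2019, 1, 10) },
  { id: 102, project_id: 3, identifier_ids: [10],     state: :resolved, resolved_by_mr: 502, resolved_at: Date.new(2019, 1, 12) },
  { id: 103, project_id: 4, identifier_ids: [10, 11], state: :resolved, resolved_by_mr: 503, resolved_at: Date.new(2018, 6, 1) },
  { id: 104, project_id: 4, identifier_ids: [11],     state: :resolved, resolved_by_mr: 504, resolved_at: Date.new(2019, 1, 15) },
  { id: 105, project_id: 2, identifier_ids: [10],     state: :resolved, resolved_by_mr: 505, resolved_at: Date.new(2019, 1, 20) },
].freeze

MERGE_REQUESTS = {
  501 => { project_id: 2, iid: 42, title: 'Use parameterized queries in OrderSearch' },
  502 => { project_id: 3, iid: 7,  title: 'Fix SQLi in report filter' },
  503 => { project_id: 4, iid: 88, title: 'Escape user input in templates' },
  504 => { project_id: 4, iid: 91, title: 'Escape title attribute' },
  505 => { project_id: 2, iid: 57, title: 'Parameterize refund lookup' },
}.freeze

# Follow Identifier -> Vulnerability -> Merge Request for every identifier on
# the vulnerability being viewed. Keep only fixes that:
#   (a) live in a *public* project, so nothing from a private project leaks,
#   (b) are not in the viewer's own project (that is where the open finding is),
#   (c) were resolved within `since` days,
#   (d) are at most one per project, most recent first, so one busy project
#       does not crowd out the others.
def example_fixes_for(vulnerability_id, today:, since: 90, limit: 5)
  vuln = VULNERABILITIES.find { |v| v[:id] == vulnerability_id }
  raise ArgumentError, "unknown vulnerability #{vulnerability_id}" unless vuln

  wanted = vuln[:identifier_ids].to_set
  cutoff = today - since

  candidates = VULNERABILITIES.select do |other|
    other[:state] == :resolved &&
      other[:resolved_by_mr] &&
      other[:project_id] != vuln[:project_id] &&
      PROJECTS.fetch(other[:project_id])[:visibility] == :public &&
      other[:resolved_at] >= cutoff &&
      (other[:identifier_ids].to_set & wanted).any?
  end

  picked = []
  seen_projects = Set.new
  candidates.sort_by { |other| other[:resolved_at] }.reverse_each do |other|
    break if picked.size >= limit
    next if seen_projects.include?(other[:project_id])

    seen_projects << other[:project_id]
    mr = MERGE_REQUESTS.fetch(other[:resolved_by_mr])
    picked << {
      project: PROJECTS.fetch(mr[:project_id])[:name],
      mr: "!#{mr[:iid]}",
      title: mr[:title],
      resolved_at: other[:resolved_at].iso8601,
    }
  end
  picked
end

if __FILE__ == $PROGRAM_NAME
  # Sasha's open SQL-injection finding (id 100) in the private project sasha/shop.
  example_fixes_for(100, today: Date.new(2019, 2, 1)).each do |fix|
    puts "#{fix[:project]} #{fix[:mr]} (#{fix[:resolved_at]}): #{fix[:title]}"
  end
end
```

The visibility filter is the security-relevant check: a fix in acme/internal-api matches the same identifier but must never be surfaced to a user who cannot see that project, so the filter belongs in the query itself rather than in the rendering layer. Matching on a class identifier such as a CWE will also pull in fixes that are only loosely related, which is why the result is capped and deduplicated per project.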

Links / references

/cc @bikebilly @andyvolpe

Edited by Philippe Lafoucrière