Remove vulnerabilities count from pipelines' security tab
Original title: Keep vulnerability count static in pipeline security dashboard
This is a follow-up from https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/15682.
The pipeline security dashboard displays the total number of vulnerabilities in the Security tab. Whenever the user filters the list of vulnerabilities, the new filtered total is set in the tab's badge count.
The tab's badge count should always display the total number of vulnerabilities, disregarding any filtering applied by the dashboard.
The reason for this is that the implementation uses the X-Total header from the vulnerabilities API to set the total count, which changes as the filtering in the dashboard changes.
| Before filtering | After filtering |
|---|---|
| ![]() | ![]() |
Possible solutions:
- A: Include the total, unfiltered count in every request, somehow, and use that.
- B: Only update the badge count on the first request.
- C: Send an initial, explicitly-unfiltered request on page load to ensure the total count is received, and only use that.
Solution:
Remove the counts from the pipeline tab. We will do this for a few reasons:
- The security tab already has binary logic: when vulnerabilities are detected, we show the tab, and when vulnerabilities are not detected, the tab is not available.
- Total vulnerability count is not a metric that is helpful to the user. 1 Critical + 19 Low = 20 vulnerabilities and likewise 19 Critical + 1 Low = 20 vulnerabilities. Thus, total vulnerability count is not a good indicator of the user's security risk within a pipeline.
Note that we may want similar behaviour - i.e., displaying the total, unfiltered number of vulnerabilities, even when filters are applied - wherever we use the security dashboard (project/group/pipeline/instance/MR views).
cc @andyvolpe