List view for scanner results including 3rd parties
Problem to solve
As we add more 3rd-party security scanners as official integration partners, it will become more difficult for users to determine at a glance which scanner a detection came from. Additionally, after First Class Vulnerabilities is released, scan results will persist across runs. This opens the potential for mixing results of the same type (e.g. DAST) from both the GitLab-provided scanners and one or more 3rd parties. We'll need a clean, clear way to let users easily manage potentially multiple scanners making the same detection.
Intended users
Further details
Research
To make it easier for users to determine at a glance which scanner a detection came from, and to easily manage potentially multiple scanners making the same detection, there is a 3-step proposal:
- MVC: list with additional info columns: scanner and identifier
- Manual grouping with GitLab hints
- Auto grouping by GitLab
Research issue link: ux-research#680 (closed)
Research result highlight
- It is difficult to notice the same vulnerability reported by different scanners in a normal list view (sorted by severity)
- After the moderator pointed out the similar ones, the line of code, scanner name and identifier helped users realise what had happened
- The grouping feature received a positive response from all testing users:
  - Grouping is a good way to deal with duplicated findings from multiple scanners
  - The interaction is easy to use: the majority noticed the "arrow icon" to expand a group
  - Manual grouping was understood by most people
- Auto-grouping was preferred over manual grouping by all users:
  - Every user's motivation to use this feature is to save time
  - All users tended to trust the bot after trying it out or understanding how it works
  - Some users would like to understand/edit the bot
Design decision - steps break down
- Step 1.1 (#210327 (closed)): Add the following info to the list view: line of code, scanner name and identifier. This is the minimum step to help users understand the situation
- Step 1.2 (#210327 (closed)): Update filters
- Step 2 (#210333 (closed)): Enable the grouping feature without suggestions; suggestions are delivered as a separate step
- Step 3 (#210357 (closed)): Auto-grouping, with an introduction to the feature
- Step 4 (#210360 (closed)): Docs explaining how the bot (auto-grouping) works
- Step 5 (#210361 (closed)): Enable/disable auto-grouping
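The research above found that line of code, scanner name and identifier are the cues users rely on to recognise the same detection coming from several scanners. As an added illustration of what a grouping step could key on, and not GitLab's own implementation (the actual auto-grouping logic is not described in this issue), the following example groups findings from different scanners that share a normalized identifier at the same file and line. The report shape, identifier types and severity ranking are assumptions, and the findings are constructed sample data.

```python
from collections import defaultdict

# Assumed severity ordering for sorting groups the way the list view sorts findings.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1, "Unknown": 0}
# Assumption: only identifier types that more than one scanner can emit are used for
# matching; scanner-private ids (e.g. a bandit test id) never match across scanners.
SHARED_IDENTIFIER_TYPES = {"cwe", "cve", "osvdb", "wasc"}

# Constructed sample findings in a simplified, report-like shape (not a real GitLab report).
FINDINGS = [
    {"id": "f1", "scanner": "gitlab-sast", "severity": "High",
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "value": "89"},
                     {"type": "bandit_test_id", "value": "B608"}]},
    {"id": "f2", "scanner": "partner-sast", "severity": "Critical",
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "CWE", "value": "CWE-89"}]},
    {"id": "f3", "scanner": "partner-sast", "severity": "Medium",
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "value": "79"}]},
    {"id": "f4", "scanner": "gitlab-sast", "severity": "Low",
     "location": {"file": "app/util.py", "start_line": 10},
     "identifiers": [{"type": "cwe", "value": "89"}]},
]


def normalize_identifier(ident):
    """Canonical (type, value) so 'CWE-89' from one scanner matches '89' from another."""
    t = ident["type"].strip().lower()
    v = ident["value"].strip().upper()
    if t == "cwe" and v.startswith("CWE-"):
        v = v[len("CWE-"):]
    return t, v


def grouping_keys(finding):
    """Every (identifier type, identifier value, file, line) key a finding can be grouped under."""
    loc = (finding["location"]["file"], finding["location"]["start_line"])
    keys = set()
    for ident in finding["identifiers"]:
        t, v = normalize_identifier(ident)
        if t in SHARED_IDENTIFIER_TYPES:
            keys.add((t, v) + loc)
    return keys


def group_findings(findings):
    """Union-find over findings: any two findings sharing a key end up in the same group,
    so a finding with several shared identifiers can bridge otherwise separate matches."""
    parent = {f["id"]: f["id"] for f in findings}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for f in findings:
        for key in grouping_keys(f):
            if key in first_seen:
                union(first_seen[key], f["id"])
            else:
                first_seen[key] = f["id"]

    by_root = defaultdict(list)
    for f in findings:
        by_root[find(f["id"])].append(f)

    groups = []
    for members in by_root.values():
        # Every key carries the location, so all members of a group share one file:line.
        loc = members[0]["location"]
        groups.append({
            "members": [m["id"] for m in members],
            "scanners": sorted({m["scanner"] for m in members}),
            "severity": max((m["severity"] for m in members),
                            key=lambda s: SEVERITY_RANK.get(s, 0)),
            "location": f"{loc['file']}:{loc['start_line']}",
        })
    # Same ordering as the list view: the most severe group first.
    groups.sort(key=lambda g: SEVERITY_RANK.get(g["severity"], 0), reverse=True)
    return groups


if __name__ == "__main__":
    for g in group_findings(FINDINGS):
        print(g["severity"], g["location"], g["scanners"], g["members"])
```

On the sample data the two CWE-89 findings at app/db.py:42 collapse into one Critical group reported by both scanners, while the CWE-79 finding at the same line and the CWE-89 finding at a different line stay separate. Keying on location as well as identifier is what stops two unrelated SQL-injection findings in different files from being merged.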
Future iterations
- Pre-select similar vulnerabilities the first time GitLab detects similar vulnerabilities after the user enables 3rd-party scans
- Give the user the option to group them
- Give the user the option to ungroup them
Permissions and Security
Documentation
This new functionality will need updated documentation, including screenshots. Be sure to call out new behaviors.