Replace vulnerability findings list with vulnerabilities on the project security dashboard

Problem to solve

The project security dashboard currently displays a list of vulnerability findings. Vulnerabilities are a higher-order concept that will let users better understand the state of a vulnerability and take action on it. This transition will also fix some confusing issues with the findings list (see the issues linked below).

Additionally, the underlying data model for findings is complex and results in slow querying. The data model for vulnerabilities should improve the load time of the list.

Intended users

Proposal

Replace the vulnerability findings list with a list of vulnerabilities, using data from a vulnerabilities field on ProjectType in our GraphQL API. That field should accept any of the filters that already exist on the dashboard.

Remove the findings popup from the new list and link to the vulnerability's detail page.

GraphQL data structure

query {
  project(fullPath: "my-user/my-project") {
    vulnerabilities(
      # the bracketed names are the expected list-of-enum argument types;
      # a real request passes a list of enum values in place of each name
      severities: [VulnerabilitySeverityEnum],
      confidences: [VulnerabilityConfidenceEnum],
      reportTypes: [VulnerabilityReportTypeEnum]
    ) {
      nodes {
        id
        title
        description
        state  # VulnerabilitiesStateEnum
        severity  # VulnerabilitiesSeverityEnum
        reportType  # VulnerabilitiesReportTypeEnum
        confidence  # VulnerabilitiesConfidenceEnum
        vulnerabilityPath
        location
      }
    }
  }
}
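As an added example (not code from this issue or from GitLab's own codebase), the snippet below shows how a dashboard client could map its existing filter state onto the arguments of the proposed vulnerabilities field, sending only the filters the user actually set and rejecting values outside the enums. The enum member names, the variable names and the sample response are assumptions for illustration.

```javascript
// Added example: build the GraphQL request for the proposed
// Project.vulnerabilities field from the dashboard's filter state.
// Enum member names below are assumptions, not GitLab's published API.
const ALLOWED = {
  severities: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO', 'UNKNOWN'],
  confidences: ['CONFIRMED', 'HIGH', 'MEDIUM', 'LOW', 'EXPERIMENTAL', 'UNKNOWN'],
  reportTypes: ['SAST', 'DAST', 'DEPENDENCY_SCANNING', 'CONTAINER_SCANNING'],
};

const VULNERABILITIES_QUERY = `
query projectVulnerabilities(
  $fullPath: ID!,
  $severities: [VulnerabilitySeverityEnum!],
  $confidences: [VulnerabilityConfidenceEnum!],
  $reportTypes: [VulnerabilityReportTypeEnum!]
) {
  project(fullPath: $fullPath) {
    vulnerabilities(severities: $severities, confidences: $confidences, reportTypes: $reportTypes) {
      nodes { id title description state severity reportType confidence vulnerabilityPath location }
    }
  }
}`;

// Return { query, variables }. Filters left empty on the dashboard are
// omitted so the server applies no constraint for them; an unknown value
// throws instead of silently widening or narrowing the result set.
function buildVulnerabilitiesRequest(fullPath, filters = {}) {
  const variables = { fullPath };
  for (const [name, allowed] of Object.entries(ALLOWED)) {
    const values = filters[name] || [];
    const bad = values.filter((v) => !allowed.includes(v));
    if (bad.length) throw new Error(`invalid ${name} filter: ${bad.join(', ')}`);
    if (values.length) variables[name] = values;
  }
  return { query: VULNERABILITIES_QUERY, variables };
}

// Count returned vulnerabilities per state, which the findings list could
// not do because findings carry no state of their own.
function countByState(response) {
  const nodes = response.data.project.vulnerabilities.nodes;
  return nodes.reduce((acc, n) => ({ ...acc, [n.state]: (acc[n.state] || 0) + 1 }), {});
}

// Constructed sample response in the shape the query above would return.
const SAMPLE_RESPONSE = { data: { project: { vulnerabilities: { nodes: [
  { id: 'gid://gitlab/Vulnerability/1', state: 'DETECTED', severity: 'HIGH' },
  { id: 'gid://gitlab/Vulnerability/2', state: 'DETECTED', severity: 'LOW' },
  { id: 'gid://gitlab/Vulnerability/3', state: 'DISMISSED', severity: 'HIGH' },
] } } } };
```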

Development plan

Permissions and Security

GraphQL should have the same permissions scheme as the project security dashboard.

Documentation

  • Determine whether any screenshots or information in the project security dashboard docs need to be updated.

What does success look like, and how can we measure that?

  • No more timeouts from the project dashboard vulnerability list feature
  • EXPLAIN plan for new endpoint shows significantly better performance

What is the type of buyer?

GitLab Ultimate

Links / references

1st class vulnerabilities: #13561 (closed)

Issues that will be fixed (for the project dashboard):
#35569 (closed)
#35182 (closed)
#35847 (closed)

Edited by Avielle Wolfe