Replace vulnerability findings list with vulnerabilities on the group security dashboard
Problem to solve
The group security dashboard currently displays a list of vulnerability findings. Vulnerabilities are a higher-order concept that will allow users to better understand the state of a vulnerability and take action on it. This transition will also fix some confusing issues with the findings list (see the issues linked below).
Additionally, the underlying data model for findings is complex and results in slow querying. The data model for vulnerabilities should improve the load time of the list.
Intended users
Proposal
Replace the vulnerability findings list with a list of vulnerabilities, using a new vulnerabilities field on the GraphQL GroupType that returns the vulnerabilities for all projects in a group. The new field should accept any of the filters that already exist on the dashboard.
Remove the findings popup from the new list and link to the vulnerability's detail page.
GraphQL data structure
query {
  group(fullPath: "my-group") {
    vulnerabilities(
      severities: [VulnerabilitySeverityEnum],
      confidences: [VulnerabilityConfidenceEnum],
      reportTypes: [VulnerabilityReportTypeEnum],
      projectIds: ["graphql-project-ID"]
    ) {
      nodes {
        id
        title
        description
        state # VulnerabilitiesStateEnum
        severity # VulnerabilitiesSeverityEnum
        reportType # VulnerabilitiesReportTypeEnum
        confidence # VulnerabilitiesConfidenceEnum
        vulnerabilityPath
        location
        project {
          ... # any ProjectType fields
        }
      }
    }
  }
}
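The following script is an added example and is not code from this issue or from GitLab. It shows how a client would consume the proposed field: the dashboard filters are passed as GraphQL variables rather than inline literals, the connection is walked page by page, and the results are counted per project and severity so a group owner can see where the open risk sits. It assumes the argument names sketched in the proposal (severities, reportTypes, projectIds), cursor pagination with pageInfo/endCursor as on other GitLab GraphQL connections, a token in the GITLAB_TOKEN environment variable, and placeholder enum values and endpoint URL; the released schema may name these differently, so check it before relying on them. The embedded sample response is constructed.

```python
"""Fetch a group's vulnerabilities through the proposed Group.vulnerabilities
field and count them per project and severity.

Added example, not part of the issue or of GitLab. Argument names follow the
proposal; enum values, the endpoint URL and the sample response are placeholders.
"""
import json
import os
import urllib.request
from collections import Counter

# Variables instead of inline literals: one query document serves every
# combination of dashboard filters, and unset filters are simply omitted.
# Enum type names follow the proposal; the released schema may differ.
GROUP_VULNERABILITIES_QUERY = """
query GroupVulnerabilities($fullPath: ID!, $severities: [VulnerabilitySeverityEnum!],
                           $reportTypes: [VulnerabilityReportTypeEnum!],
                           $projectIds: [ID!], $after: String) {
  group(fullPath: $fullPath) {
    vulnerabilities(severities: $severities, reportTypes: $reportTypes,
                    projectIds: $projectIds, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes {
        id title state severity reportType vulnerabilityPath
        project { fullPath }
      }
    }
  }
}
"""


def build_request(group_path, severities=None, report_types=None,
                  project_ids=None, after=None):
    """Return the JSON body for one page of the query; only set filters are sent."""
    variables = {"fullPath": group_path}
    if severities:
        variables["severities"] = severities
    if report_types:
        variables["reportTypes"] = report_types
    if project_ids:
        variables["projectIds"] = project_ids
    if after:
        variables["after"] = after
    return {"query": GROUP_VULNERABILITIES_QUERY, "variables": variables}


def parse_page(response):
    """Return (nodes, next_cursor) for one response; next_cursor is None on the last page.

    A group the token cannot see resolves to null instead of raising a GraphQL
    error, so that case is surfaced explicitly rather than read as "no results".
    """
    if response.get("errors"):
        raise RuntimeError(response["errors"])
    group = response["data"]["group"]
    if group is None:
        raise PermissionError("group not found or not visible to this token")
    connection = group["vulnerabilities"]
    page_info = connection["pageInfo"]
    next_cursor = page_info["endCursor"] if page_info["hasNextPage"] else None
    return connection["nodes"], next_cursor


def summarise(nodes):
    """Count vulnerabilities per (project fullPath, severity)."""
    return Counter((n["project"]["fullPath"], n["severity"]) for n in nodes)


def fetch_all(endpoint, token, group_path, **filters):
    """Walk every page of the connection and return all nodes (live network call)."""
    nodes, cursor = [], None
    while True:
        body = json.dumps(build_request(group_path, after=cursor, **filters)).encode()
        req = urllib.request.Request(
            endpoint, data=body,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page_nodes, cursor = parse_page(json.load(resp))
        nodes.extend(page_nodes)
        if cursor is None:
            return nodes


# Constructed sample response, shaped like the proposed field's output.
SAMPLE_RESPONSE = {"data": {"group": {"vulnerabilities": {
    "pageInfo": {"hasNextPage": True, "endCursor": "Y3Vyc29yOjI="},
    "nodes": [
        {"id": "gid://gitlab/Vulnerability/1", "title": "SQL injection in search",
         "state": "DETECTED", "severity": "CRITICAL", "reportType": "SAST",
         "vulnerabilityPath": "/my-group/app/-/security/vulnerabilities/1",
         "project": {"fullPath": "my-group/app"}},
        {"id": "gid://gitlab/Vulnerability/2", "title": "Outdated dependency",
         "state": "CONFIRMED", "severity": "HIGH", "reportType": "DEPENDENCY_SCANNING",
         "vulnerabilityPath": "/my-group/app/-/security/vulnerabilities/2",
         "project": {"fullPath": "my-group/app"}},
        {"id": "gid://gitlab/Vulnerability/3", "title": "Hard-coded secret",
         "state": "DETECTED", "severity": "CRITICAL", "reportType": "SECRET_DETECTION",
         "vulnerabilityPath": "/my-group/api/-/security/vulnerabilities/3",
         "project": {"fullPath": "my-group/api"}},
    ]}}}}

if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    if token:  # live run against a real instance (placeholder URL)
        nodes = fetch_all("https://gitlab.example.com/api/graphql", token,
                          "my-group", severities=["CRITICAL", "HIGH"])
    else:      # offline run over the constructed sample
        nodes, _ = parse_page(SAMPLE_RESPONSE)
    for (project, severity), count in sorted(summarise(nodes).items()):
        print(f"{project:20} {severity:10} {count}")
```

Without GITLAB_TOKEN set the script runs offline over the constructed sample; with it set it pages through the real connection. Because the proposal gives the field the dashboard's permission scheme, a token without access sees the group resolve to null, which parse_page reports as a PermissionError rather than silently returning an empty list; vulnerabilityPath is the link the new list uses instead of the findings popup.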
Development plan
- backend: Complete #207437 (closed)
- backend: Add vulnerabilities field to GroupType and filtering by project to VulnerabilitiesResolver !27944 (merged)
Permissions and Security
The vulnerabilities field should have the same permissions scheme as the group security dashboard.
Documentation
- Determine whether any screenshots or information in the group security dashboard docs need to be updated.
What does success look like, and how can we measure that?
- No more timeouts from the group dashboard vulnerability list feature
- EXPLAIN plan for the new endpoint shows significantly better performance
What is the type of buyer?
Links / references
1st class vulnerabilities: #13561 (closed)
Issues that will be fixed (for the group dashboard):
#35569 (closed)
#35182 (closed)
#35847 (closed)