Replace vulnerability findings list with vulnerabilities on the instance security dashboard
Problem to solve
The instance security dashboard currently displays a list of vulnerability findings. Vulnerabilities are a higher order concept that will allow users to better understand the state of a vulnerability and take action on it. This transition will also fix some confusing issues with the findings list (see issues linked below).
Additionally, the underlying data model for findings is complex and results in slow querying. The data model for vulnerabilities should improve the load time of the list.
Intended users
Proposal
Replace the vulnerability findings list with a list of vulnerabilities, using a new vulnerabilities field on the GraphQL QueryType that returns the vulnerabilities for all projects on the current user's instance security dashboard. The new field should accept any of the filters that already exist on the dashboard.
Remove the findings popup from the new list and link to the vulnerability's detail page.
GraphQL data structure
query {
  vulnerabilities(
    # argument values below name the expected input types, not literal values
    severities: [VulnerabilitiesSeverityEnum],
    confidences: [VulnerabilitiesConfidenceEnum],
    reportTypes: [VulnerabilitiesReportTypeEnum],
    projectIds: ["graphql-project-ID"]
  ) {
    nodes {
      id
      title
      description
      state # VulnerabilitiesStateEnum
      severity # VulnerabilitiesSeverityEnum
      reportType # VulnerabilitiesReportTypeEnum
      confidence # VulnerabilitiesConfidenceEnum
      vulnerabilityPath
      location
      project {
        ... # any fields for ProjectType
      }
    }
  }
}
Development plan
- backend: Complete #207437 (closed)
- backend: Add instance security dashboard vulnerabilities to QueryType !26348 (merged)
Permissions and Security
The vulnerabilities field should have the same permissions scheme as the instance security dashboard.
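An added example, not GitLab's code, modelling the permission rule above together with the dashboard filters from the proposal: results are limited to projects that are both on the user's dashboard and readable by that user, and a projectIds filter can only narrow that set. User names, project ids and the sample vulnerabilities are constructed.

```ruby
require 'set'

# Added example, not GitLab's code: models how the new `vulnerabilities`
# field should scope results to the current user's instance security dashboard.
Vulnerability = Struct.new(:id, :project_id, :severity, :confidence, :report_type, :state,
                           keyword_init: true)

# Constructed sample data; users and project ids are hypothetical.
DASHBOARD_PROJECTS = { 'alice' => Set[1, 2] }      # projects the user added to the dashboard
READABLE_PROJECTS  = { 'alice' => Set[1, 2, 3] }   # projects where the user may read vulnerabilities

VULNERABILITIES = [
  Vulnerability.new(id: 10, project_id: 1, severity: 'critical', confidence: 'high',
                    report_type: 'sast', state: 'detected'),
  Vulnerability.new(id: 11, project_id: 2, severity: 'high', confidence: 'medium',
                    report_type: 'dependency_scanning', state: 'confirmed'),
  # Readable but not on the dashboard: must never appear in dashboard results.
  Vulnerability.new(id: 12, project_id: 3, severity: 'critical', confidence: 'high',
                    report_type: 'sast', state: 'detected'),
  # Neither readable nor on the dashboard.
  Vulnerability.new(id: 13, project_id: 4, severity: 'low', confidence: 'low',
                    report_type: 'dast', state: 'detected')
].freeze

# The project scope is the intersection of dashboard membership and read permission.
# A projectIds filter may only narrow that scope, never widen it.
def dashboard_project_scope(user, project_ids = nil)
  scope = DASHBOARD_PROJECTS.fetch(user, Set[]) & READABLE_PROJECTS.fetch(user, Set[])
  project_ids ? scope & Set.new(project_ids) : scope
end

# Apply the same optional filters the dashboard already exposes.
def dashboard_vulnerabilities(user, severities: nil, confidences: nil, report_types: nil, project_ids: nil)
  scope = dashboard_project_scope(user, project_ids)
  VULNERABILITIES.select do |v|
    scope.include?(v.project_id) &&
      (severities.nil? || severities.include?(v.severity)) &&
      (confidences.nil? || confidences.include?(v.confidence)) &&
      (report_types.nil? || report_types.include?(v.report_type))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Requesting projects outside the dashboard (3 and 4) yields only dashboard projects 1 and 2.
  dashboard_vulnerabilities('alice', project_ids: [1, 2, 3, 4]).each do |v|
    puts "#{v.id} project=#{v.project_id} #{v.severity} #{v.report_type}"
  end
end
```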
Documentation
- Determine whether any screenshots or information in the instance security dashboard docs need to be updated.
What does success look like, and how can we measure that?
- No more timeouts from the instance dashboard vulnerability list feature
- EXPLAIN plan for the new endpoint shows significantly better performance
What is the type of buyer?
Links / references
1st class vulnerabilities: #13561 (closed)
Issues that will be fixed (for the instance dashboard):
#35569 (closed)
#35182 (closed)
#35847 (closed)