Vulnerability List enhancements step 2: Manually group multiple vulnerabilities into one
Background
As we add more 3rd-party security scanners as official integration partners, it will become more difficult for users to determine at a glance which scanner a detection came from. Additionally, once First Class Vulnerabilities is released, scan results will persist across runs. This opens the potential for mixing results of the same type (e.g. DAST) from both the GitLab-provided scanners and one or more 3rd parties. We need a clean, clear way to let users easily manage the case where multiple scanners make the same detection.
We have done a research issue to provide insights into the proposed solution.
After that, the solution has been broken down into several steps/issues:
- Step 1.1 (#210327 (closed)): Add the following info to the list view: line of code, scanner name and identifier. This is a minimal step to help users understand the situation
- Step 1.2 (#210327 (closed)): Update filters
- Step 2 (#210333 (closed)): Enable the group feature without suggestions. Suggested grouping is provided in separate steps
- Step 3 (#210357 (closed)): Auto-grouping, with an introduction to the feature
- Step 4 (#210360 (closed)): Docs to explain how the bot (auto-grouping) works
- Step 5 (#210361 (closed)): Enable/disable auto-grouping
Problem statements
For various reasons (for example, different scanners finding the same vulnerability, or others), the user may want to triage several vulnerabilities together: view their details together, create one issue for them, and dismiss them together.
Design solutions:

List view:

| | Select more than one finding | After clicking the group button | Expand grouped ones |
|---|---|---|---|
| Design | (image not available) | (image not available) | (image not available) |
| Specs Link | | | |

Detail view (todo):

| | Group because of duplications | Group because of triage together or others |
|---|---|---|
| Design | (image not available) | (image not available) |
| Specs Link | | |

Prototyping (todo):