Vulnerability List enhancements step 3: Auto-grouping vulnerabilities
Background
As we add more 3rd-party security scanners as official integration partners, it will become more difficult for users to determine at a glance which scanner a detection came from. Additionally, once First Class Vulnerabilities is released, scan results will persist across runs. This opens the potential for mixing results of the same type (e.g. DAST) from both the GitLab-provided scanners and one or more 3rd parties. We'll need a clean, clear way to let users easily manage potentially multiple scanners making the same detection.
We ran a research issue to provide insights into the proposed solution.
After that, the solution was broken down into several steps/issues:
- Step 1.1 (#210327 (closed)): Add the following info to the list view: line of code, scanner name and identifier. This is a minimum step to help users understand the situation.
- Step 1.2 (#210327 (closed)): Update filters.
- Step 2 (#210333 (closed)): Enable the grouping feature without suggestions. Suggested grouping would be provided in a separate step.
- Step 3 (#210357 (closed)): Auto-grouping with an introduction of the feature.
- Step 4 (#210360 (closed)): Docs to explain how the bot (auto-grouping) works.
- Step 5 (#210361 (closed)): Enable/disable auto-grouping.
Problem statement for issue one
When 3rd-party scanners are integrated and GitLab detects similar findings, we want to make it easier for users to triage them and save them time.
- How do we present the auto-grouping feature to users?
- How do we let users revert it if the auto-grouping doesn't match their wishes?
- How do we introduce the feature to the users?
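The questions above concern how a grouping produced by a bot can be shown, reverted and re-applied without fighting the user. The following is an added example, not GitLab's own implementation (the actual auto-grouping logic is documented in a separate step), written with assumed names (`Finding`, `auto_group`, `ungroup`, `group_summary`) and a constructed set of findings. It groups findings that sit at the same location and share at least one identifier, transitively via union-find, keeps a per-finding "ungrouped by user" override so a re-run of the bot does not silently undo the user's revert, and produces the scanner list the UI would show for each group:

```python
"""Hypothetical auto-grouping of findings reported by several scanners.

Added example; the names, the grouping rule and the sample data are
assumptions, not GitLab's implementation.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    uid: str                        # unique id of the report entry
    scanner: str                    # e.g. "gitlab-dast" or a 3rd-party name
    identifiers: Tuple[str, ...]    # e.g. ("CWE-79", "OWASP-A7")
    location: str                   # file path (SAST) or URL (DAST)
    line: int


# Constructed sample input: three scanners report the same XSS at one
# location; two scanners report different weaknesses at another location.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("f1", "gitlab-dast", ("CWE-79",), "app/views/search.html", 42),
    Finding("f2", "acme-dast", ("CWE-79", "OWASP-A7"), "app/views/search.html", 42),
    Finding("f3", "zap", ("OWASP-A7",), "app/views/search.html", 42),
    Finding("f4", "gitlab-sast", ("CWE-89",), "app/models/user.rb", 10),
    Finding("f5", "acme-sast", ("CWE-79",), "app/models/user.rb", 10),
]


def _same_detection(a: Finding, b: Finding) -> bool:
    """Assumed rule: same location and line, and at least one shared identifier."""
    return (a.location == b.location and a.line == b.line
            and bool(set(a.identifiers) & set(b.identifiers)))


def auto_group(findings: List[Finding],
               ungrouped: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Return groups of finding uids, sorted for deterministic display.

    Findings whose uid is in `ungrouped` were pulled out by the user and
    always get a singleton group, so re-running the bot respects the revert.
    Grouping is transitive: f1 and f3 share no identifier directly but are
    joined through f2.
    """
    parent: Dict[str, str] = {f.uid: f.uid for f in findings}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for i, a in enumerate(findings):
        if a.uid in ungrouped:
            continue
        for b in findings[i + 1:]:
            if b.uid in ungrouped:
                continue
            if _same_detection(a, b):
                parent[find(a.uid)] = find(b.uid)

    groups: Dict[str, List[str]] = {}
    for f in findings:
        groups.setdefault(find(f.uid), []).append(f.uid)
    return sorted(sorted(g) for g in groups.values())


def ungroup(ungrouped: FrozenSet[str], uid: str) -> FrozenSet[str]:
    """Record the user's revert for one finding (returns a new override set)."""
    return ungrouped | {uid}


def group_summary(findings: List[Finding], groups: List[List[str]]) -> List[dict]:
    """Per group: member uids, which scanners detected it, merged identifiers."""
    by_uid = {f.uid: f for f in findings}
    out = []
    for g in groups:
        members = [by_uid[u] for u in g]
        out.append({
            "members": g,
            "scanners": sorted({m.scanner for m in members}),
            "identifiers": sorted({i for m in members for i in m.identifiers}),
            "location": f"{members[0].location}:{members[0].line}",
        })
    return out


if __name__ == "__main__":
    groups = auto_group(SAMPLE_FINDINGS)
    for row in group_summary(SAMPLE_FINDINGS, groups):
        print(row)
    # The user decides f3 is a different issue; the bot must not re-merge it.
    overrides = ungroup(frozenset(), "f3")
    print(auto_group(SAMPLE_FINDINGS, overrides))
```

The point of the `ungrouped` override is the revert question: a bot that re-runs on every pipeline will otherwise re-create the grouping the user just undid. Keeping the override as data (here a set of uids) also makes the "disable auto-grouping" step trivial, since an empty pipeline result and a full override set produce the same ungrouped view.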
Solution
Still need to refine the design:
| | Intro of the feature | If users un-group | Feedback for ungrouping |
|---|---|---|---|
| Design | | | |
| Specs Link | | | |