Group-level Exportable Security Reports MVC
Problem to solve
Users are unable to effectively share the results of our security reports outside GitLab. They need to provide these reports to their managers, compliance teams, and sometimes their clients. They need a human readable format that can be printed or sent via email.
A related problem is that the Group Security Dashboard currently has no page title. This can cause confusion about which of our many security-focused screens you are on, as many look similar.
Intended users
Proposal
To address the lack of page title, this dashboard should now say "Group Security Dashboard" as shown in the mockups.
NOTE: This should be built on top of the new standalone vulnerability object model.
For an MVC, we will add functionality enabling the user to download a Group's security report in a CSV format. This includes:
- A button to download the report from the Group-level Security Dashboard
- A dismissible popover, shown on first view only and pointed at the download button, that calls attention to the new functionality and links to the feedback issue (it does not reappear once dismissed)
- The generated CSV file is dynamically named so that it is easily recognizable and distinguishable from other reports, e.g. "group-name_2020-01-01T14:05.csv". Note that ":" is not a valid filename character on Windows, so the timestamp portion should avoid it (e.g. "2020-01-01T1405"), and the group name should be reduced to a safe character set before it is used in the filename.
- The contents of the CSV file contain vulnerabilities for all Projects in the selected group
Suggested CSV headers: This is not all of the data available in the JSON security reports (and not all of it comes from the security reports), but it should be the relevant information for such a downloadable report. The first part is the suggested header field name; the item in parentheses is the key in the JSON report schema from which to pull the data:
- Project name (not from JSON; the project the vulnerability belongs to)
- Scanner Type ("category")
- Scanner Name ("scanner": {"name"})
- Vulnerability ("name")
- Details ("description")
- Additional Info ("message")
- Severity ("severity")
- CVE ("cve")
- Status (not from JSON; this is the vulnerability state, e.g. 'Confirmed', 'Dismissed', etc.)

Several of these columns ("name", "description", "message") are free text produced by scanners, and the report is explicitly meant to be opened by people outside GitLab, typically in a spreadsheet application. Cells that begin with "=", "+", "-" or "@" are interpreted as formulas by Excel and LibreOffice, so the exporter must neutralize such values (for example by prefixing them with a single quote) rather than writing scanner output verbatim.
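The following is an added illustration, not GitLab's implementation, of how the export described above could be assembled: mapping the suggested headers to the JSON report keys, neutralizing cells that a spreadsheet would treat as formulas, and building the timestamped filename. The helper names (`build_csv`, `row_for`, `neutralize_cell`, `report_filename`) and the sample findings are assumptions constructed for the example; the CVE identifier in the sample data is a placeholder, not a real entry.

```ruby
require 'csv'
require 'time'

# Column order for the export, matching the suggested headers above.
CSV_HEADERS = [
  'Project name', 'Scanner Type', 'Scanner Name', 'Vulnerability',
  'Details', 'Additional Info', 'Severity', 'CVE', 'Status'
].freeze

# Spreadsheet applications evaluate a cell beginning with one of these
# characters as a formula; a leading tab or CR can also confuse importers.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# Force a cell to be read as text by prefixing a single quote when it
# starts with a formula trigger. Empty and safe values pass through.
def neutralize_cell(value)
  s = value.to_s
  return s if s.empty?
  FORMULA_TRIGGERS.include?(s[0]) ? "'" + s : s
end

# Build one CSV row. `finding` is a parsed JSON finding from a security
# report; `project_name` and `state` come from the vulnerability record
# (they are not part of the JSON report).
def row_for(project_name, finding, state)
  [
    project_name,
    finding['category'],
    finding.dig('scanner', 'name'),
    finding['name'],
    finding['description'],
    finding['message'],
    finding['severity'],
    finding['cve'],
    state
  ].map { |v| neutralize_cell(v) }
end

# Render the whole report as a CSV string. Each element of
# `vulnerabilities` is a hash with :project_name, :finding and :state.
def build_csv(vulnerabilities)
  CSV.generate do |csv|
    csv << CSV_HEADERS
    vulnerabilities.each do |v|
      csv << row_for(v[:project_name], v[:finding], v[:state])
    end
  end
end

# Build "<group>_<UTC timestamp>.csv". The group name is reduced to
# [a-z0-9-] so it cannot carry path separators, and the timestamp omits
# ':' so the file name is valid on Windows as well.
def report_filename(group_name, time)
  safe = group_name.downcase.gsub(/[^a-z0-9]+/, '-').gsub(/\A-|-\z/, '')
  "#{safe}_#{time.getutc.strftime('%Y-%m-%dT%H%M')}.csv"
end

# Constructed sample input (hypothetical projects and findings). The second
# finding has a scanner-supplied name that would execute as a formula if
# written verbatim.
SAMPLE_VULNERABILITIES = [
  {
    project_name: 'web-app', state: 'Confirmed',
    finding: {
      'category' => 'dependency_scanning',
      'scanner' => { 'name' => 'Gemnasium' },
      'name' => 'Denial of service in a transitive dependency',
      'description' => 'Crafted input causes unbounded backtracking.',
      'message' => 'Upgrade to a patched release.',
      'severity' => 'High',
      'cve' => 'CVE-0000-0000'
    }
  },
  {
    project_name: 'api', state: 'Dismissed',
    finding: {
      'category' => 'sast',
      'scanner' => { 'name' => 'Brakeman' },
      'name' => '=HYPERLINK("http://evil.test","click")',
      'description' => 'Scanner output copied verbatim from a rule title.',
      'message' => nil,
      'severity' => 'Low',
      'cve' => nil
    }
  }
].freeze

if __FILE__ == $PROGRAM_NAME
  puts report_filename('My Group', Time.now)
  puts build_csv(SAMPLE_VULNERABILITIES)
end
```

Neutralizing on export rather than on ingest keeps the stored vulnerability data unchanged, so the dashboard and API still show the original scanner text; only the artifact handed to a spreadsheet user is altered.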
Testing
TBD
Documentation
Document the new functionality, being sure to clearly call out:
- This is currently for Group-level Security Dashboards only
- The report is a CSV containing the relevant data for ALL vulnerabilities present in the default branch of every project in the group; applying visual filters on the Security Dashboard does not yet filter the corresponding vulnerabilities out of the report.
- Helpful screenshots, as appropriate
Suggested location: update to existing https://docs.gitlab.com/ee/user/application_security/security_dashboard/#group-security-dashboard
What does success look like, and how can we measure that?
We have at least one customer that can take our report export and use it to satisfy a request from an internal team or one of their clients.