Security scanning results are misleading
Summary
When creating an MR on a branch that has security vulnerabilities, the widget says "scanner detected # new severity vulnerabilities". However, what it lists is the vulnerabilities currently present in the code base, not vulnerabilities newly introduced by the MR. This causes confusion because people think they introduced new vulnerabilities with their MR. We should remove the word "new" to reduce confusion.
The source file is ee/app/assets/javascripts/vue_shared/security_reports/grouped_security_reports_app.vue.
Problem to solve
With the change introduced in #221084 (closed), the merge request now shows a highly visible warning for security vulnerabilities. However, these can sometimes be incorrectly indicated as new even though the changed files could not have introduced them (e.g. a change to CSS or markdown). This creates confusion for maintainers and reviewers, who may believe that by merging a minor change they are introducing new security vulnerabilities. As it stands, what is really presented is a list of all findings currently present in the branch, whether or not the change was the source of introduction.
It is important that the merge widget only show clear and accurate information so that it can be trusted by authors, reviewers and maintainers. This has become worse in recent releases because of the new visual treatment which highlights vulnerabilities even more.
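To make the distinction concrete, the following is an added example (not code from grouped_security_reports_app.vue or any other GitLab component) that compares a target-branch report with the MR-branch report and separates findings the MR actually introduced from findings that were merely already present. The report shape, the field names (scanner, identifier, file, severity) and the fingerprint scheme are assumptions made for this illustration; real scanners emit their own fingerprints.

```javascript
// Added illustration, not code from GitLab's grouped_security_reports_app.vue:
// split the findings on an MR branch into those the MR introduced (absent on
// the target branch) and those that were already there. Report shape, field
// names and the fingerprint scheme are assumptions made for this example.

// Key a finding by scanner, rule/CWE identifier and file. Including the line
// number would make a finding look "new" and "fixed" whenever unrelated edits
// shift lines; real scanners emit their own stable fingerprints instead.
function fingerprint(finding) {
  return `${finding.scanner}:${finding.identifier}:${finding.file}`;
}

function indexByFingerprint(findings) {
  return new Map(findings.map((f) => [fingerprint(f), f]));
}

// Compare the target-branch report (base) with the MR-branch report (head).
//   added:    present on head only -> genuinely introduced by the MR
//   existing: present on both      -> pre-existing, not the MR's doing
//   fixed:    present on base only -> resolved by the MR
function classifyFindings(baseFindings, headFindings) {
  const base = indexByFingerprint(baseFindings);
  const head = indexByFingerprint(headFindings);
  const added = [];
  const existing = [];
  const fixed = [];
  for (const [key, finding] of head) {
    (base.has(key) ? existing : added).push(finding);
  }
  for (const [key, finding] of base) {
    if (!head.has(key)) fixed.push(finding);
  }
  return { added, existing, fixed };
}

// Count findings per severity, e.g. { critical: 1, high: 2 }.
function severityCounts(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

// Widget text: the word "new" is used only for findings absent from the
// target branch; everything else is reported as pre-existing.
function summaryLine(scanner, { added, existing, fixed }) {
  if (added.length === 0) {
    return `${scanner} detected no new vulnerabilities (${existing.length} pre-existing on the target branch)`;
  }
  const noun = added.length === 1 ? 'vulnerability' : 'vulnerabilities';
  const bySeverity = Object.entries(severityCounts(added))
    .map(([severity, n]) => `${n} ${severity}`)
    .join(', ');
  return `${scanner} detected ${added.length} new ${noun} (${bySeverity}); ${existing.length} pre-existing, ${fixed.length} fixed`;
}

// Constructed sample reports (not real scanner output).
const BASE_REPORT = [
  { scanner: 'sast', identifier: 'CWE-79', file: 'app/views/show.html', severity: 'high' },
  { scanner: 'sast', identifier: 'CWE-89', file: 'app/models/user.rb', severity: 'critical' },
];
// An MR that only edits a stylesheet: the same findings as the target branch.
const HEAD_REPORT_CSS_ONLY = [...BASE_REPORT];
// An MR that adds a finding in a new file and fixes the CWE-89 one.
const HEAD_REPORT_WITH_NEW = [
  BASE_REPORT[0],
  { scanner: 'sast', identifier: 'CWE-22', file: 'app/controllers/files.rb', severity: 'high' },
];

console.log(summaryLine('SAST', classifyFindings(BASE_REPORT, HEAD_REPORT_CSS_ONLY)));
console.log(summaryLine('SAST', classifyFindings(BASE_REPORT, HEAD_REPORT_WITH_NEW)));
```

For the CSS-only MR the summary reports no new vulnerabilities and two pre-existing ones, which is the message the current widget text fails to convey; only the second MR, which actually introduces a finding, earns the word "new". Note that any classification of this kind depends on a report for the target branch being available and on a stable fingerprint across both reports, which is where the data-quality concerns mentioned below come in.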
Further details
First reported in #217311 (closed)
Proposal
To address the immediate confusion, removing the word "new" that was introduced in the recent change will more accurately reflect that the branch contains vulnerabilities but did not necessarily introduce them. This will satisfy the core issue highlighted here.
There are other, related challenges with data quality and consistency that are not the specific problem here but do need to be addressed to improve the quality and trustworthiness of the security MR widget. These will be collected and tracked in a separate Epic.