New Vulnerability Trends chart
Release notes
Basic vulnerability trend visualizations have long been available on Group Security Dashboards and the Instance Security Center. However, the Project Security Dashboard lacked them, making it difficult to quickly understand project-level trends in the number and severity of vulnerabilities over time.
Our new vulnerability trends chart provides this visibility at the project level. It is also more capable than the existing Group and Instance Security Center visualizations because it is interactive: toggle individual severity trend lines on or off with a single click to show only the data you want, and adjust the timeframe to display up to a year of data. The chart is dynamic, so it updates immediately to reflect your changes.
With the addition of this chart, the single-page Project Security Dashboard is now split into dedicated pages for visualizations and for the vulnerability list, mirroring the Group and Instance Security Center layouts. The new Vulnerability Report page contains all functionality previously found on the Project Security Dashboard. The Security Dashboard page remains and now contains the vulnerability trends chart. Separating these features gives us a dedicated space to grow project-level security metrics and visualizations in the future.
Documentation: https://docs.gitlab.com/ee/user/application_security/security_dashboard/#project-security-dashboard
Image: vulnerability-trends
Overview
Create new metrics widgets showing vulnerabilities by severity over time (see mocks)
- Default to showing the Critical, High, and Medium vulnerability data series; Low and Unknown remain available, but the user must click the legend to toggle their visibility on
- Restrict the maximum time scale to a length that avoids performance problems. If there are no performance concerns, leave it unbounded or start at the first vulnerability's detected date; otherwise, one year is the preferred upper bound.
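The two requirements above (default-visible severities and a bounded time window) can be expressed as a small data-shaping step that turns vulnerability records into per-severity daily series. The following is an added example written for this page, not GitLab's own frontend code or its GraphQL API; it assumes records carry a `severity`, a `detectedAt` timestamp and an optional `resolvedAt` timestamp, and it emits the `{ name, visible, data }` shape a line chart component could consume. All names and the sample records are constructed for illustration.

```javascript
// Added example (not GitLab's code): build per-severity daily trend series for a
// vulnerability trends chart. Assumed record shape: { severity, detectedAt, resolvedAt? }.

const SEVERITIES = ['critical', 'high', 'medium', 'low', 'unknown'];
// Series that are on by default; Low and Unknown must be toggled on by the user.
const DEFAULT_VISIBLE = new Set(['critical', 'high', 'medium']);
// Upper bound on the displayed time range (one year), so the query stays bounded.
const MAX_DAYS = 365;
const DAY_MS = 24 * 60 * 60 * 1000;

// Truncate a date or ISO string to 00:00 UTC of its day, as epoch milliseconds.
function startOfUtcDay(date) {
  const d = new Date(date);
  return Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate());
}

function isoDate(ms) {
  return new Date(ms).toISOString().slice(0, 10);
}

// Count the vulnerabilities open on each day of the window, grouped by severity.
// A vulnerability is open on a day if it was detected on or before that day and
// not yet resolved at the start of that day. `days` is clamped to MAX_DAYS.
function buildTrendSeries(vulnerabilities, { endDate = Date.now(), days = MAX_DAYS } = {}) {
  const span = Math.min(Math.max(Math.floor(days), 1), MAX_DAYS);
  const end = startOfUtcDay(endDate);
  const start = end - (span - 1) * DAY_MS;

  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, new Array(span).fill(0)]));

  for (const v of vulnerabilities) {
    // Anything outside the known severities is reported under "unknown".
    const severity = SEVERITIES.includes(v.severity) ? v.severity : 'unknown';
    const detected = startOfUtcDay(v.detectedAt);
    const resolved = v.resolvedAt ? startOfUtcDay(v.resolvedAt) : Infinity;
    // Clip the half-open interval [detected, resolved) to the chart window.
    const first = Math.max(detected, start);
    const last = Math.min(resolved - DAY_MS, end);
    for (let t = first; t <= last; t += DAY_MS) {
      counts[severity][(t - start) / DAY_MS] += 1;
    }
  }

  return SEVERITIES.map((severity) => ({
    name: severity,
    visible: DEFAULT_VISIBLE.has(severity),
    data: counts[severity].map((count, i) => [isoDate(start + i * DAY_MS), count]),
  }));
}

// Constructed sample records (not real data).
const SAMPLE_VULNERABILITIES = [
  { severity: 'critical', detectedAt: '2024-03-01T10:00:00Z' },
  { severity: 'high', detectedAt: '2024-03-02T00:00:00Z', resolvedAt: '2024-03-04T00:00:00Z' },
  { severity: 'low', detectedAt: '2024-02-01T00:00:00Z' },
  { severity: 'bogus', detectedAt: '2024-03-03T00:00:00Z' },
];

const series = buildTrendSeries(SAMPLE_VULNERABILITIES, { endDate: '2024-03-05T23:59:59Z', days: 5 });
for (const s of series) {
  console.log(s.name, s.visible ? 'on ' : 'off', s.data.map(([, c]) => c).join(' '));
}
```

Pre-computing the series this way keeps the zoom and scroll interaction purely client-side: the bounded window is fetched once, and narrowing the visible range or toggling a legend entry never triggers another query.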
Documentation
A new section on the vulnerabilities over time chart is needed. Be sure to call out that this chart is dynamic:
- Clicking a data series in the legend toggles its visibility on or off
- Using the zoom and scroll feature, you can adjust the time period displayed
- Call out the upper bound, once determined, on how far back in time the chart can display
Implementation Plan
- First we need to make sure that the Vulnerability Report page is complete.
- Then we can replace the current project security dashboard and include this chart. Here I'm going to quote @andyvolpe:
For the project security dashboard, we can leverage the line chart with toolbox and include the zoom and scroll as well to save us from having to implement a separate time filtering mechanism.