DESIGN: Support To-Dos in vulnerability details
Release notes
Problem to solve
You can @ mention a user in a comment on a vulnerability object and that user will be given a To-Do item, just as happens with an Issue, MR, etc. While the vulnerability mention shows up in the user's To-Do List, there is not currently a way to mark the To-Do as complete from the vulnerability details page. The user must instead mark it Done from the To-Do List page. This is inefficient and confusing, as all other To-Do items can be resolved on the referenced page.
User experience goal
I should be able to click on a vulnerability item in my To-Do list, be taken to that vulnerability's details, and see an option to mark the To-Do as done. The experience should be very similar to that with Issues, MRs, etc.
Proposal
Consider adding a Mark as Done button to the vulnerability details page. It may make sense to also add the corresponding Add a to do button so that I can also mark for myself vulnerabilities I want to follow up on.
Further details
What should the behavior be if @ mentioning someone from a finding in the MR or pipeline security tab? Do we take the user to the correct MR or pipeline security tab and automatically open the modal of the finding in which they were mentioned?
Since findings aren't permanent, we need to account for a To-Do reference outliving the referenced finding. We don't want users to end up with To-Do items that they can't remove. Having to manually remove them from their To-Do List in this case is acceptable.
Permissions and Security
Documentation
Update the relevant screenshots and text:
- https://docs.gitlab.com/ee/user/application_security/security_dashboard/index.html#vulnerability-report
- https://docs.gitlab.com/ee/user/application_security/vulnerabilities/
- https://docs.gitlab.com/ee/user/application_security/index.html