DESIGN: Vulnerability comment enhancements
Problem to solve
Users should be able to have threaded discussions on GitLab Vulnerabilities. These discussions are integral to triage: confirming a true positive, or dismissing a vulnerability with supporting evidence. Currently, users have to create an issue from a vulnerability to get that functionality (commenting, labels, assignees), which has these limitations (from #415751):
- The discussion around triage and the approach to mitigating the vulnerability is invisible to someone viewing the vulnerability itself
- Strict naming or process rules are required to make it clear which linked issue is being used to track discussion of a vulnerability, triage, impact and possible mitigation and resolution
- Vulnerability tracking issues clutter GitLab planning tools and the engineering backlog, even when no engineering work is required for a given vulnerability
- Issues are well suited to modelling engineering work related to vulnerabilities, since that is their intended purpose; using them to manage the vulnerability itself, however, adds a level of organizational abstraction above that goal
User experience goal
Users should be able to collaborate within a vulnerability, and to justify a status change with media, rich text comments, and similar evidence attached to the vulnerability itself.
Proposal
MVC
Allow users to add rich text comments without changing the status of a vulnerability
- Implement commenting on Vulnerabilities
- Implement the ability to start a discussion from a comment
- Implement the ability to mention another user in a comment (sending the mentioned user an email and a To-Do)
- Allow users to have a threaded discussion (reply to comments) from a status change
- Fully formatted comments, attachments, etc. (same as in issues)
Post-MVC
- Labels
- Assignees
- Milestone and/or due date
- Notifications when vulnerabilities are opened and closed, in the same fashion as issues (via To-Dos or email)
- Issue creation from a vulnerability is shown as a system note on both the Vulnerability and the Issue
- Closing the linked issue is shown as a Vulnerability system note
- The vulnerability and its linked issue are cross-referenced, with a link shown on the issue and on the vulnerability