Vulnerability Report diff view between two branches or tags
Release notes
Problem to solve
Once users can switch to view a different branch or tag from the Vulnerability Report, they will have a more flexible picture of vulnerabilities at different points of a Project's development history. However, this only provides a fixed snapshot. It does not let a user easily compare the change in vulnerabilities between two branches or tags.
Intended users
User experience goal
The branch/tag diff capability should be distinct from the ability to switch the Vulnerability Report display from the default branch to another branch or tag. I can easily pick another branch or tag to compare to the branch or tag currently displayed.
The diff view clearly shows:
- vulnerabilities present in both branches/tags
- vulnerabilities present in one branch/tag but not the other
Proposal
This may not be as straightforward as leveraging some of our existing diff views such as in MR commits. The two branches/tags are being compared against one another, not against a target as in the MR diff view. This means, for instance, two feature branches (both with a parent of the default branch) could each introduce a distinct vulnerability. As the two feature branches do not have a source-target relationship, it would not make sense to show the vulnerabilities each being added in one branch and removed in the other. This would duplicate the vulnerabilities displayed and could be confusing to interpret.
Another challenge with our diff view is the use of red and green to communicate removed and added content, respectively. In a security context, red implies "risk" or "danger" whereas green implies "safe". Showing a vulnerability unique to one branch in green is very misleading because this is not a good or "safe" situation. The opposite is true if we used red to show the absence of a vulnerability between two branches.
Given the above, we need to carefully consider how best to communicate and display the vulnerability delta between two branches or tags. We should also consider if it makes sense to allow comparing branches to tags or if it is better to limit to branch-branch and tag-tag comparisons.
Whatever the decided approach, we need to offer an API to provide this diff/compare so users can automate vulnerability delta tracking.
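One way to model the symmetric comparison described above, as an added illustration that is not GitLab's code: findings are matched across refs by what and where they are, and the result is bucketed as "present in both" or "only in one ref" rather than added/removed. The `Finding` shape, the fingerprint rule and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    # Constructed shape for the example; not GitLab's security report schema.
    identifier: str   # scanner rule id or weakness id
    file: str
    line: int
    severity: str


def fingerprint(f: Finding) -> tuple:
    # Match findings across refs on what they are and where they are, not on
    # per-report ids or severity, so the same issue on two branches is
    # recognised as one finding rather than shown as added on one side and
    # removed on the other.
    return (f.identifier, f.file, f.line)


def compare_refs(ref_a: list, ref_b: list) -> dict:
    # Symmetric comparison: neither ref is a "target", so the buckets are
    # "present in both", "only in A" and "only in B" instead of added/removed.
    a = {fingerprint(f): f for f in ref_a}
    b = {fingerprint(f): f for f in ref_b}
    both = set(a) & set(b)
    return {
        "both": sorted((a[k] for k in both), key=fingerprint),
        "only_in_a": sorted((a[k] for k in set(a) - both), key=fingerprint),
        "only_in_b": sorted((b[k] for k in set(b) - both), key=fingerprint),
    }


def summarize(result: dict) -> dict:
    # Neutral counts for a UI or API response: no colour or add/remove framing.
    return {bucket: len(findings) for bucket, findings in result.items()}


# Constructed sample: two feature branches off the same default branch, each
# introducing one distinct finding on top of one inherited from the parent.
SHARED = Finding("CWE-89", "app/db.py", 42, "High")
FEATURE_A = [SHARED, Finding("CWE-79", "app/views.py", 17, "Medium")]
FEATURE_B = [SHARED, Finding("CWE-22", "app/files.py", 88, "High")]

if __name__ == "__main__":
    for bucket, findings in compare_refs(FEATURE_A, FEATURE_B).items():
        print(bucket, [f.identifier for f in findings])
```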