Display the filename on the Security Dashboard when showing the vulnerabilities
Problem to solve
As a security analyst, it currently takes too many clicks to find out from the Security Dashboard which file and line of code a vulnerability was found in. The dashboard shows the vulnerability and the location of the file within the project, but not the file name or the line number. To see those, the user has to click the vulnerability and open its details. When a security analyst is trying to communicate with a developer, it becomes very time consuming to identify the right vulnerability in the right file, since the same kind of vulnerability can be reported in several different files.
Intended users
Further details
Benefits
This will further reduce the communication time between the Security Analyst and the developer.
Proposal
Current state (as of 12.3):
As shown in the screenshot, there are multiple entries for Found Spring Endpoint. There is no way to differentiate between any of these. I may have created an issue for one of them, but not the other two. Since I cannot tell from the dashboard which exact file it is in, I do not know whether selecting it will be the right one, the one that the developer and the security analyst are having a conversation about. Having the full path to the file name and the line number on the dashboard will save me from having to click on each of those vulnerabilities to find that information out.
Future state (Purpose of this issue):
Modify the dashboard so that each SAST finding also displays the full file path and line number, and each DAST finding also displays the complete URL of the affected endpoint.
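To make the proposed row label concrete, the following is an added illustration written for this issue, not code from GitLab's dashboard. It builds the per-finding label (name plus path:line for SAST, name plus URL for DAST) from finding objects whose shape is only loosely modelled on the `location` objects in GitLab's SAST and DAST report JSON; the field names `file`, `start_line`, `hostname` and `path`, the sample findings and the helper names are assumptions of this example. It also shows, on constructed data mirroring the three identical "Found Spring Endpoint" rows described above, that the name alone is ambiguous while the proposed label is not.

```javascript
// Added illustration, not GitLab code. Builds the per-row label this issue
// proposes for the Security Dashboard: vulnerability name plus, for SAST,
// the full file path and line, and, for DAST, the complete URL.
// Finding objects are loosely modelled on the "location" objects of GitLab's
// SAST and DAST report JSON; the field names used here (file, start_line,
// hostname, path) are an assumption of this example.

function sastLocation(loc) {
  // The full path is required; the line number is optional because some
  // analyzers do not report one.
  if (!loc || !loc.file) return null;
  return Number.isInteger(loc.start_line) ? `${loc.file}:${loc.start_line}` : loc.file;
}

function dastLocation(loc) {
  // DAST findings are located by URL, not by file.
  if (!loc || !loc.hostname) return null;
  return `${loc.hostname}${loc.path || ''}`;
}

function findingLabel(finding) {
  const where = finding.category === 'dast'
    ? dastLocation(finding.location)
    : sastLocation(finding.location);
  // Fall back to today's (ambiguous) behaviour when no location is known.
  return where ? `${finding.name} (${where})` : finding.name;
}

// Constructed sample data: three "Found Spring Endpoint" hits in three
// different files, plus one DAST hit. Not taken from a real project.
const SAMPLE_FINDINGS = [
  { category: 'sast', name: 'Found Spring Endpoint',
    location: { file: 'src/main/java/com/example/UserController.java', start_line: 42 } },
  { category: 'sast', name: 'Found Spring Endpoint',
    location: { file: 'src/main/java/com/example/OrderController.java', start_line: 17 } },
  { category: 'sast', name: 'Found Spring Endpoint',
    location: { file: 'src/main/java/com/example/AdminController.java' } },
  { category: 'dast', name: 'X-Content-Type-Options header missing',
    location: { hostname: 'https://staging.example.test', path: '/api/v1/login' } },
];

// Values that occur more than once, i.e. rows a user cannot tell apart.
function duplicates(values) {
  const seen = new Map();
  for (const v of values) seen.set(v, (seen.get(v) || 0) + 1);
  return [...seen].filter(([, n]) => n > 1).map(([v]) => v);
}

function ambiguousNames(findings) {
  return duplicates(findings.map((f) => f.name));
}

function ambiguousLabels(findings) {
  return duplicates(findings.map(findingLabel));
}

console.log(ambiguousNames(SAMPLE_FINDINGS));  // [ 'Found Spring Endpoint' ]
console.log(ambiguousLabels(SAMPLE_FINDINGS)); // []
```

The fallback in `findingLabel` matters for the rollout: a finding without a reported line number should still show its path rather than collapsing back to the bare name, otherwise the three identical rows remain indistinguishable for exactly the analyzers that omit line information.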
Permissions and Security
UI, API.
Documentation
https://docs.gitlab.com/ee/user/application_security/security_dashboard must be updated to describe the additional file path, line number and URL columns.
Testing
No new risk is introduced: the file path, line number and URL are already visible on each vulnerability's details view, so this change only surfaces data the user can already reach one click later. Testing should validate that the additional data is displayed on the dashboard for both SAST entries (path and line number) and DAST entries (URL).
What does success look like, and how can we measure that?
Saving users multiple extra clicks when identifying vulnerabilities increases efficiency and makes communication between security analysts and developers more effective.
What is the type of buyer?
Ultimate Edition
