DESIGN: Limit number of entries in security MR widget
Why are we doing this work
The data sent from the backend to the MR security widget is not paginated.
That means the server may try to serialize thousands of added or fixed vulnerabilities in one response, which can cause timeout errors.
We want to return only a limited number of added and fixed vulnerabilities, along with the total counts, so the widget can still say how many there are in all.
Proposal
- Show a limited range (1 => x) of vulnerabilities in the MR widget, ordered descending by severity.
- Leverage the pipeline report to display ALL vulnerabilities as a backstop for the limited range presented in the MR Widget.
Logic
- MR report displays <range_type>:{vulns 1 => x}
- Pipeline report displays the full_results_range:{vulns 1 => n}

Definitions:
- x = our predefined limit of vulns to display
- n = all vulns in the default_branch + all vulns in the feature_branch
- <range_type> = in the MR report, either:
  - default_range = all vulnerabilities [when vuln-check is not enabled]
  - user_defined_range = only vulnerabilities that violate the vuln-check rule [when vuln-check is enabled]
- <range_type> = in the Pipeline report only:
  - full_results_range = 1 => n

Behavior:
- Users can change range_type from default_range to user_defined_range in the MR by implementing a vuln-check rule, but the number of vulns displayed is still limited to x and displayed in severity order (Critical to Info).
- {vulns 1 => x} are displayed in severity order (Critical to Info) until x is met.
- {vulns 1 => n} are displayed in severity order (Critical to Info) with no limit (x = n).
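The Logic and Behavior above, as an added Ruby example. This is not GitLab's code or the implementation of this issue; Finding, mr_widget_payload, pipeline_report_payload and the rule shape { severities: [...] } are assumed names for illustration, and the sample findings are constructed. It shows the three points a reviewer would want to check: the ordering is Critical to Info and stable, the cut to x happens after the vuln-check filter, and the counts report the full (filtered) set rather than the x entries returned.

```ruby
# Added example (not GitLab's code): limited-range MR widget payload and
# full-results pipeline payload, following the Logic/Behavior in this issue.

SEVERITY_ORDER = %w[critical high medium low info unknown].freeze

Finding = Struct.new(:id, :severity, keyword_init: true)

# Rank for sorting: Critical first, Info last; severities not in the
# list sort after Info so they are never silently dropped from the cut.
def severity_rank(finding)
  SEVERITY_ORDER.index(finding.severity.to_s.downcase) || SEVERITY_ORDER.size
end

# Stable sort by severity (ties keep input order), then cut to `limit` (x).
# `limit: nil` means x = n, i.e. the pipeline report's full_results_range.
def ranged(findings, limit)
  sorted = findings.each_with_index.sort_by { |f, i| [severity_rank(f), i] }.map(&:first)
  limit ? sorted.first(limit) : sorted
end

# user_defined_range: keep only findings that violate the vuln-check rule.
# Assumed rule shape: { severities: %w[critical high] } (hypothetical).
def violates_rule?(finding, rule)
  rule[:severities].any? { |s| s.casecmp?(finding.severity.to_s) }
end

# MR widget: <range_type>:{vulns 1 => x}, plus totals so the client can
# say "showing x of n". The filter is applied before the cut, and the
# counts reflect the whole filtered set, not just the x entries returned.
def mr_widget_payload(added:, fixed:, limit:, vuln_check_rule: nil)
  range_type = vuln_check_rule ? :user_defined_range : :default_range
  if vuln_check_rule
    added = added.select { |f| violates_rule?(f, vuln_check_rule) }
    fixed = fixed.select { |f| violates_rule?(f, vuln_check_rule) }
  end
  {
    range_type: range_type,
    added: ranged(added, limit),
    fixed: ranged(fixed, limit),
    added_count: added.size,
    fixed_count: fixed.size
  }
end

# Pipeline report: full_results_range:{vulns 1 => n}, same order, no cut.
def pipeline_report_payload(added:, fixed:)
  all = ranged(added + fixed, nil)
  { range_type: :full_results_range, vulnerabilities: all, count: all.size }
end

# Constructed sample input for a stand-alone run.
ADDED = [
  Finding.new(id: 1, severity: "low"),
  Finding.new(id: 2, severity: "critical"),
  Finding.new(id: 3, severity: "medium"),
  Finding.new(id: 4, severity: "high"),
  Finding.new(id: 5, severity: "critical"),
  Finding.new(id: 6, severity: "info")
].freeze
FIXED = [
  Finding.new(id: 7, severity: "high"),
  Finding.new(id: 8, severity: "unknown")
].freeze

if __FILE__ == $PROGRAM_NAME
  p mr_widget_payload(added: ADDED, fixed: FIXED, limit: 3)
  p mr_widget_payload(added: ADDED, fixed: FIXED, limit: 3,
                      vuln_check_rule: { severities: %w[critical] })
  p pipeline_report_payload(added: ADDED, fixed: FIXED)
end
```

With limit 3 the default_range call returns added ids 2, 5, 4 with added_count 6; the user_defined_range call with a critical-only rule returns ids 2, 5 with added_count 2 and an empty fixed list; the pipeline payload returns all eight findings in severity order.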
Relevant links
- Originally reported in: #329436 (comment 661041324)
Non-functional requirements
- Documentation:
- Feature flag:
- Performance:
- Testing:
Implementation plan
Edited by Andy Volpe