Design: Edit a manually created vulnerability
Problem to solve
Users can manually create vulnerability records directly via the API or by entering the information into a form in GitLab. However, there is not yet a way to edit or update this information. Because vulnerability records cannot be deleted, only marked as resolved, correcting any information in such a record is very cumbersome: the user has no choice but to start over and create a new record. We will remedy this limitation by adding the ability to edit vulnerability records that were user-created.
Proposal
Provide users with a way to edit a vulnerability and understand the changes between versions.
User experience
Editing a vulnerability
When a user clicks the edit button, they will be taken to the same page used to submit the vulnerability, populated with the vulnerability details and metadata.
Display activity history
Activity history to display in the vulnerability details page when a manually created vulnerability has been edited:
Use case: changing field:values
When a user changes a field's value to another value while editing a manually created vulnerability and saves their changes.
Fields: Detection Method, Severity, Identifier
- String: <user> changed [field] from [value] to [value] • timestamp
- Example: Michael Scott @greatscott changed severity from high to critical • 2 days ago
- Example: Michael Scott @greatscott changed detection method from code review to external report • 2 days ago
- Example: Michael Scott @greatscott changed identifier from CWE-123 to CWE-321 • 2 days ago
Use case: changing markdown data
When a user changes a markdown field while editing a manually created vulnerability and saves their changes.
Fields: Name, Description, Solution. (Evidence of type markdown is excluded from the MVC.)
- String: <user> changed the [field] • timestamp • [compare with previous version](link)
- Example: Michael Scott @greatscott changed the name • 2 days ago • compare with previous version
- Example: Michael Scott @greatscott changed the description • 2 days ago • compare with previous version
- Example: Michael Scott @greatscott changed the solution • 2 days ago • compare with previous version
Use case: adding/removing field:data
When a user adds/removes a [field] [value] while editing a manually created vulnerability and saves their changes.
Fields: Identifiers, Evidence (excluding type=markdown)
- String: Added [field] [value] • timestamp
- Example: Michael Scott @greatscott added identifier CWE-123 • 2 days ago
- String: Removed [key:value] • timestamp
- Example: Michael Scott @greatscott removed identifier CWE-123 • 2 days ago
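The three use cases above describe one activity-history rule set: scalar fields render as "changed X from A to B", markdown fields render as "changed the X" with a link to a version compare, and list fields render as added/removed entries. The following Ruby is an added example written for this page, not GitLab's own code, that renders those strings from a record before and after an edit so the audit trail of a user-created vulnerability stays reviewable. The record shape (string-keyed hashes), the field keys, the sample values, the compare URL, and the choice to render a single removed-plus-added identifier as one "changed" line are all assumptions made here.

```ruby
# Added example (not GitLab's code): render the activity-history strings from the
# proposal above for a user-created vulnerability record edited by one user.
# Field keys, record shape and the compare URL are assumptions for illustration.

SCALAR_FIELDS   = %w[severity detection_method].freeze # "changed X from A to B"
MARKDOWN_FIELDS = %w[name description solution].freeze # "changed the X" + compare link
LIST_FIELDS     = %w[identifiers evidence].freeze      # "added/removed X V"

# Human-readable labels used in the activity strings.
LABELS = {
  'severity' => 'severity', 'detection_method' => 'detection method',
  'name' => 'name', 'description' => 'description', 'solution' => 'solution',
  'identifiers' => 'identifier', 'evidence' => 'evidence'
}.freeze

# Evidence entries of type markdown are out of scope for the MVC, so they never
# produce activity entries; every other list value is compared by its value.
def list_values(record, field)
  values = Array(record[field])
  values = values.reject { |v| v.is_a?(Hash) && v['type'] == 'markdown' } if field == 'evidence'
  values.map { |v| v.is_a?(Hash) ? v['value'] : v }
end

# Returns the activity lines for one edit as an array of strings.
def activity_entries(user, before, after, timestamp:, compare_url:)
  entries = []

  SCALAR_FIELDS.each do |field|
    old_v, new_v = before[field], after[field]
    next if old_v == new_v
    entries << "@#{user} changed #{LABELS[field]} from #{old_v} to #{new_v} • #{timestamp}"
  end

  MARKDOWN_FIELDS.each do |field|
    next if before[field] == after[field]
    # A markdown diff does not fit on one line; link to a version compare instead.
    entries << "@#{user} changed the #{LABELS[field]} • #{timestamp} • [compare with previous version](#{compare_url})"
  end

  LIST_FIELDS.each do |field|
    removed = list_values(before, field) - list_values(after, field)
    added   = list_values(after, field) - list_values(before, field)
    label = LABELS[field]
    if removed.size == 1 && added.size == 1
      # Assumption: one value swapped for another reads as a change, not remove + add.
      entries << "@#{user} changed #{label} from #{removed.first} to #{added.first} • #{timestamp}"
    else
      removed.each { |v| entries << "@#{user} removed #{label} #{v} • #{timestamp}" }
      added.each   { |v| entries << "@#{user} added #{label} #{v} • #{timestamp}" }
    end
  end

  entries
end

# Constructed sample records (not real vulnerability data).
BEFORE = {
  'severity' => 'high', 'detection_method' => 'code review',
  'name' => 'SQL injection in search', 'description' => 'Unescaped input.',
  'solution' => 'Use bound parameters.',
  'identifiers' => ['CWE-123'],
  'evidence' => [{ 'type' => 'url', 'value' => 'https://example.test/report' }]
}.freeze

AFTER = BEFORE.merge(
  'severity' => 'critical', 'detection_method' => 'external report',
  'description' => 'Unescaped input reaches the query builder.',
  'identifiers' => ['CWE-123', 'CWE-321'],
  'evidence' => [{ 'type' => 'markdown', 'value' => 'ignored for MVC' }]
).freeze

if $PROGRAM_NAME == __FILE__
  puts activity_entries('greatscott', BEFORE, AFTER,
                        timestamp: '2 days ago',
                        compare_url: '/-/security/vulnerabilities/1/versions/compare?from=1&to=2')
end
```

Running the file prints five lines for the constructed edit: two scalar changes, one description change with its compare link, one added identifier, and one removed evidence entry (the markdown evidence that replaced it is ignored, as the MVC scope requires). An unchanged record produces no entries, which is the property a reviewer of the history most relies on.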