Docs: Clarify that SAST converts native severities to Critical/High/etc.
Problem
A customer came across the Vulnerability severity levels page and understood it to mean that this is how severities would be reported in the Ultimate UI. This is partly because the page is tagged "Ultimate" (which implies that "this is the set of severities you'll see if you use Ultimate"), when in fact you'll see Critical/High/etc.
A separate customer encountered a handbook page with the same content and came to similar conclusions.
(See Slack for one relevant conversation.)
Possible solutions
Possible changes include one or more of the following:
- Remove the content entirely
- Clarify the semantics of the page
- Correct the "Ultimate" tag on the page, or clarify that users will see converted/standardized severities everywhere (in the report and in Vulnerability Management)
Problems solved in other issues
- Separately, the content appears out-of-date even for customers looking at SAST analyzer JSON reports, since we have severity for some analyzers that are marked as lacking severity in the table.
  - Updated analyzer-by-analyzer information in !78335 (merged)
- There is a handbook page with the same content
  - Removed duplicate handbook page in gitlab-com/www-gitlab-com!97341 (merged) and pointed to documentation
Edited by Connor Gilbert