Add vulnerabilities counter to left menu
Proposal
Project vulnerabilities are only visible under the Security & Compliance -> Vulnerability Report left-menu entry. Unless users decide on their own to visit this page, nothing draws attention to the security posture of a project (reminder: we currently don't have any notification system). Project Maintainers have to set reminders to check these pages, which becomes tedious as the number of projects grows. Instead, there should be a summary in the left menu, so that users have an overview of the situation at a glance.
This could be achieved by bringing numbers to the left menu, like we already do for Issues and Merge Requests. This number should be configurable (Critical, Critical + High, ...) and should default to the number of Critical findings. Hovering over the badge would give more details, in a more condensed form than the full report.
This should really help everyone with access to Security & Compliance triage vulnerabilities.
Requirements
Group-level
- Group owners can configure the severity level(s) that are used to calculate and display the menu summary counts.
- Group-level configurations are applied to all child projects beneath the group, including those in sub-groups at any depth.
- Group-level counts default to showing Critical only if not otherwise set.
- A sub-group can be configured independently from its parent Group or any other ancestor Group, such that:
  - Sub-group configurations override any configuration set "above" them and are applied to all of the sub-group's child projects, including those in any further sub-groups at any depth.
  - Groups that contain an overriding sub-group configuration reflect the results of these differing configurations in their displayed counts (see next point).
- Group-level counts show a rollup of the configured counts of all child projects, including those in sub-groups at any depth. For instance, if a Group is configured to count only Critical but a few child projects have been separately configured to include High vulnerabilities in their respective counts, the Group count includes those additional High severity vulnerabilities in its total.
Project-level
- When a project's parent Group or other ancestor Group has set a non-default configuration, the project will inherit it and display counts based on the configured severity level.
- When no group-level configuration exists, project-level counts default to showing Critical if not otherwise set.
- Project owners can configure the severity level(s) that are used to calculate and display the menu summary counts.
- Configuring a project's severity levels will override any group-level configuration set above it.
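The inheritance, override and rollup rules above are easiest to check against a small model. The following is an added example written for this issue, not GitLab code: the Node struct, the function names and the sample "acme" tree are hypothetical, and the vulnerability lists are constructed data. A project's effective severity set is the nearest explicit configuration found walking up from the project; a group's badge is the sum of its descendant projects' badges, each computed with that project's own effective set, so a project-level override (db) and a sub-group override (infra) both show up in the root group's total.

```ruby
# Added example (not GitLab's code): model of the severity-configuration
# inheritance and group rollup rules from the Requirements section.

SEVERITIES = %w[critical high medium low info unknown].freeze
DEFAULT_SEVERITIES = %w[critical].freeze

# Hypothetical plain-Ruby node (a group or a project), not a GitLab model.
# `severities` is nil when the node has no explicit configuration.
# `vulnerabilities` is a list of severity strings (projects only).
Node = Struct.new(:name, :type, :parent, :severities, :vulnerabilities, keyword_init: true) do
  def project?
    type == :project
  end

  # Nearest explicit configuration on self or an ancestor; the built-in
  # default (Critical only) applies when nothing in the chain is set.
  def effective_severities
    node = self
    while node
      return node.severities if node.severities
      node = node.parent
    end
    DEFAULT_SEVERITIES
  end

  def descendant_of?(group)
    node = parent
    while node
      return true if node.equal?(group)
      node = node.parent
    end
    false
  end
end

# Reject configurations that name unknown severities, or none at all,
# before they are stored.
def validate_severities!(severities)
  unknown = severities - SEVERITIES
  raise ArgumentError, "unknown severities: #{unknown.join(', ')}" unless unknown.empty?
  raise ArgumentError, "at least one severity is required" if severities.empty?
  severities
end

# Project badge: vulnerabilities whose severity is in the effective set.
def project_badge_count(project)
  wanted = project.effective_severities
  project.vulnerabilities.count { |severity| wanted.include?(severity) }
end

# Group badge: rollup of every descendant project's badge, each computed
# with that project's own effective configuration (so overrides propagate up).
def group_badge_count(group, nodes)
  nodes.select { |n| n.project? && n.descendant_of?(group) }
       .sum { |project| project_badge_count(project) }
end

# Constructed sample tree (not real data):
#   acme (no config -> Critical)
#   |-- web        (inherits Critical)
#   |-- cli        (project override: Critical + High)
#   `-- infra      (sub-group override: Critical + High)
#       |-- terraform (inherits Critical + High from infra)
#       `-- db        (project override back to Critical only)
def sample_nodes
  acme  = Node.new(name: "acme", type: :group, parent: nil, severities: nil)
  web   = Node.new(name: "web", type: :project, parent: acme, severities: nil,
                   vulnerabilities: %w[critical critical high])
  cli   = Node.new(name: "cli", type: :project, parent: acme,
                   severities: validate_severities!(%w[critical high]),
                   vulnerabilities: %w[high low])
  infra = Node.new(name: "infra", type: :group, parent: acme,
                   severities: validate_severities!(%w[critical high]))
  tf    = Node.new(name: "terraform", type: :project, parent: infra, severities: nil,
                   vulnerabilities: %w[critical high high medium])
  db    = Node.new(name: "db", type: :project, parent: infra,
                   severities: validate_severities!(%w[critical]),
                   vulnerabilities: %w[critical high])
  [acme, web, cli, infra, tf, db]
end

# Badge counts for every node in the tree, keyed by node name.
def badge_counts(nodes = sample_nodes)
  nodes.to_h do |node|
    count = node.project? ? project_badge_count(node) : group_badge_count(node, nodes)
    [node.name, count]
  end
end

if __FILE__ == $PROGRAM_NAME
  badge_counts.each { |name, count| puts "#{name}: #{count}" }
end
```

With the sample tree, web shows 2, cli 1, terraform 3, db 1; infra rolls up to 4 and acme to 7, which is the behaviour the rollup requirement asks for: the root group is still configured for Critical only, yet its total includes the High findings counted by its overriding descendants.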
Work breakdown
Implementing all of the above requirements will be a significant effort. So that we can take an iterative approach and not build more than we need before it is needed, here is a proposed sequence of how the work can be divided. Note that there may be smaller increments possible within each of these steps:
- Show count "badges" only for projects, counting only Critical vulnerabilities. Not configurable.
- Show count "badges" at the Group level that roll up the project counts for Critical only. Not configurable at the group or project level.
- Add group-level configuration for severities, which also implements downward inheritance to projects.
- Add configuration to projects that can override the configuration inherited from the group level; group-level counts reflect any project-level overrides.
/cc @andyvolpe following our last conversation /cc @matt_wilson @thiagocsf FYI