
Allow providing dismissal reason & comment for vulnerability bulk updates

Release Notes

When selecting one or more vulnerabilities in the vulnerability report, it's possible to change their status in bulk. This functionality should be enhanced:

  • be able to provide a dismissal reason when choosing the dismiss status (similar to vulnerability detail page)
  • add a comment (this is required for the dismissed status)

Guard behind feature flag dismissal_reason.

[Screenshot: bulk-dismissal]

[Screenshot: design_1638990274727]

The screenshot above shows the comment field; the final design has one extra dropdown for the dismissal reason.

https://docs.gitlab.com/ee/user/application_security/vulnerability_report/#change-status-of-vulnerabilities

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag: dismissal_reason

Implementation steps

  • Switch from GlDropdown to GlListbox in selection_summary.vue
  • If the dismiss status is chosen, show a new GlListbox with dismissal reasons
  • After a status is selected (and, for the dismiss status, a dismissal reason), show a comment field
  • The status-change mutation should include the comment provided (and the dismissal reason when dismissing)

Verification steps

  1. Go to this verification project
  2. Select a couple of vulnerabilities
  3. Verify that the cancel button and the change status button are visible immediately (change status is disabled)
  4. Verify that clicking the cancel button hides the selection summary and deselects the vulns you had selected
  5. Select some vulns again
  6. For any status but dismiss:
    1. select that status
    2. verify that comment input form appears
    3. verify that change status button is enabled (comment is not required)
    4. add a comment and click change status
    5. go to the detail page of any of the vulns you updated and verify that there is a system note like `@<username> changed vulnerability status to <the-status> and the following comment: "<your-comment>" just now`
  7. For dismiss status:
    1. select dismiss status
    2. verify that dismissal reason listbox appears and change status is still disabled
    3. select a dismissal reason
    4. verify that change status is still disabled
    5. add a comment
    6. click change status
    7. go to the detail page of any of your dismissed vulns and verify that there is a system note like `@<username> changed vulnerability status to Dismissed: <the-reason> and the following comment: "<your-comment>" just now`
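The enable/disable rules in the implementation and verification steps above, as an added example that is not GitLab's `selection_summary.vue` or any other project code: pure functions a Vue component could call from its computed properties. Status values, the dismissal reason list, the mutation variable names and the exact wording of the system note are assumptions, not the project's schema, and the `dismissal_reason` feature flag is not modeled.

```javascript
// Added example, not GitLab's code. All enum values and field names are assumed.
const DISMISS = 'DISMISSED';
// Assumed status enum -> label shown in the system note.
const STATUS_LABELS = {
  DETECTED: 'Detected',
  CONFIRMED: 'Confirmed',
  RESOLVED: 'Resolved',
  DISMISSED: 'Dismissed',
};
// Constructed list of dismissal reasons; the real listbox would be fed from the API.
const DISMISSAL_REASONS = [
  'ACCEPTABLE_RISK', 'FALSE_POSITIVE', 'MITIGATING_CONTROL', 'USED_IN_TESTS', 'NOT_APPLICABLE',
];

// Form state as the selection summary would hold it: everything starts empty and is
// filled in by the status listbox, the reason listbox and the comment field.
function emptyState() {
  return { status: null, dismissalReason: null, comment: '' };
}

// The second listbox is only shown once the dismiss status has been chosen.
function showDismissalReasonListbox(state) {
  return state.status === DISMISS;
}

// The comment field appears after a status is picked; for dismiss, only after the reason too.
function showCommentField(state) {
  if (!state.status) return false;
  if (state.status === DISMISS) return DISMISSAL_REASONS.includes(state.dismissalReason);
  return true;
}

// "Change status" button rule: any non-dismiss status is enough on its own (comment
// optional); dismiss needs both a known reason and a non-blank comment.
function canChangeStatus(state) {
  if (!Object.keys(STATUS_LABELS).includes(state.status)) return false;
  if (state.status !== DISMISS) return true;
  return DISMISSAL_REASONS.includes(state.dismissalReason) && state.comment.trim().length > 0;
}

// Variables for the bulk mutation. Field names are assumed; the point is that the
// comment (and the reason, for dismiss) travel together with the selected ids.
function buildMutationVariables(state, selectedIds) {
  if (selectedIds.length === 0) throw new Error('no vulnerabilities selected');
  if (!canChangeStatus(state)) throw new Error('change status is disabled for this form state');
  const comment = state.comment.trim();
  const variables = {
    vulnerabilityIds: [...selectedIds],
    status: state.status,
    comment: comment.length > 0 ? comment : null,
  };
  if (state.status === DISMISS) variables.dismissalReason = state.dismissalReason;
  return variables;
}

// Assumed display format for a reason, e.g. FALSE_POSITIVE -> "False positive".
function reasonLabel(reason) {
  const words = reason.toLowerCase().replace(/_/g, ' ');
  return words.charAt(0).toUpperCase() + words.slice(1);
}

// Text the verification steps expect in the system note, so a test can compare it
// against the note rendered on the vulnerability detail page.
function expectedSystemNote(username, state) {
  const status = state.status === DISMISS
    ? `Dismissed: ${reasonLabel(state.dismissalReason)}`
    : STATUS_LABELS[state.status];
  const comment = state.comment.trim();
  const suffix = comment.length > 0 ? ` and the following comment: "${comment}"` : '';
  return `@${username} changed vulnerability status to ${status}${suffix} just now`;
}
```

`canChangeStatus` is the single source of truth for the button's `disabled` binding, and `buildMutationVariables` re-checks it so that a stale click can never send a dismissal without a reason or comment even if the template and the handler drift apart.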