Design: [GA] Explain this vulnerability
User problem
What user problem will this solve?
GitLab surfaces vulnerabilities with relevant information in the vulnerability record. However, users are often not sure where to start: it takes time to research and synthesize the information that is surfaced, and it can be difficult to figure out how to fix a given vulnerability.
Solution hypothesis
Why do you believe this AI solution is a good way to solve this problem?
Users want to quickly understand a vulnerability so that they know what next steps to take (e.g. what code change they need to make).
Assumption
What assumptions are you making about this problem and the solution?
- The amount of information for a vulnerability can be under/overwhelming.
- It is difficult to know where to start.
- Not all fixes are straightforward.
Personas
What personas have this problem, who is the intended user?
- Sasha (Software Developer) can use this feature to better understand and potentially fix vulnerability findings before she tries to merge to the default branch.
- Sam (Security Analyst) uses this feature to quickly triage vulnerabilities and learn about specific vulnerabilities.
Proposal
See design section below.
Note: All members of the team, myself included, are actively monitoring and aligning with the ongoing overlapping efforts in other stages that are using similar components related to AI functionality. The designs posted here are subject to change as these UX/UI conversations evolve.
Potential requirements - subject to change
- Allow users to ask followup questions in a drawer/chat format. (See this design for an example)
- Feedback from the user helps inform the model and the next AI interaction for the user:
  - e.g. if the user marks a response as Wrong, that response is excluded in the future for that type of vulnerability.
  - or if the user marks a response as Helpful, this informs the model for future responses.
- CTA(s) in drawer - create issue and move info into issue description automatically, create MR, or download results
- On vulnerability report, indicate which findings have AI results (e.g. icon in activity column and in activity filter)?
Note: When maturing from Beta to GA, please reference Quantitative measurements to move from Experiment to GA
Questions
Concerns
Unfortunately, we don't yet have the ability to ping anyone in the vulnerability object, nor do we have the ability to leave a comment without first changing the status. This will make collaboration and discussion about the AI-assisted feedback/proposals a little bit challenging; the workaround is that the user creates an issue from the vulnerability (or uses an external tool, e.g. Slack, and sends the link to the vulnerability). [Note: These problems will be addressed in DESIGN: Vulnerability comment enhancements.]