Design: Data retention UX

Problem to solve

We will be introducing a retention policy on GitLab vulnerabilities. This issue looks at the UX and UI requirements involved with this change.

Workflow

Information about the new retention policy:

  • The retention policy for .com users is 1 year.
  • Self-managed users have the option to configure their retention policy up to x amount of time.

After 1 year:

  1. We will export all the old vulnerabilities into some sort of file format
  2. We will store this file in object storage (this is where we store files like attachments)
  3. We will delete the old records from the database
  • Users will be able to export the old vulnerabilities if they need to access them for auditing purposes. The data included will be all relevant vulnerability metadata (state transitions, comments, linked issues, linked MRs, etc.)
  • Users are alerted or notified that vulnerability records are going to be archived. This includes a full list of what will be archived.
  • Vulnerabilities that have exceeded their retention period are removed on a monthly basis per the criteria outlined here.

After 3 years:

  • All archived vulnerabilities are permanently deleted on a rolling monthly basis.
  • Users are alerted or notified that vulnerability records are going to be deleted. This includes a full list of what will be deleted.

Engineering DRI: @minac

Design requirements

In order to communicate that a vulnerability will soon be archived:

On the Vulnerability Report...

  • Introduce an activity badge (warning variant) with the archive icon if the vulnerability will be archived within 30 (or 31?) days, with a tooltip (on cursor hover) that provides an explanation.
  • Introduce an activity filter so users can jump straight to vulnerabilities that will be archived.
  • Introduce a warning alert on the vulnerability detail page if the archive will occur within 30 days, with a link to the retention policy section of the docs.
  • If a vulnerability has been deleted (its archive removed), keep the vulnerability detail page but show an empty state containing a link to the docs.

In order to access archived vulnerabilities:

On the Security configuration page -> under the Vulnerability Management tab:

  • Introduce a section on the page for archived vulnerabilities
  • Provide archives for the last few years (however many we can include until archives are deleted). Users can choose to download per month or a full year at a time.
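As an added example (not part of this issue or of GitLab's code), a small Python model of the lifecycle described in the Workflow and Design requirements sections: the 1-year retention (configurable for self-managed), the 30-day warning window that drives the badge, filter and alert, the monthly archive bucket a record lands in, and the 3-year deletion. It assumes that both the archive and deletion thresholds are measured from the detection date and that the rolling monthly job runs on the first of the following month; the issue's actual criteria are not given here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Stage(Enum):
    ACTIVE = "active"                  # within retention; no UI change
    ARCHIVING_SOON = "archiving_soon"  # warning window: badge, filter hit, detail-page alert
    ARCHIVED = "archived"              # exported and removed from the DB; downloadable archive
    DELETED = "deleted"                # archive purged; detail page shows the empty state

@dataclass(frozen=True)
class RetentionPolicy:
    retention_days: int = 365          # .com default of 1 year; self-managed may configure
    deletion_days: int = 3 * 365       # archives are permanently deleted after 3 years
    warning_days: int = 30             # window for the badge and alert

def _as_date(value) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)

def next_monthly_run(d: date) -> date:
    """Assumed schedule: the rolling monthly job runs on the 1st of the following month."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, 1)

def archive_date(detected_on, policy=RetentionPolicy()) -> date:
    """First monthly run after the retention period (assumed measured from detection) expires."""
    return next_monthly_run(_as_date(detected_on) + timedelta(days=policy.retention_days))

def deletion_date(detected_on, policy=RetentionPolicy()) -> date:
    """First monthly run after the 3-year mark; the archive is purged then."""
    return next_monthly_run(_as_date(detected_on) + timedelta(days=policy.deletion_days))

def archive_bucket(detected_on, policy=RetentionPolicy()) -> str:
    """Month (YYYY-MM) of the downloadable archive this record will land in."""
    return archive_date(detected_on, policy).strftime("%Y-%m")

def stage(detected_on, today, policy=RetentionPolicy()):
    """Return (Stage, days until the next transition); days is 0 once deleted."""
    today = _as_date(today)
    archive_on, delete_on = archive_date(detected_on, policy), deletion_date(detected_on, policy)
    if today >= delete_on:
        return Stage.DELETED, 0
    if today >= archive_on:
        return Stage.ARCHIVED, (delete_on - today).days
    days_left = (archive_on - today).days
    if days_left <= policy.warning_days:
        return Stage.ARCHIVING_SOON, days_left
    return Stage.ACTIVE, days_left
```

The `ARCHIVING_SOON` result is what the Vulnerability Report badge, the activity filter and the detail-page alert would key on, while `archive_bucket` gives the per-month archive offered on the Security configuration page.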

Edited by Becka Lippert