Vulnerability Report Results Grouping
Proposal
This customer would like to see additional vulnerability grouping options within the Vulnerability Report. Customer feedback listed below:
- More granular tool grouping correlating to the exact scanning tool instead of the type. For instance, all SAST findings are grouped together under the SAST tool group, but there are multiple SAST scanners that GitLab supports. Would be nice to group by the exact scanner that detected each finding - https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html#official-analyzers
- Updated OWASP Top 10 grouping correlating to the most recent report. Currently it groups using 2017 OWASP Top 10 categories, so we'd like to see the more recent 2021 references. Also the 2025 report should be released in the next few months, and that would be more ideal. Alternatively, it may be interesting to have the option to group by different years of OWASP Top 10s?
- Related to the OWASP grouping, it seems like way more findings could be grouped under these categories. Maybe that's a separate issue for improving finding identifiers or updating the OWASP year. I do see there are existing identifiers related to the 2021 OWASP, like A03:2021 - Injection - https://gitlab.com/heb-engineering/teams/information-security/security-engineering-team/synthetic-testing/20240918-154840-521079-cm-web-wpengine-build-artifacts-phpcs-test/-/security/vulnerabilities/137013711
- Our most desired grouping option is by CVE / CWE so we can quickly see findings related to vulnerabilities that pop up and handle solving those. I'm not seeing an option for grouping by identifier or CVE, so we'd definitely be interested in that.
The purpose of these enhancements is to allow the customer to better prioritize the resolution of vulnerabilities and maintain the best possible security posture.
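The groupings requested above (by exact scanner and by CWE/CVE identifier) can be reproduced offline from a pipeline's security report artifact. The script below is an added example, not GitLab's own code: it assumes the GitLab security report JSON shape (`vulnerabilities[].scanner.id` and `vulnerabilities[].identifiers[].type/name`), and the embedded report is a constructed sample with a placeholder CVE id.

```python
"""Group findings from a GitLab security report JSON by scanner and by CWE/CVE."""
import json
from collections import defaultdict

# Constructed sample in the shape of a GitLab SAST report (not real scan output).
# "CVE-0000-0000" is a placeholder id, not a real CVE.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "name": "SQL injection", "severity": "High",
         "scanner": {"id": "semgrep", "name": "Semgrep"},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"},
                         {"type": "owasp", "name": "A03:2021 - Injection", "value": "A03:2021"}]},
        {"id": "f2", "name": "Hardcoded secret", "severity": "Critical",
         "scanner": {"id": "gitleaks", "name": "Gitleaks"},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
        {"id": "f3", "name": "Vulnerable dependency", "severity": "High",
         "scanner": {"id": "gemnasium", "name": "Gemnasium"},
         "identifiers": [{"type": "cve", "name": "CVE-0000-0000", "value": "CVE-0000-0000"},
                         {"type": "cwe", "name": "CWE-89", "value": "89"}]},
    ],
})

def load_findings(report_json):
    """Return the findings list from a report; an empty report yields []."""
    return json.loads(report_json).get("vulnerabilities", [])

def group_by_scanner(findings):
    """Group by the exact scanner id (e.g. semgrep), not by report type (SAST)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.get("scanner", {}).get("id", "unknown")].append(f["id"])
    return dict(groups)

def group_by_identifier(findings, id_type):
    """Group by one identifier type ('cwe' or 'cve'); a finding carrying several
    identifiers of that type is listed under each of them, so one CWE bucket
    can span findings from different scanners."""
    groups = defaultdict(list)
    for f in findings:
        for ident in f.get("identifiers", []):
            if ident.get("type") == id_type:
                groups[ident["name"]].append(f["id"])
    return dict(groups)

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(group_by_scanner(findings))
    print(group_by_identifier(findings, "cwe"))
    print(group_by_identifier(findings, "cve"))
```

To run it against a real pipeline artifact, replace `SAMPLE_REPORT` with the contents of the job's `gl-sast-report.json` (or the equivalent dependency scanning report).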