Follow up on dismiss vulnerability or create issue
The Dismiss vulnerability or create an issue in security reports feature was not entirely fulfilled and showed some issues that we need to address:
Missing features:

1. [FE] strikethrough of whole line when vulnerability is dismissed => new issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/6005
2. [FE/BE] Display pipeline and author of dismissal => new issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/5953
3. [BE] Create System Note when creating/removing a dismissal and creating an issue => new issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/5954
4. [FE] Put dismissed vulnerabilities at the end of the list. I don't think this is possible with the current FE implementation. There are actually 3 different lists instead of one in the DOM: new, fixed and all (present in both source and target branch but not new nor fixed). So if you dismiss a new vulnerability it will go at the end of the `new` list, but it will still be displayed before `fixed` and `all`. => Discuss it here
Code fix/cleanup:

5. [FE] Missing I18n => new issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/5909
6. [BE] Improve issue creation service and try to replace string generation with clean templates and/or separate classes => TODO in this issue
7. [FE] Cleanup FE code when JSON report will be enriched with necessary properties => will be done in #5043 (closed) and other "enrich XXX" issues as they are the prerequisite changes for this.
8. [BE] Create VulnerabilityFeedback and Issue in the same transaction: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5452#note_72042715 => TODO in this issue
9. [BE] Leverage traits to simplify tests: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5452#note_72043254 => TODO in this issue
Further improvements to be done asap:

Vulnerability identification:

11. Avoid generating fingerprint SHA1 on FE => needs #5043 (closed) and other "enrich XXX" issues first.
12. Do not use the CVE field to hold fingerprint comparison key => see https://gitlab.com/gitlab-org/gitlab-ee/issues/5678

Fix discrepancies between reports:

13. Unlike SAST and Dependency Scanning, DAST and Container Scanning don't hide issues present in both target and source branches by default, with a 'Display all' link to show them. => should be addressed in https://gitlab.com/gitlab-org/gitlab-ee/issues/5239
Edited by Olivier Gonzalez