Consider dismissed items in security reports summary: Merge Request Widget

Description

We should probably update the counters in the Security Reports summary and headers in the MR widget to reflect the dismissed issues...

If all the remaining vulnerabilities are dismissed, it doesn't sound right to show "Security scanning detected 5 vulnerabilities".

Proposal

Use this language on the summary and headers in the MR Widget:

Security scanning detected X new, Y dismissed and Z fixed vulnerabilities.

Solution:

  1. Add "X dismissed vulnerabilities" or ", X dismissed" (depending on location) to the summary string in the security reports and in the MR widget.
  2. Group dismissed vulnerabilities and place them at the bottom of the lists for each report type.
  3. Follow-up with this design proposal: https://gitlab.com/gitlab-org/gitlab-ee/issues/8960 to better display dismissed vulnerabilities in the reports.

Examples:

5 vulnerabilities are found, of which 2 are new, 2 are dismissed and 1 is fixed:

MR Widget

Security scanning detected 2 new, 2 dismissed and 1 fixed vulnerability

SAST detected 2 new, 2 dismissed and 1 fixed vulnerability

Design (mockup images not reproduced; only their captions survive):

  • Case1-mix-of-vuln-states: mix of dismissed, new and fixed vulnerabilities
  • Case2-no-dismissed: no dismissed vulns
  • Case3-no-fixed: no fixed vulns
  • Case4-no-new: all fixed vulns
Rules:
  • The list for each tool (SAST, DAST, etc.) is broken into two sections: new vulnerabilities on top, fixed vulnerabilities below.

  • Dismissed vulnerabilities are moved to the bottom of whichever section they belong to (new + dismissed stay in the new section; fixed + dismissed stay in the fixed section).

  • Only dismissed vulnerabilities that are new are included in the "X dismissed" count.

  • New vulnerabilities are always presented in the top section of the tool container.

    • New vulnerabilities are always preceded with the icon, regardless of whether they are dismissed or not.
    • New vulnerabilities that have been dismissed are always presented at the bottom of the new vulnerability list.

  • Fixed vulnerabilities are always presented in the bottom section of the tool container.

    • Fixed vulnerabilities are always preceded with the icon, regardless of whether they are dismissed or not.
    • Fixed vulnerabilities that have been dismissed are always presented at the bottom of the fixed vulnerability list.

  • Dismissed vulnerabilities that have been fixed are counted along with the other fixed vulnerabilities and are not included in the "X dismissed" count.
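The grouping and counting rules above, as an added worked example (this is not GitLab's widget code). It assumes a finding shape of `{ tool, name, status: 'new' | 'fixed', dismissed }`, and assumes that zero-valued segments are simply omitted from the summary text for the "no dismissed" / "no fixed" / "no new" cases, since the issue does not spell that wording out. The sample findings are constructed to match the example above.

```javascript
// Added example: grouping, counting and summary text for the MR widget,
// following the rules in this issue. Not GitLab's own widget code.
// Assumed input shape: { tool, name, status: 'new' | 'fixed', dismissed }.

function groupReport(findings) {
  // Within each section, undismissed findings come first and dismissed ones last.
  const dismissedLast = (list) => [
    ...list.filter((f) => !f.dismissed),
    ...list.filter((f) => f.dismissed),
  ];
  const newVulns = dismissedLast(findings.filter((f) => f.status === 'new'));
  const fixedVulns = dismissedLast(findings.filter((f) => f.status === 'fixed'));
  return {
    newVulns,
    fixedVulns,
    counts: {
      // "X new": new findings that have not been dismissed
      newCount: newVulns.filter((f) => !f.dismissed).length,
      // "Y dismissed": only dismissed findings that are new
      dismissedCount: newVulns.filter((f) => f.dismissed).length,
      // "Z fixed": every fixed finding, dismissed or not
      fixedCount: fixedVulns.length,
    },
  };
}

// Builds e.g. "SAST detected 2 new, 2 dismissed and 1 fixed vulnerability".
// Zero-valued segments are omitted (an assumption; the issue does not define
// the wording for the no-dismissed / no-fixed / no-new cases).
function summaryText(prefix, counts) {
  const segments = [
    [counts.newCount, 'new'],
    [counts.dismissedCount, 'dismissed'],
    [counts.fixedCount, 'fixed'],
  ].filter(([n]) => n > 0);
  if (segments.length === 0) return `${prefix} detected no vulnerabilities`;
  const words = segments.map(([n, label]) => `${n} ${label}`);
  // The noun agrees with the last count, as in the issue's own example.
  const lastCount = segments[segments.length - 1][0];
  const noun = lastCount === 1 ? 'vulnerability' : 'vulnerabilities';
  const list = words.length === 1
    ? words[0]
    : `${words.slice(0, -1).join(', ')} and ${words[words.length - 1]}`;
  return `${prefix} detected ${list} ${noun}`;
}

// One line per tool (SAST, DAST, ...) plus the widget header across all tools.
function widgetSummaries(findings) {
  const tools = [...new Set(findings.map((f) => f.tool))];
  const perTool = {};
  for (const tool of tools) {
    const counts = groupReport(findings.filter((f) => f.tool === tool)).counts;
    perTool[tool] = summaryText(tool, counts);
  }
  return {
    header: summaryText('Security scanning', groupReport(findings).counts),
    perTool,
  };
}

// Constructed sample matching the issue's example: 5 SAST findings, of which
// 2 are new, 2 are new-but-dismissed and 1 is fixed. Dismissed findings are
// deliberately listed first on input so the reordering is visible.
const SAMPLE = [
  { id: 3, tool: 'SAST', name: 'Weak hash (MD5)', status: 'new', dismissed: true },
  { id: 1, tool: 'SAST', name: 'SQL injection', status: 'new', dismissed: false },
  { id: 5, tool: 'SAST', name: 'Path traversal', status: 'fixed', dismissed: false },
  { id: 4, tool: 'SAST', name: 'Insecure random', status: 'new', dismissed: true },
  { id: 2, tool: 'SAST', name: 'Hard-coded credential', status: 'new', dismissed: false },
];

// Constructed "all fixed" case: a finding that is both dismissed and fixed is
// counted as fixed, not as dismissed.
const ALL_FIXED = [
  { id: 6, tool: 'DAST', name: 'Missing CSP header', status: 'fixed', dismissed: true },
  { id: 7, tool: 'DAST', name: 'Reflected XSS', status: 'fixed', dismissed: false },
];

console.log(widgetSummaries(SAMPLE).header);
console.log(widgetSummaries(SAMPLE).perTool.SAST);
console.log(widgetSummaries(ALL_FIXED).header);
```

The point worth checking in review is the two asymmetric rules: a dismissed finding only adds to the "dismissed" count when it is new, while a dismissed finding that is fixed is folded into the "fixed" count, so `dismissedCount` is derived from `newVulns` alone and `fixedCount` from the whole fixed section.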


Edited by Andy Volpe