Collaborative remediation
Problem to solve
We want to help developers remediate vulnerabilities.
Target audience
Sasha, the Software Developer, would be happy to have this feature.
Further details
While we are starting to provide auto-remediation for our users (https://gitlab.com/gitlab-org/gitlab-ee/issues/3710), many cases won't be covered because we don't have the ability (yet) to offer patches for complex vulnerabilities. This is especially true for SAST, where the fix requires rewriting the original code rather than swapping a dependency. Generating such a rewrite would mean we can "understand" the code, and we're not there yet.
Proposal
If vulnerabilities are first-class objects in GitLab (https://gitlab.com/gitlab-org/gitlab-ee/issues/8493), we can follow the relations between:
an Identifier -> a Vulnerability -> a Merge Request
GitLab is full of open source projects, and we must leverage that data. By showing Sasha how other users remediated the same vulnerability (i.e. one sharing the same identifier), we let him learn from their merge requests and start fixing his own code faster. It will also make him more confident about his own change.
What does success look like, and how can we measure that?
When Sasha browses a Vulnerability, if public projects have recently fixed a vulnerability with the same identifier, a list of example MRs is displayed. Only MRs from public projects qualify, since the feature reads across projects and must not expose private code.
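As an added illustration (not code from this issue or from GitLab itself), the following Ruby sketch models the Identifier -> Vulnerability -> Merge Request relation in memory and implements the lookup behind this success criterion: given the vulnerability Sasha is browsing, return recently merged MRs from public projects that fixed a vulnerability sharing at least one identifier, ranked first by how many identifiers they share and then by recency. The struct names, the `example_remediations` function, its parameters and the sample data are all assumptions made for the example.

```ruby
# Added example, not GitLab code: an in-memory model of
# Identifier -> Vulnerability -> Merge Request and the lookup that
# produces "example MRs" for the vulnerability a developer is browsing.
require 'date'
require 'set'

# Hypothetical minimal model of the objects the proposal relates.
Identifier    = Struct.new(:type, :value)                      # e.g. "cwe" / "79", "cve" / "CVE-..."
Project       = Struct.new(:path, :visibility)                 # :public or :private
MergeRequest  = Struct.new(:project, :iid, :merged_at)
Vulnerability = Struct.new(:project, :identifiers, :fixing_mr, :resolved_at)

# Return up to `limit` merge requests from public projects that fixed a
# vulnerability sharing at least one identifier with `vulnerability`
# within the last `max_age_days`. MRs sharing more identifiers rank first
# (a CVE match is closer than a bare CWE match), then the most recent.
def example_remediations(vulnerability, candidates, now: Date.today, max_age_days: 90, limit: 5)
  wanted = vulnerability.identifiers.map { |i| [i.type, i.value] }.to_set

  scored = candidates.filter_map do |v|
    next if v.equal?(vulnerability)                 # don't suggest the finding itself
    next unless v.project.visibility == :public     # never expose private projects' code
    next unless v.fixing_mr && v.resolved_at        # only findings actually fixed by an MR
    next if (now - v.resolved_at) > max_age_days    # "recently"

    shared = v.identifiers.count { |i| wanted.include?([i.type, i.value]) }
    next if shared.zero?

    [v, shared]
  end

  scored
    .sort_by { |v, shared| [-shared, -v.resolved_at.jd] }
    .map { |v, _shared| v.fixing_mr }
    .uniq                                           # one MR may have fixed several findings
    .first(limit)
end

# Constructed sample data (not taken from any real GitLab instance).
XSS = Identifier.new("cwe", "79")
SQLI = Identifier.new("cwe", "89")
CVE = Identifier.new("cve", "CVE-2018-11235")

PUB_A = Project.new("group/alpha", :public)
PUB_B = Project.new("group/beta", :public)
PRIV  = Project.new("acme/internal", :private)

SAMPLE_VULNERABILITIES = [
  Vulnerability.new(PUB_A, [XSS],       MergeRequest.new(PUB_A, 12, Date.new(2019, 2, 20)), Date.new(2019, 2, 20)),
  Vulnerability.new(PUB_B, [XSS, CVE],  MergeRequest.new(PUB_B, 7,  Date.new(2019, 1, 15)), Date.new(2019, 1, 15)),
  Vulnerability.new(PRIV,  [XSS],       MergeRequest.new(PRIV,  3,  Date.new(2019, 2, 28)), Date.new(2019, 2, 28)), # private: hidden
  Vulnerability.new(PUB_A, [XSS],       MergeRequest.new(PUB_A, 5,  Date.new(2018, 6, 1)),  Date.new(2018, 6, 1)),  # too old
  Vulnerability.new(PUB_B, [SQLI],      MergeRequest.new(PUB_B, 9,  Date.new(2019, 2, 25)), Date.new(2019, 2, 25)), # unrelated
  Vulnerability.new(PUB_A, [XSS],       nil, nil),                                                                  # still open
]

# The finding Sasha is looking at in his own (private) project.
SASHA_VULNERABILITY = Vulnerability.new(Project.new("sasha/shop", :private), [XSS, CVE], nil, nil)

if __FILE__ == $PROGRAM_NAME
  example_remediations(SASHA_VULNERABILITY, SAMPLE_VULNERABILITIES, now: Date.new(2019, 3, 1)).each do |mr|
    puts "#{mr.project.path}!#{mr.iid} (merged #{mr.merged_at})"
  end
end
```

The visibility filter is the one check that must not be dropped: the feature deliberately reads across projects, so anything beyond public projects would leak private code through the suggested MR link. The identifier-overlap ranking is one way to stop generic identifiers (a CWE shared by thousands of findings) from drowning out closer matches; the issue does not prescribe a ranking, so treat it as an assumption. The returned MRs are other people's fixes, not verified patches, and Sasha still has to review what he borrows.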
Links / references
/cc @bikebilly @andyvolpe