Allow dismissal reason and comment for bulk vulnerability status updates

Lorenz van Herwaarden requested to merge status-filter-dismissal-reasons into master

What does this MR do and why?

Relates to #408366 (closed)

For the

  1. project vulnerability report
  2. group vulnerability report
  3. instance vulnerability report

When the feature flag dismissal_reason is enabled:

  1. if the dismiss status is selected, a dismissal reason is required
  2. a comment can be added (this is required for the dismissed status)

Other changes (regardless of the feature flag), to bring the UI more in line with the designs provided:

  1. the cancel and change status buttons are always visible
    1. it is handy to have cancel available even before selecting a status, to be able to clear the selected state
    2. the change status button is visible but disabled; it only becomes enabled once the necessary inputs are provided
  2. instead of a card design, the same grey background and border as the filters above are used
  3. switch from the deprecated GlDropdown to the GlCollapsibleListbox component
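The enabling rule for the change status button, taken together from the two lists above (feature-flag behaviour plus the always-visible, disabled-until-ready button), written out as a small added example. This is not code from the MR or from GitLab; the function and field names, the status value `DISMISSED`, and the assumption that with the flag off a dismissed status behaves like any other status (comment optional) are all my own.

```javascript
// Added example, not GitLab's code. Models which inputs the bulk
// "Change status" form still needs before the button can be enabled.
// Assumed names: status values, field names and the flag argument.
const DISMISSED = 'DISMISSED';

// Returns the list of inputs that are still missing, in the order the
// user encounters them: status, then dismissal reason, then comment.
function missingInputs({ status, dismissalReason, comment, dismissalReasonFlag }) {
  const missing = [];
  if (!status) {
    // Nothing selected yet: only the cancel button is useful here.
    missing.push('status');
    return missing;
  }
  // Statuses other than dismissed: the comment input is shown but optional.
  if (status !== DISMISSED) {
    return missing;
  }
  // Feature flag off: assumed to keep the previous behaviour (no reason,
  // comment optional) for the dismissed status as well.
  if (!dismissalReasonFlag) {
    return missing;
  }
  // Flag on and status dismissed: both a reason and a comment are required.
  if (!dismissalReason) {
    missing.push('dismissalReason');
  }
  if (!comment || comment.trim().length === 0) {
    missing.push('comment');
  }
  return missing;
}

// The button is enabled exactly when nothing is missing.
function changeStatusEnabled(form) {
  return missingInputs(form).length === 0;
}

// Example usage with a constructed form state.
const example = {
  status: DISMISSED,
  dismissalReason: 'FALSE_POSITIVE',
  comment: '   ',
  dismissalReasonFlag: true,
};
console.log(missingInputs(example)); // ['comment']: whitespace-only comment does not count
console.log(changeStatusEnabled(example)); // false
```

Keeping the missing-input list separate from the boolean makes it easy to surface which field is blocking the button, and the whitespace check mirrors the "add a comment" step in the validation instructions, where a blank comment should not unlock the button.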

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before                              After
Screenshot_2023-05-05_at_09.01.10   Screenshot_2023-05-04_at_19.36.10
Screenshot_2023-05-05_at_09.01.16   Screenshot_2023-05-08_at_10.10.42
Screenshot_2023-05-05_at_08.59.34   Screenshot_2023-05-04_at_19.38.28

Provide comment:

Screenshot_2023-05-04_at_19.36.53

Provide dismissal reason:

Screenshot_2023-05-04_at_19.37.18

Provide dismissal reason and comment:

Screenshot_2023-05-04_at_19.38.03

How to set up and validate locally

Run tests

yarn jest ee/spec/frontend/security_dashboard/components/shared/vulnerability_report/selection_summary_spec.js

yarn jest ee/spec/frontend/security_dashboard/components/pipeline/pipeline_security_dashboard_spec.js

UI

Prerequisites

  1. You'll need an EE license
  2. You'll need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run a pipeline on master

For the project, group, and instance vulnerability reports:

  1. go to the vulnerability report
  2. select multiple vulnerabilities
  3. validate that the cancel button and the change status button are visible immediately (change status is disabled)
  4. select any status other than dismiss
    1. validate that a comment form input appears
    2. validate that the change status button is enabled
    3. add a comment (if you want)
    4. click the change status button and validate that it works as before
  5. select the dismiss status
    1. validate that a new listbox to select a dismissal reason and a comment form input appear
    2. select any dismissal reason
    3. add a comment and validate that the change status button is only now enabled
    4. click change status and validate that it works as before

Go to the details page of a vulnerability you just dismissed with a dismissal reason and validate that the dismissal reason is indeed applied. The comment is not yet shown, but this will be handled in another issue.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lorenz van Herwaarden