UXR: dependency path shown on dependency list, object page, and merge request

placeholder to fill out, based on results from gitlab#198034 (closed)

What’s this issue all about?

In the discovery issue gitlab#198034 (closed), we identified an MVC to display the top-level path of a dependency. This is the starting point for helping users understand how their dependencies live within their project files and which dependencies they may be introducing into a project. Further, helping the user understand a dependency's location and path will help users remediate a dependency vulnerability when one is detected.

Who is the target user of the feature?

Security team members and developers

What questions are you trying to answer?

Core questions

  • What is the users' perception of the MVC display?
  • Did the user interact with the data display, and did it help them understand a dependency's location (and related dependencies)?
  • Do users understand that this displays top-level dependencies only?
  • Do users understand the source of the dependency path?
  • Does the user understand the path structure display?

Additional questions

  • Is this display helpful when a user is investigating a dependency with a vulnerability?
  • What is not helpful about this, and/or what is the user struggling with when learning more about a dependency?
  • Is it helpful to show all paths for all dependencies? Why?

Overall, we'd like to see how the user interacts with this minimal view of a dependency path. There are UI views that often show graphs and all paths available in the project, but what is the true value of these views, with the focus on cases that need to remediate vulnerabilities?

What hypotheses and/or assumptions do you have?

  • Users will interact more with the list when a vulnerability is detected; that is, the dependency path will be a starting point to investigate.
  • Users would like to see all paths related to the dependency?
  • Users would find it helpful to see the display in the merge request (to get a better idea of which new dependencies are being introduced).

What decisions will you make based on the research findings?

Mostly around prioritization of where and when we display the path (list, MR, object page?). Additionally, to help guide feedback about next steps to evolve the display (add full paths? show a dependency chart/graph?).

What's the latest milestone at which the research will still be useful to you?

...

Edited by Kyle Mann