### Release notes Users require the ability to view vulnerabilities in groups. This will help security analysts optimize their triage tasks by utilizing bulk actions. In addition users can see how many vulnerabilities match their group; i.e. how many OWASP Top 10 vulnerabilities are there? https://docs.gitlab.com/ee/user/application_security/vulnerability_report/#group-vulnerabilities  ### Intended users * [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer) * [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator) * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) * [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer) ### User experience: Design https://gitlab.com/gitlab-org/gitlab/-/issues/267588+ For the Vulnerability Report on the project _and_ group level: - Users should be able to efficiently prioritize and triage vulnerabilities arranged by similar properties. - Users should be able to take action on vulnerabilities with similar properties at one time. #### MVC Group by: - Status (estimated %"16.5", includes operational vulnerabilities tab) - Severity (estimated %"16.5", includes operational vulnerabilities tab) - Tool - OWASP Top 10 #### Post-MVC Future group by possibilities in the future (need validation): - Identifier (possible second step to group by CVE, CWE Top 25, or type e.g. XXS) - ~~Location~~ File path (possible second step to group by file or folder) - Analyzer (e.g. Brakeman for SAST) - Dismissal _type_ - Activity type Applies only to container scanning (per [comment](https://gitlab.com/gitlab-org/gitlab/-/issues/267588#note_828793104)) - Group by container name - Group by tag - Group by lock file Applies only to dependency scanning - (we'll most likely move this to the dependency list) - Group by root dependency (per [comment](https://gitlab.com/gitlab-org/gitlab/-/issues/267588#note_815914791)) - Group by introduced dependency (per [comment](https://gitlab.com/gitlab-org/gitlab/-/issues/267588#note_828793104)) - Group by vulnerable dependency (per [comment](https://gitlab.com/gitlab-org/gitlab/-/issues/267588#note_828793104)) ### Additional requirements * Provide a dropdown button for users to view groups of vulnerabilities with the same property. * Whenever a grouping is applied, the column headers are moved below the group titles. * If an entire group is selected and spans across pages, all vulnerabilities within the group should be selected across pages. * If a vulnerability applies to more than one group, it should be shown more than once. In other words, it should be included (duplicated) within every group it applies to. However, the number in the single stat should only count it once. * If there are vulnerabilities that don't fall into any of the groupings (e.g. OWASP Top 10 and CWE Top 25), there should be a `Non-{group_name}` group at the end of the list.