Discovery - Add triage list to group and project security dashboards
Background
Today we show a flat list of vulnerabilities that can be in different states: Dismissed, Issue Created, MR Created, or Active (no vulnerability action taken yet). This makes the list difficult to parse, since the user has to differentiate these states from vulnerabilities that have yet to have an action applied.
Proposal
Create a separate list for Triaged vulnerabilities. For the MVC we can detect if an issue or MR has been created from a vulnerability and give the user the ability to move these vulnerabilities to a separate list called Triaged. This helps focus the list on only the vulnerabilities that need attention. Dismissed vulnerabilities will go in their own separate list, further focusing the list.
- We can do this at the group level first and apply it to the project level once the UX has been aligned from this issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/7710
- Vulnerabilities that are triaged should be tagged as such and persisted across experiences. For example, if I move a vulnerability to the triaged list at the project level, it should also move at the group level, and the other way around.
- Knowing a vulnerability has been tagged would also be beneficial in the security report views and in the MR widget. We should keep this in mind when considering this proposal.
User
Persona: Security Analyst
As a user, I want the ability to move vulnerabilities that have Issues or MRs associated with them to a separate list, so that I can focus on vulnerabilities that need my attention.