Project-level Exportable Security Reports MVC
Problem to solve
Users are unable to effectively share the results of our security reports outside GitLab. They need to provide these reports to their managers, compliance teams, and sometimes their clients. They need a human-readable format that can be printed or sent via email.
Intended users
Proposal
NOTE: This should be built on top of the new standalone vulnerability object model.
For an MVC, we will add functionality enabling the user to download a Project's security report in a CSV format. This includes:
- A button to download the report from the Project-level Security Dashboard
- Dismissible popover calling attention to the new functionality, pointed at the download button and containing a link to the issue for leaving feedback; it is shown on first view only and does not reappear after being dismissed
- Generated CSV file is dynamically named such that it is easily recognizable and distinguishable from other reports. For example: "project-name_2020-01-01T14:05.csv"
Suggested CSV Headers: This is not all the data available in the JSON security reports, but it should be the relevant information for such a report. The first part is the suggested header field name; the item in parentheses is the parameter name in the JSON schema from which to pull this data:
- Scanner Type ("category")
- Scanner Name ("scanner": {"name"})
- Vulnerability ("name")
- Details ("description")
- Additional Info ("message")
- Severity ("severity")
- CVE ("cve")
- Status (not from JSON; this is vuln state like 'Confirmed', 'Dismissed', etc.)
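As an added illustration of the header mapping above (example code written for this issue, not part of GitLab's codebase), the following Ruby script reads a security report JSON document, pulls each suggested column from the listed JSON field, appends the Status column from a separate state lookup, and builds the dynamically named CSV. The sample report, the `SAMPLE_STATES` lookup keyed by the `cve` field, and the default state `'Detected'` are assumptions made for the example. Because scanner-supplied strings such as `description` and `message` land in a file meant to be opened in a spreadsheet, cells that begin with a formula character are prefixed with a single quote so they are not evaluated.

```ruby
require 'json'
require 'csv'
require 'time'

# Suggested CSV header -> extractor over one vulnerability object from the
# JSON report. "Status" is appended separately because it is not in the JSON.
CSV_COLUMNS = {
  'Scanner Type'    => ->(v) { v['category'] },
  'Scanner Name'    => ->(v) { v.dig('scanner', 'name') },
  'Vulnerability'   => ->(v) { v['name'] },
  'Details'         => ->(v) { v['description'] },
  'Additional Info' => ->(v) { v['message'] },
  'Severity'        => ->(v) { v['severity'] },
  'CVE'             => ->(v) { v['cve'] }
}.freeze

# Characters that spreadsheet applications treat as the start of a formula.
FORMULA_PREFIXES = ['=', '+', '-', '@'].freeze

# Neutralise spreadsheet formula injection: scanner output is untrusted text,
# and the CSV is intended to be opened in Excel/LibreOffice by non-developers.
def safe_cell(value)
  text = value.to_s
  FORMULA_PREFIXES.any? { |p| text.start_with?(p) } ? "'#{text}" : text
end

# Build the CSV body. `states` maps the report's `cve` identifier to the
# vulnerability state ('Confirmed', 'Dismissed', ...); unknown entries fall
# back to 'Detected' (assumed default for this example).
def report_to_csv(report_json, states = {})
  report = JSON.parse(report_json)
  CSV.generate do |csv|
    csv << CSV_COLUMNS.keys + ['Status']
    report.fetch('vulnerabilities', []).each do |vuln|
      row = CSV_COLUMNS.values.map { |extract| safe_cell(extract.call(vuln)) }
      row << states.fetch(vuln['cve'], 'Detected')
      csv << row
    end
  end
end

# Filename in the proposed "project-name_2020-01-01T14:05.csv" shape.
def export_filename(project_name, time)
  "#{project_name}_#{time.strftime('%Y-%m-%dT%H:%M')}.csv"
end

# Constructed sample report; field names follow the proposal, values are made up.
SAMPLE_REPORT = <<~JSON
  {
    "version": "2.0",
    "vulnerabilities": [
      {
        "category": "dependency_scanning",
        "name": "Regular Expression Denial of Service",
        "message": "ReDoS in example-lib",
        "description": "Crafted input causes excessive backtracking.",
        "cve": "Gemfile.lock:example-lib:cve-placeholder",
        "severity": "High",
        "scanner": { "id": "gemnasium", "name": "Gemnasium" }
      },
      {
        "category": "sast",
        "name": "Possible command injection",
        "message": "=CMD() in user-controlled string",
        "description": "",
        "cve": "app/foo.rb:42:cmd-injection",
        "severity": "Critical",
        "scanner": { "id": "brakeman", "name": "Brakeman" }
      }
    ]
  }
JSON

# Constructed state lookup standing in for the vulnerability object model.
SAMPLE_STATES = { 'Gemfile.lock:example-lib:cve-placeholder' => 'Confirmed' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts export_filename('my-project', Time.utc(2020, 1, 1, 14, 5))
  puts report_to_csv(SAMPLE_REPORT, SAMPLE_STATES)
end
```

Missing JSON fields become empty cells rather than raising, which matters because not every scanner populates `message` or `cve`. The formula-prefix guard is the one piece of defensive handling worth carrying into the real implementation, since the whole point of the export is that it will be opened in a spreadsheet by people outside the engineering team.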
Testing
TBD
Documentation
Document the new functionality, being sure to clearly call out:
- This is currently for Project-level Security Dashboards only
- Report is a CSV containing relevant data for ALL vulnerabilities present in the default branch; applying visual filters on the Security Dashboard will not yet filter the corresponding vulnerabilities out of the report.
- Helpful screenshots, as appropriate
Suggested location: update to existing https://docs.gitlab.com/ee/user/application_security/security_dashboard/#project-security-dashboard
What does success look like, and how can we measure that?
We have at least one customer that can take our report export and use it to satisfy a request from an internal team or one of their clients.
What is the type of buyer?
cc @matt_wilson @chloe @cbazan @plafoucriere @stkerr @NicoleSchwartz