Vulnerability List enhancements step 1: Add additional details and update filters

Background

As we add more 3rd-party security scanners as official integration partners, it will become more difficult for users to determine at a glance which scanner a detection came from. Additionally, once First Class Vulnerabilities is released, scan results will be persistent across runs. This opens the potential for mixing same-type results (e.g. DAST) from both the GitLab-provided scanners and one or more 3rd parties. We need a clean, clear way to let users manage multiple scanners that make the same detection.

We have done a research issue to provide insights into the proposed solution.

After that, the solution has been broken down into several steps/issues:

  • Step 1.1 (#210327 (closed)): Add the following info to the list view: line of code, scanner name and identifier. It is a minimum step to help users understand the situation
  • Step 1.2 (#210327 (closed)): Update filters
  • Step 2 (#210333 (closed)): Enable the group feature without suggestions. Grouping suggestions would be provided in separate steps
  • Step 3 (#210357 (closed)): Auto-grouping with intro of features
  • Step 4 (#210360 (closed)): Docs to explain how the bot (auto-grouping) works
  • Step 5 (#210361 (closed)): Enable/disable auto-grouping

Problem statement for issue one

When the same finding is detected by different scanners, how can we help the user understand what is happening, i.e. that there are duplicates?

Solution

Scope:

  • The changes affect only the Pipeline/Project dashboard.
  • After &3427 (closed) has been completed, we implement the change at the group level
  • After &3426 (closed) has been completed, we implement the change at the instance level

Add the following information to the list view:

  • Line of code
  • Scanner type and name
    • In the Scanner column, we show the scanner vendor's name only when scanners from multiple vendors are in use. If no 3rd party is connected, all scanners are from GitLab, so we hide "GitLab" and show only "SAST".
  • Identifier
    • If a vulnerability has multiple identifiers:
      • If a CVE is present, show that CVE identifier first, as it should be both the most commonly recognized and the most specific.
      • If there is no CVE, go with whichever identifier is first in the array.
      • Also show the count of the other identifiers, as pictured in the attached screenshot.

General Design (screenshot: Normal)

Update filter (screenshot: Filter-open)

Implementation Plan

  • fix scanner name (#219382 (closed))
  • backend: add information to GraphQL: scanner name and type, line of code, identifier(s)
    • this can all be derived from the report metadata
      • scanner name: scanner->name
      • scanner type: category
      • line of code (if available): location->start_line
      • identifier(s): identifiers array
  • frontend: list view; add an identifier column to the project-level security dashboard and pipeline security tab
    • when the identifiers array has more than one entry
      • only show one identifier
      • prefer the "CVE" identifier if one exists
      • use the first identifier otherwise
  • frontend: for the identifier column, if there is more than one identifier, show "+ X more" below the primary identifier (moved to #229645 (closed))
  • frontend: list view; add a scanner column to the project-level security dashboard and pipeline security tab to show the scanner type
  • frontend: add the vendor name in the scanner column
  • frontend: for the scanner column, when the only vendor is GitLab, hide the vendor name (moved to #229651 (closed))
  • frontend: update the scanner filter
    • Show the scanner vendor alongside the name
    • Dynamically add custom scanner filters that have been configured for the project and that filter for custom scanner vulnerabilities only (moved to #229661 (closed))
  • frontend: update docs with new screenshots/wording
  • frontend: list view; add an identifier column to the group/instance-level security dashboards when &3426 (closed) and &3427 (closed) are completed
  • frontend: list view; add a scanner column to the group/instance-level security dashboards when &3426 (closed) and &3427 (closed) are completed
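The identifier and scanner rules from the Solution section and the metadata mapping from the Implementation Plan, worked through as an added example. This is not code from the issue or from GitLab; it derives the list-view fields (line of code, scanner label, primary identifier and the "+ X more" count) and the scanner filter options from constructed findings shaped like a security report. Field names the issue does not mention (scanner.vendor.name, identifier.type and identifier.name) and the fallback that a scanner without vendor metadata is GitLab's are assumptions.

```javascript
// Added example, not the project's code: derive list-view fields from report metadata.
// Assumed schema details: scanner.vendor.name, identifier.type, identifier.name.

const GITLAB_VENDOR = "GitLab";

// Constructed sample findings: two GitLab SAST findings and one third-party DAST finding.
const SAMPLE_FINDINGS = [
  {
    category: "sast",
    scanner: { id: "semgrep", name: "Semgrep", vendor: { name: "GitLab" } },
    location: { file: "app/models/user.rb", start_line: 42 },
    identifiers: [
      { type: "semgrep_id", name: "rails.sqli" },
      { type: "cwe", name: "CWE-89" },
      { type: "cve", name: "CVE-0000-0000" }, // placeholder value, not a real CVE
    ],
  },
  {
    category: "sast",
    scanner: { id: "brakeman", name: "Brakeman", vendor: { name: "GitLab" } },
    location: { file: "app/models/user.rb" }, // no start_line: line of code unavailable
    identifiers: [{ type: "brakeman_warning_code", name: "Brakeman Warning Code 0" }],
  },
  {
    category: "dast",
    scanner: { id: "acme-dast", name: "Web Scanner", vendor: { name: "Acme" } },
    location: {},
    identifiers: [], // a finding may carry no identifier at all
  },
];

// Prefer a CVE when several identifiers exist, otherwise take the first one.
function primaryIdentifier(identifiers) {
  if (!Array.isArray(identifiers) || identifiers.length === 0) return null;
  const cve = identifiers.find((id) => String(id.type || "").toLowerCase() === "cve");
  return cve || identifiers[0];
}

// Vendor of a finding; missing vendor metadata is treated as GitLab's own scanner (assumption).
function vendorOf(finding) {
  const scanner = finding.scanner || {};
  return (scanner.vendor && scanner.vendor.name) || GITLAB_VENDOR;
}

function onlyGitLabVendors(findings) {
  const vendors = new Set(findings.map(vendorOf));
  return vendors.size === 1 && vendors.has(GITLAB_VENDOR);
}

// Scanner column: "<TYPE>" when every scanner in the list is GitLab's, else "<Vendor> <TYPE>".
function scannerLabel(finding, hideGitLab) {
  const type = String(finding.category || "unknown").toUpperCase();
  return hideGitLab ? type : `${vendorOf(finding)} ${type}`;
}

// One row per finding with exactly the fields the list view needs.
function buildListRows(findings) {
  const hideGitLab = onlyGitLabVendors(findings);
  return findings.map((finding) => {
    const ids = Array.isArray(finding.identifiers) ? finding.identifiers : [];
    const primary = primaryIdentifier(ids);
    const location = finding.location || {};
    return {
      lineOfCode: Number.isInteger(location.start_line) ? location.start_line : null,
      scanner: scannerLabel(finding, hideGitLab),
      identifier: primary ? primary.name : null,
      moreIdentifiers: primary ? ids.length - 1 : 0, // drives the "+ X more" text
    };
  });
}

// Scanner filter: one option per scanner name, vendor shown alongside it unless GitLab is the only vendor.
function scannerFilterOptions(findings) {
  const hideGitLab = onlyGitLabVendors(findings);
  const labels = new Set();
  for (const finding of findings) {
    const name = (finding.scanner && finding.scanner.name) || "Unknown scanner";
    labels.add(hideGitLab ? name : `${vendorOf(finding)} ${name}`);
  }
  return [...labels].sort();
}

console.table(buildListRows(SAMPLE_FINDINGS));
console.log(scannerFilterOptions(SAMPLE_FINDINGS));
```

Running it with all three sample findings yields vendor-qualified labels ("GitLab SAST", "Acme DAST"); dropping the Acme finding makes the vendor disappear from both the column and the filter, which is the behaviour the "hide GitLab when it is the only vendor" items describe.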
Edited by Matt Wilson