Instance-level Exportable Security Reports MVC
Problem to solve
Users are unable to effectively share the results of our security reports outside GitLab. They need to provide these reports to their managers, compliance teams, and sometimes their clients. They need a human readable format that can be printed or sent via email.
Intended users
Proposal
NOTE: This should be built on top of the new standalone vulnerability object model.
For an MVC, we will add functionality enabling the user to download an Instance's security report in a CSV format. This includes:
- A button to download the report from the Instance-level Security Dashboard
- Dismissible popover, pointing at the button on first view, that calls attention to the new functionality and links to the issue for leaving feedback (it does not reappear once dismissed)
- Generated CSV file is dynamically named such that it is easily recognizable and distinguishable from other reports. For example: "instance-name_2020-01-01T14:05.csv"
- The contents of the CSV file will only include projects added to/displayed on the Instance-level dashboard.
Suggested CSV headers: this is not all of the data available in the JSON security reports (and not all of it comes from the security reports), but it should be the relevant information for such a downloadable report. The first part is the suggested header field name; the items in parentheses are the parameter names in the JSON schema from which to pull the data:
- Group name
- Project name
- Scanner Type ("category")
- Scanner Name ("scanner": {"name"})
- Vulnerability ("name")
- Details ("description")
- Additional Info ("message")
- Severity ("severity")
- CVE ("cve")
- Status (not from JSON; this is the vulnerability state, like 'Confirmed', 'Dismissed', etc.)
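As an added example (not code from the proposal or from GitLab), the following Ruby script shows the mapping above end to end: it reads the listed keys from findings shaped like the JSON report schema, pairs them with the group, project and status that live outside the report, names the file as described in the proposal, and writes the CSV. The findings, group/project names, states and the `entry` wrapper shape are constructed for the example. Because scanner output ends up in cells that managers and clients will open in a spreadsheet, cells starting with a formula character are neutralised before export.

```ruby
require "csv"
require "json"
require "time"

# CSV columns from the proposal, in order.
HEADERS = ["Group name", "Project name", "Scanner Type", "Scanner Name",
           "Vulnerability", "Details", "Additional Info", "Severity", "CVE",
           "Status"].freeze

# Constructed sample findings in the shape of the JSON security report schema
# (only the fields the CSV needs). The second "name" deliberately starts with
# "=" to show why cells are neutralised before export.
SAMPLE_FINDINGS = JSON.parse(<<~JSON)
  [
    {"category": "sast", "scanner": {"name": "semgrep"},
     "name": "Possible SQL injection",
     "description": "User input reaches a query, see app/x.rb:12",
     "message": "Use parameterised queries.", "severity": "High",
     "cve": "example-placeholder-id-1"},
    {"category": "dependency_scanning", "scanner": {"name": "gemnasium"},
     "name": "=HYPERLINK(\\"http://example.invalid\\")",
     "description": "Outdated gem", "message": "Upgrade the gem.",
     "severity": "Medium", "cve": "example-placeholder-id-2"}
  ]
JSON

# Group, project and state are not in the report JSON; pair each finding with
# them here. This wrapper shape is an assumption for the example.
SAMPLE_ENTRIES = [
  { group: "acme", project: "webapp", status: "Confirmed", finding: SAMPLE_FINDINGS[0] },
  { group: "acme", project: "api",    status: "Dismissed", finding: SAMPLE_FINDINGS[1] }
].freeze

# Spreadsheet programs evaluate cells beginning with = + - @ as formulas, and
# finding names/descriptions come from scanner output we do not control, so
# prefix such cells with a single quote. Tabs and carriage returns are
# replaced too, since they can start a formula after a separator.
def sanitize_cell(value)
  text = value.to_s.gsub(/[\t\r]/, " ")
  text.match?(/\A[=+\-@]/) ? "'#{text}" : text
end

# Map one dashboard entry to the CSV columns, reading report fields by their
# JSON schema keys.
def report_row(entry)
  f = entry[:finding]
  [entry[:group], entry[:project], f["category"], f.dig("scanner", "name"),
   f["name"], f["description"], f["message"], f["severity"], f["cve"],
   entry[:status]].map { |cell| sanitize_cell(cell) }
end

def report_rows(entries)
  entries.map { |entry| report_row(entry) }
end

# Build the CSV text with the header row first.
def report_csv(entries)
  CSV.generate do |csv|
    csv << HEADERS
    report_rows(entries).each { |row| csv << row }
  end
end

# File name from the proposal: "<instance-name>_<timestamp>.csv". The
# timestamp is taken in UTC so exports from different time zones sort
# consistently.
def report_filename(instance_name, now = Time.now.utc)
  "#{instance_name}_#{now.strftime('%Y-%m-%dT%H:%M')}.csv"
end

if __FILE__ == $PROGRAM_NAME
  puts report_filename("instance-name", Time.utc(2020, 1, 1, 14, 5))
  puts report_csv(SAMPLE_ENTRIES)
end
```

One point to settle before shipping: the proposal's timestamp format contains a colon, which NTFS does not allow in file names, so a Windows user saving the download will be prompted to rename it; the example keeps the proposal's format as written.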
Testing
TBD
Documentation
Document the new functionality, being sure to clearly call out:
- This is for the Instance-level Security Dashboard
- The report is a CSV containing the relevant data for ALL vulnerabilities present in the default branch of every project displayed on the Instance Security Dashboard; applying visual filters on the Instance Security Dashboard does not yet filter the corresponding vulnerabilities out of the report.
- Helpful screenshots, as appropriate
Suggested location: update to existing https://docs.gitlab.com/ee/user/application_security/security_dashboard/#instance-security-dashboard
What does success look like, and how can we measure that?
We have at least one customer that can take our report export and use it to satisfy a request from an internal team or one of their clients.