
Improved visualization of SAST results in MR widget

Description

SAST (https://gitlab.com/gitlab-org/gitlab-ee/issues/3723) runs security checks on the source code, and the results are then shown in the MR widget (https://gitlab.com/gitlab-org/gitlab-ee/issues/3775).

Instead of showing the full list of security warnings (which can relate to the new code changes or just to the "original" code), we should be able to show both what is related to the specific MR and what the full status is.

Each item that is not present in the latest available SAST report in the target branch will be marked as "new", like we do for Code Quality.

Proposal

Implement an improved view for the SAST report.

The first expansion of the list shows only "new" items, while a second option to expand further shows the complete list of "new" and "existing" warnings.

Design

Mockups and Details

  • "Always visible report" shows only the new vulnerabilities compared to the previous report. Show all vulnerabilities can show the rest upon explicit request of the user.
  • With added and fixed vulnerabilities & a list to show them all

image

  • With neither fixed nor added vulnerabilities and a list to show them all

So no list expand anchor, as they are all shown by default

image

  • With fixed vulnerabilities & a list to show them all

image

  • With added vulnerabilities that are exactly the same as the full list (not sure if we have a way to do this) cc @dzaporozhets
  • Does the show all list toggle back?

No :)

  • Does the show all list add items to the list above?

Yes

empty

  • When the list is expanded with previously discovered items, the anchor disappears and they are shown as one list:

From:

img

To:

image

Copy

  • loading
    • SAST
      • Spinner icon + in progress
  • error
    • SAST
      • Exclamation mark icon + There was an error in loading results
  • text with only added vulnerabilities
    • SAST detected 1 vulnerability
    • SAST detected 4 vulnerabilities
  • text with only fixed vulnerabilities
    • SAST detected 1 fixed vulnerability
    • SAST detected 2 fixed vulnerabilities
  • text with both
    • SAST detected 1 vulnerability and 1 fixed vulnerability
    • SAST detected 4 vulnerabilities and 2 fixed vulnerabilities
  • Anchor below: Show complete code vulnerabilities report
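The comparison rule from the description (an item is "new" when it is absent from the target branch's latest SAST report) and the widget copy listed above, worked through as an added JavaScript example; this is not GitLab's MR-widget code. The fingerprint used to match findings across the two reports, the wording for the case with neither added nor fixed vulnerabilities, and hiding the anchor when there is nothing further to show are assumptions; the two sample reports are constructed.

```javascript
// Added example, not GitLab's own MR-widget code. It pairs the SAST report of
// the MR's head revision with the latest report of the target branch, marks
// findings as added / fixed / existing, and builds the widget copy listed
// under "Copy" in the issue.

// ASSUMPTION: findings are matched on tool + file + line + message. GitLab's
// real fingerprinting may use other fields.
const fingerprint = (v) => [v.tool, v.file, v.line, v.message].join('|');

// Constructed sample reports (not real scanner output).
const BASE_REPORT = [
  { tool: 'bandit', file: 'app/db.py', line: 12, message: 'SQL string built by concatenation' },
  { tool: 'bandit', file: 'app/auth.py', line: 40, message: 'Hard-coded password' },
  { tool: 'bandit', file: 'app/util.py', line: 7, message: 'Use of insecure hash md5' },
];
const HEAD_REPORT = [
  { tool: 'bandit', file: 'app/auth.py', line: 40, message: 'Hard-coded password' },
  { tool: 'bandit', file: 'app/util.py', line: 7, message: 'Use of insecure hash md5' },
  { tool: 'bandit', file: 'app/api.py', line: 55, message: 'Subprocess call with shell=True' },
  { tool: 'bandit', file: 'app/api.py', line: 90, message: 'Pickle deserialization of untrusted data' },
];

// added ("new"): in head but not in base; fixed: in base but not in head;
// existing: in both (listed only after "Show complete code vulnerabilities report").
function compareSastReports(baseReport, headReport) {
  const baseKeys = new Set(baseReport.map(fingerprint));
  const headKeys = new Set(headReport.map(fingerprint));
  return {
    added: headReport.filter((v) => !baseKeys.has(fingerprint(v))),
    existing: headReport.filter((v) => baseKeys.has(fingerprint(v))),
    fixed: baseReport.filter((v) => !headKeys.has(fingerprint(v))),
  };
}

// "1 vulnerability" / "4 vulnerabilities" / "2 fixed vulnerabilities"
function countText(n, fixed = false) {
  const noun = n === 1 ? 'vulnerability' : 'vulnerabilities';
  return `${n} ${fixed ? 'fixed ' : ''}${noun}`;
}

// Widget headline, following the "Copy" section of the issue.
function summaryText({ added, fixed }) {
  if (added.length > 0 && fixed.length > 0) {
    return `SAST detected ${countText(added.length)} and ${countText(fixed.length, true)}`;
  }
  if (added.length > 0) return `SAST detected ${countText(added.length)}`;
  if (fixed.length > 0) return `SAST detected ${countText(fixed.length, true)}`;
  // ASSUMPTION: the issue gives no copy for this case; the wording is ours.
  return 'SAST detected no new or fixed vulnerabilities';
}

// What the widget lists. With no added or fixed items everything is shown by
// default and there is no expand anchor; otherwise only "new" items are listed
// until the user asks for the complete report, which appends the existing ones
// and removes the anchor. ASSUMPTION: the anchor is also omitted when the
// "new" list already equals the full list (the open question in the issue).
function widgetState(diff, showAll = false) {
  const hasChanges = diff.added.length > 0 || diff.fixed.length > 0;
  const expanded = !hasChanges || showAll;
  return {
    text: summaryText(diff),
    items: expanded ? [...diff.added, ...diff.existing] : diff.added,
    fixed: diff.fixed,
    showAnchor: hasChanges && !showAll && diff.existing.length > 0,
  };
}

// Stand-alone run: the collapsed and the expanded widget for the sample MR.
const sampleDiff = compareSastReports(BASE_REPORT, HEAD_REPORT);
console.log(widgetState(sampleDiff));
console.log(widgetState(sampleDiff, true));
```

For the constructed sample the headline reads "SAST detected 2 vulnerabilities and 1 fixed vulnerability", the collapsed widget lists the two new findings with the anchor shown, and expanding appends the two existing findings and drops the anchor. Comparing a branch against itself yields the "neither fixed nor added" mockup: all items listed, no anchor.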
Edited by Dimitrie Hoekstra