Add vulnerability report grouping to the group vulnerability report

Release notes

Users require the ability to group vulnerabilities so they can triage them more efficiently. With this release, users are able to group by severity, status, tool and OWASP Top 10 on the group vulnerability report. This will help users better answer questions such as: how many confirmed vulnerabilities do I have in this group or project? How many vulnerabilities still need to be triaged?

Intended users

User experience: Design

🎨 Design: Vulnerability groups (MVC) (#267588 - closed)

For the Vulnerability Report on the group level for development and operational vulnerabilities:

  • Users should be able to efficiently prioritize and triage vulnerabilities arranged by similar properties.
  • Users should be able to take action on vulnerabilities with similar properties at one time.

MVC

Group by:

  • Status
  • Severity
  • Tool
  • OWASP Top 10

Additional requirements

  • Provide a dropdown button for users to view groups of vulnerabilities with the same property.
  • Whenever a grouping is applied, the column headers are moved below the group titles.
  • If an entire group is selected and spans across pages, all vulnerabilities within the group should be selected across pages.
  • If a vulnerability applies to more than one group, it should be shown more than once. In other words, it should be included (duplicated) within every group it applies to. However, the number in the single stat should only count it once.
  • If there are vulnerabilities that don't fall into any of the groupings (e.g. OWASP Top 10 and CWE Top 25), there should be a Non-{group_name} group at the end of the list.
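The duplication, single-stat and Non-{group_name} rules above, as an added example (not GitLab's own code) in Ruby: the sample vulnerabilities, their field names and the severity order are constructed assumptions.

```ruby
# Constructed sample vulnerabilities (not real GitLab data); field names are assumed.
VULNS = [
  { id: 1, severity: "critical", state: "confirmed", tool: "sast", owasp: ["A01", "A03"] },
  { id: 2, severity: "high",     state: "detected",  tool: "dast", owasp: ["A03"] },
  { id: 3, severity: "medium",   state: "detected",  tool: "sast", owasp: [] },
  { id: 4, severity: "low",      state: "dismissed", tool: "secret_detection", owasp: [] },
].freeze

# Assumed display order for severity groups (alphabetical would be wrong here).
SEVERITY_ORDER = %w[critical high medium low].freeze

# Groups vulnerabilities by +key+. A vulnerability whose value is a list
# (e.g. several OWASP Top 10 categories) is placed in every matching group;
# those with no value go into a trailing "Non-<label>" group. +order+ fixes
# the group sequence when alphabetical order is not appropriate.
def group_vulnerabilities(vulns, key, label:, order: nil)
  groups = Hash.new { |h, k| h[k] = [] }
  ungrouped = []
  vulns.each do |v|
    values = Array(v[key])
    if values.empty?
      ungrouped << v
    else
      values.each { |val| groups[val] << v } # duplicated into each group it applies to
    end
  end
  keys = order ? order.select { |k| groups.key?(k) } : groups.keys.sort
  result = keys.each_with_object({}) { |k, h| h[k] = groups[k] }
  result["Non-#{label}"] = ungrouped unless ungrouped.empty?
  result
end

# Per-group counts shown next to each group title; a duplicated vulnerability
# is counted once in every group it appears in.
def group_counts(groups)
  groups.transform_values(&:size)
end

# The single stat counts each vulnerability once, however many groups it was
# duplicated into.
def unique_total(groups)
  groups.values.flatten.map { |v| v[:id] }.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  by_owasp = group_vulnerabilities(VULNS, :owasp, label: "OWASP Top 10")
  group_counts(by_owasp).each { |name, n| puts "#{name}: #{n}" } # A01: 1, A03: 2, Non-OWASP Top 10: 2
  puts unique_total(by_owasp) # 4 (the group counts sum to 5)
end
```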

Performance considerations

Please consider how performance will be addressed before implementing this issue. Customers have reported having hundreds or more top-level groups, thousands of groups and subgroups, and thousands of projects.

Verification steps

The feature is enabled on https://gitlab.com/groups/gitlab-org/govern/threat-insights-demos/verification-projects/-/security/vulnerabilities. Test the Group By button. It's expected that:

  • Status, Severity and Tool options are available
  • Selecting any of these values should group the report
  • Next to each group, there should be counts of how many vulnerabilities there are
Edited by Savas Vedova