Consider dismissed items in security reports summary: Merge Request Widget
Description
We should update the counters in the Security Reports summary and the headers in the MR widget to reflect dismissed issues. If all the remaining vulnerabilities are dismissed, it doesn't sound right to show "Security scanning detected 5 vulnerabilities".
Proposal
Use this language on the summary and headers in the MR Widget:
Security scanning detected X new, Y dismissed and Z fixed vulnerabilities.
Solution:
- Add "X dismissed vulnerabilities" or "X dismissed," (depending on location) to the string in security reports and the MR widget.
- Group dismissed vulnerabilities and place them at the bottom of the lists for each report type.
- Follow up with this design proposal to better display dismissed vulnerabilities in the reports: https://gitlab.com/gitlab-org/gitlab-ee/issues/8960
Examples:
5 vulnerabilities are found, 2 are dismissed and 1 is fixed:
MR Widget
Security scanning detected 2 new, 2 dismissed and 1 fixed vulnerability
SAST detected 2 new, 2 dismissed and 1 fixed vulnerability
Design:
[screenshot] Mix of dismissed, new and fixed vulnerabilities
Cases:
[screenshots] No dismissed vulns; No fixed vulns; All fixed vulns
Rules:
- The list will be broken into two sections: ❌ New vulnerabilities and ✅ Fixed vulnerabilities.
- Dismissed vulnerabilities will be moved to the bottom of either section, depending on whether they are (new + dismissed) or (fixed + dismissed).
- Only dismissed vulnerabilities that are new will be included in the "X dismissed" count.
- New vulnerabilities are always presented in the top section of the tool (SAST, DAST, etc.) container.
- New vulnerabilities are always preceded with the ❌ icon, regardless of whether they are dismissed or not.
- New vulnerabilities that have been dismissed are always presented at the bottom of the new vulnerability list.
- Fixed vulnerabilities are always presented in the bottom section of the tool container.
- Fixed vulnerabilities are always preceded with the ✅ icon, regardless of whether they are dismissed or not.
- Fixed vulnerabilities that have been dismissed are always presented at the bottom of the fixed vulnerability list.
- Dismissed vulnerabilities that have been fixed will be counted along with the other fixed vulnerabilities and not included in the "X dismissed" count.
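The counting and ordering rules above, worked through as an added JavaScript example; this is not GitLab's widget code. The finding shape `{ id, status: 'new' | 'fixed', dismissed }`, the function names, and the two sample reports are assumptions constructed for illustration. It also covers the case the description calls out (every remaining finding dismissed) and a fixed finding that had previously been dismissed.

```javascript
// Added example, not GitLab's own widget code. Models the counting and ordering
// rules from this issue. The finding shape is an assumption for illustration:
//   { id: string, status: 'new' | 'fixed', dismissed: boolean }

// Group one report type (e.g. SAST) into its two sections and compute its counts.
function groupReport(findings) {
  const byStatus = status => findings.filter(f => f.status === status);
  // Non-dismissed items first, dismissed items at the bottom; relative order is kept.
  const dismissedLast = list => [
    ...list.filter(f => !f.dismissed),
    ...list.filter(f => f.dismissed),
  ];
  const newSection = dismissedLast(byStatus('new'));
  const fixedSection = dismissedLast(byStatus('fixed'));
  return {
    newSection,
    fixedSection,
    counts: {
      // "X new" excludes dismissed items...
      new: newSection.filter(f => !f.dismissed).length,
      // ...which are reported under "Y dismissed" only when they are new.
      dismissed: newSection.filter(f => f.dismissed).length,
      // Fixed + dismissed items count as fixed, never as dismissed.
      fixed: fixedSection.length,
    },
  };
}

// Sum per-report counts for the MR widget header.
function aggregateCounts(groupedReports) {
  return groupedReports.reduce(
    (acc, g) => ({
      new: acc.new + g.counts.new,
      dismissed: acc.dismissed + g.counts.dismissed,
      fixed: acc.fixed + g.counts.fixed,
    }),
    { new: 0, dismissed: 0, fixed: 0 },
  );
}

// "<prefix> detected X new, Y dismissed and Z fixed vulnerabilit(y|ies)".
// The issue's example ("... 1 fixed vulnerability") makes the noun agree with the
// last number, so this follows that (an assumption about the intended rule).
function summaryLine(prefix, counts) {
  const noun = counts.fixed === 1 ? 'vulnerability' : 'vulnerabilities';
  return `${prefix} detected ${counts.new} new, ${counts.dismissed} dismissed and ${counts.fixed} fixed ${noun}`;
}

// Rows in display order: ❌ for every new item, ✅ for every fixed item;
// dismissed items are marked but keep their section's icon.
function renderRows(grouped) {
  const row = (icon, f) => `${icon} ${f.id}${f.dismissed ? ' (dismissed)' : ''}`;
  return [
    ...grouped.newSection.map(f => row('❌', f)),
    ...grouped.fixedSection.map(f => row('✅', f)),
  ];
}

// Constructed sample matching the issue's example: 5 found, 2 dismissed, 1 fixed.
const sastFindings = [
  { id: 'sast-1', status: 'new', dismissed: false },
  { id: 'sast-2', status: 'new', dismissed: true },
  { id: 'sast-3', status: 'new', dismissed: false },
  { id: 'sast-4', status: 'new', dismissed: true },
  { id: 'sast-5', status: 'fixed', dismissed: false },
];

// Constructed second report: every remaining finding is dismissed (the case the
// description calls out), plus one fixed finding that had been dismissed earlier.
const dastFindings = [
  { id: 'dast-1', status: 'new', dismissed: true },
  { id: 'dast-2', status: 'fixed', dismissed: true },
];

const sast = groupReport(sastFindings);
const dast = groupReport(dastFindings);
console.log(summaryLine('Security scanning', aggregateCounts([sast, dast])));
console.log(summaryLine('SAST', sast.counts));
console.log(summaryLine('DAST', dast.counts));
renderRows(sast).forEach(r => console.log('  ' + r));
```

With the constructed input the SAST header reads "SAST detected 2 new, 2 dismissed and 1 fixed vulnerability", the DAST header reads "DAST detected 0 new, 1 dismissed and 1 fixed vulnerability" (the dismissed fixed finding lands under "fixed"), and the widget header sums them to "2 new, 3 dismissed and 2 fixed vulnerabilities".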