Description
Stage: Secure
Experience: Interacting with vulnerabilities in the MR
Job to be done: When committing changes to my project, I want to be made aware if I am adding risk through vulnerable code, so that I know my changes can be merged without increasing the risk of my project.
Evaluation: https://gitlab.com/gitlab-org/gitlab-design/issues/400
Recommendations: https://gitlab.com/gitlab-org/gitlab-design/issues/479
Link to issue: https://gitlab.com/gitlab-org/gitlab-design/issues/400
Link to Experience Baselines and Recommendations documentation: https://about.gitlab.com/handbook/engineering/ux/experience-baseline-recommendations/
A: Everyone, welcome to another experience baseline video. My name is Andy. I'm a product designer for the Secure stage, and I'll be reviewing the experience of managing vulnerabilities detected in merge requests. Before we dive in, I'll give you a brief overview of the baseline initiative. First, we start by creating a job to be done. In this case, it is: when committing changes to my project, I want to be made aware if I'm adding risk through vulnerable code, so that I know my changes can be merged without increasing the risk of my project.
A: The next thing we would do is document the experience, and while we're doing that we would be giving emotional grades, so we would give either a positive, neutral or negative to each of the tasks that are included within our job to be done. Once we're done giving emotional grades, we will then give letter grades based on the frustration we may have experienced, our task completion, and the steps to accomplish a task.
A: Okay, so we find ourselves here in the MR. For time purposes, I ran a pipeline with the commits, and now our first task is really to begin understanding if there are any vulnerabilities in this merge request. So right away I do see them. It's good; they make it stand out. I think the whole line could use a little bit of treatment.
A: Really think about how we're showing new vulnerabilities and how many there are. So if I'm the user, now the next thing I would do is I would probably expand this to see what the vulnerabilities are, and then I see SAST vulnerabilities and I'm kind of just hit by a wall of text. Here it's not a very easy list to parse, and it's separated by the type of scanning that's been done: SAST, containers and on upwards. I wonder if that's the proper way to organize this list, because we have a medium vulnerability here, but within this higher list here, which gets prominence, we have a low vulnerability. So I could question that. But right now, if I was a user, I'd find this kind of hard to use. So what I would do is I would go on over and see the full report. Let's go and do that.
A: So right now I see it's kind of the same, separated in that column in the pipeline. Basically just the pipeline view, jobs and licenses here. So maybe if I expand this, yeah, I get another scrolling list. So this is basically the same thing as in the MR, just a tiny bit different layout, very marginally different. So I would be kind of frustrated if I'm a user and I came here from the MR expecting a different list or a better experience.
A: So that said, now I'm back in this list, because there's really no difference. You know, I start reading some of these vulnerabilities and I see that there are all these X's. They seem very redundant, but I do know that we do have green checks when there are fixed vulnerabilities found in the pipeline, but I wonder if there's a better way to communicate this or eliminate some redundancies. Another thing I see here is the severity label and the confidence label. The only thing that denotes that this is confidence is the parentheses here.
A: So these need some treatment, or some columns, or some way to identify these as severity and as confidence. And then, when you start looking at the vulnerability, so here's the title, it's a link, and then we have a file. So I wonder why, you know, we would want to show a file here, when I would expect to see the file in the details.
A: So if I go ahead and open it up, unfortunately it does open in a modal, so imagine having to open up 65 modals; that'd be pretty rough. So I'm thinking that's just not a good experience. The information's laid out pretty well. You know, some people might not know what Find Security Bugs is, so they might want to click on it and investigate it, and then, you know, we have some ambiguous things like class and method. I'm not sure if that's adding any value here, and then we have...
A: This issue has been created for this vulnerability, so we didn't show that in the list, so this vulnerability has already kind of been investigated; it's being looked at. So I'd be pretty annoyed if I was a user and I was clicking all these vulnerabilities that had these issues.
A: And going back, yep, the list collapses, and if I was somewhere in the middle of the list, I've lost my place, with no indication that an issue has been created. That might be more of a problem. And if we were to, say, want to remediate this by just going right to the file, we can certainly do that, and a 404 error. I'm wondering if that could just be an error in the test here. So let's try another file. There we go, so that's nice; it highlights the line.
A: It takes me right to the file. Something weird's happening here. This actually could be a bug, or it could just be how I've done this commit, but it does not let me edit this file. So if this was something that's actually happening, that wouldn't be a really good experience, because I can't just edit and commit it.
A: On the same branch I'm on, unfortunately, I cannot edit files, so I wish it would be a little more clear, or I'm not sure why we're taking users here if they can't actually make a change. So that again leads to a pretty poor experience, and, you know, it gets pretty hard to try to get this remediated. All of these look like some of the broken experience. So overall I'd have to give this experience a D. It is presentable. It does work, but unfortunately it works with high frustration and probably some workarounds.