Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / UX Team / 31 Jul 2019
GitLab / UX Team / 31 Jul 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: UX Experience Baseline, Q2 2019: Interacting with vulnerabilities in the MR

Description

Stage: Secure

Experience: Interacting with vulnerabilities in the MR

Job to be done: When committing changes to my project, I want to be made aware if I am adding risk through vulnerable code, so that I know my changes can be merged without increasing the risk of my project.

Evaluation: https://gitlab.com/gitlab-org/gitlab-design/issues/400

Recommendations: https://gitlab.com/gitlab-org/gitlab-design/issues/479

Link to issue: https://gitlab.com/gitlab-org/gitlab-design/issues/400

Link to Experience Baselines and Recommendations documentation: https://about.gitlab.com/handbook/engineering/ux/experience-baseline-recommendations/

A

Everyone welcome to another experience baseline video. My name is Andy I'm a product designer for the secure stage and I'll be reviewing the experience managing vulnerabilities detected when requests before we dive in I'll. Give you a brief overview of the baseline initiative. First, we start by creating a job to be done in this case. It is when committing changes to my project. I want to be made aware if I'm adding risk through vulnerable code, that I know my changes can be merged without increasing the risk of my project.

A

The next thing we would do is document the experience and while we're doing that, where it would be giving emotional grades, so we would either give a positive, neutral or negative to each of the tasks that are included within our job to be done once we're done. Giving emotional grades will then give letter grades. Based on the frustration, we may have experienced our task completion and steps to accomplish a task.

A

So how about we go? Look at the experience?

A

Okay, so we find ourselves here in the M R for time purposes, I run a pipeline with the commits, and now our first task is really to begin understanding. If there's any vulnerabilities in this merge request so right away, I do see them it's good. They make it stand out. I think they could whole line could use a little bit of treatment.

A

It seems like a lot to read so and I wonder if we even need to show dismissed vulnerabilities here, because they've kind of been deemed as false positives or won't fix by the organization, so yeah I think one thing to do.

A

They really think about how we're showing new new vulnerabilities and how many there are so if I'm, the user now the next thing I would do is I would probably expand this to see what vulnerabilities are, what and then I see sassed Pierce s, vulnerabilities and I'm kind of just hit by a wall of text. Here it's not not a very easy wish to parse and that's separated by the type of scanning. That's been done.

A

Gas containers handing up upwards and I wonder if that's the proper way to organize this list, because we have a medium vulnerability here. But within this higher list here which inked prominence, we had low power ability. So I could question that. But right now, if I was a user and find this kind of hard to use. So what I would do is I would go on over and see the full report let's go and do that.

A

So right now I see it's kind of same separated in that column in the pipeline. Basically just the pipeline view jobs and licenses here. So maybe, if I expand this yeah I get I get another scrolling list. So this is basically the the same thing in the mr just a tiny bit different layout, very marginally different, so I would be kind of frustrated mm, easier and I came here from them are expecting a different list or a better experience.

A

So I would probably close this and they go back.

A

So that said now I'm back in this list, because there's really no difference. You know I start reading. Some of these vulnerabilities and I see that there's all these X's they seem very redundant, but I do know that we do have checks green checks when there are fixed vulnerabilities found in the pipeline, but I wonder if there's a better way to communicate this or eliminate some redundancies. Another thing I see here is a the severity label and the confidence label. There was the only thing that denotes that this is confidence. Is that parentheses here?

A

So these need some treatments or some columns or some way to identify these as severity and as confidence, and then, when you start looking at the vulnerability, so here's the title, it's a link and then we have a file. So I wonder why you know we would want to show a file here when I would expect to see the file and the details.

A

So if I go ahead and open it up, unfortunately does open in a modal, so you imagine having to open up words: 65 modal's, you had to that'd, be pretty rough, so thinking, that's just not a good experience and the informations laid out pretty well. You know some people might not know what finds security bugs, so they might want I want to click on it, investigate it, and then you know we have some ambiguous like class and method I'm, not sure if that's adding any value here and then we have.

A

This issue has been created for this vulnerability, so we didn't didn't show that in the list, so this this vulnerability has already kind of been being investigated. They're being looked at so I would I'd be pretty annoyed if I was a user and I was clicking all these vulnerabilities that he'll these issues.

A

So, let's find one that doesn't okay, great and the next thing I would do is I. Could I could take action and create an issue or dismiss it? Let's take the route of creating an issue.

A

And it takes me away, but the issue has been created, so that's interesting, I wish I would have just gotten a little notification in the dashboard and the Mr.

A

Instead I've been taken away from the page, it would been nice to know. Like you know, issue has been created, or maybe it gives me a way to edit it right from there as opposed to being taken away because I'm not done yet I have to get the merge request emerge. So I now had to go back.

A

And going back yep the list collapses and if I was somewhere in the middle list, I've lost my place and with no indication that an issue has been created. That might be the more of a problem and if we were to say want to remediate this by just going right to the file, we can certainly do that and at 4:04 word I'm wondering if that could just be an error in the test here. So let's try another file there we go so that's nice. It highlights the line.

A

It takes me right to the file something weirds happening here. This actually could be a bug or just could be how I've done this commit, but it does not. Let me edit this file, so if this was something that's actually happening, that wouldn't be a really good experience, because I can't just edit and commit it.

A

The same branch I'm on, unfortunately, cannot edit files branch, so I wish it would be a little more clear or I'm, not sure why we're taking users here they can't actually make a change so that again leads to a pretty poor experience, and you know it gets pretty hard to try to rather be remediated. All these looks some of the broken experience. So overall I'd have to give this experience a D. It is presentable. Does it does work, but unfortunately it works with high frustration and probably some workaround.

A

So a lot of a lot of work needs to be done to explore some of these problems. So that's it for base lining the security features in omar's have a good one.