Description
Andy Volpe shows an iteration of a security feature for dismissing a vulnerability with an associated comment, answers questions, and takes feedback from the UX team.
A: So the issue I'm designing for is this issue here, which is: add an optional reason when dismissing a vulnerability. A little background: when you commit code in a merge request, we have tools in place to find any vulnerabilities that we know of in that code, and then we present it to you and you can do a few things with it. One is nothing: just let it happen, and then it'll go into a dashboard or a list. You can create an issue and then discuss that vulnerability, or you could take action to fix it.

A: Vulnerabilities, though, are not first-class objects in the way that issues are. Issues, you can do a lot of cool stuff with them: they're linked across MRs, they can be closed dynamically when you have the MR and it's merged, and they're not very specific. It's sort of like a to-do, either. Vulnerabilities are kind of just like an alert, but then they kind of go away after you do something. So I just wanted to set a quick stage, because vulnerabilities aren't quite there yet. They're still trying to be first-class objects, and we actually have a bunch of issues open to get them there.

A: Like I said, you get all this great information, and that's kind of where we're at right now, and we have these quick options, dismiss and create an issue, right from here. The reason why someone wants to add a reason is that our security team and our customers are saying: well, it's dismissed, but we want to know the circumstances around it. Not just the fact that it's not a problem; is it not a problem because this is a project that's not live, like it's not in production, so we don't care about vulnerabilities that happen there? Or is this a vulnerability that we know isn't a problem? It also helps with compliance as well. So I made a prototype to walk through how this could work. Are there any questions before I dive into the prototype?

A: The thought is, we don't really know yet, but the belief is, and the data we have shows, that when it's dismissed that's kind of like final, like we're okay with it not ever being undismissed. And let's say this particular vulnerability was dismissed in an MR. If we do another commit and the vulnerability is not found, it's treated as fixed and it is no longer in this dashboard.

A: And today, when you dismiss it, the modal just goes away, and then it's marked as dismissed in the dashboard. What we're proposing is keeping it open and allowing you to add a comment. So we've dismissed it, we get this nice image information with the timestamp, we get who, and we get where. So let's add a comment.

A: So we edit it. You can just go in here and add a reason, and it adjusts, and then, if we close, we see our finished product in the dashboard, where it is dismissed with a little comment saying a good reason. I'm thinking that it will be able to go to two lines and then we'll start truncating, probably. And that's pretty much it, but I can go through it again slowly.

A: So I had a version that had the box open, and a PM and a few other people in the Secure group were like: no, we really want to make sure that it's optional. So they felt that the alternatives that I had, that had a text box open or just a general commenting box, were going to be a little too forward for the user.

E: Oh sorry, I didn't notice that either. I love this, by the way. I think this is so great, but I had the same thought about: maybe if there's a way to show it more prominently, but still have it be clearly optional, because I went through it actually hoping to add a comment, and I knew that that option would be there just from reading the description, and I could not find it. And then I went through the whole thing again and I was looking at it, and then I said...

A: I have considered doing something up here, similar to this, where there's a reason field and then, when you click that, it will take you into the editor. That wasn't shot down, but they were saying they would like to see it a little more in the background, as an option. But I think if it's just an icon without supporting text, and it doesn't look like a button, I think it does have the ability to be missed. So that's a good point. Yeah.

C: We always want to be concise with our button text, and the button kind of implies that it's optional, because I'm doing another thing: it's not as front and center at that point. Also, though, exploring the idea of building off the existing optional pattern for form fields. I'm not saying that this is the solution, I'm just trying to be clear about what I'm saying: even putting "optional" in parentheses at the end of your placeholder text could be another, more obvious pattern.

A: Yeah, it's going to be a challenge, especially because all of this interaction is happening in such a limited space. Working inside of GitLab is like a vast open country, versus working within the modal itself. I mean, there are plans to hopefully get rid of the modal; that is TBD.

F: Yes, so this view, when the comment has been applied, so I guess it's after the modal. What's the importance of the comment? If the user is going through this action to essentially disable this, is the comment really important, like how much visibility? Really what I'm getting down to is: should we have it here? Because when the comment is there, it's very visible.

A: Yeah.

F: I think it's interesting because the header itself is more subtle now, because it's a little bit grayed out, but then the comment is not, and so we've got different variations of darkness and lightness of font. So what I wanted to know is: is it the comment that's the most important? But then it's a comment about something that you're disabling, and so there's kind of a conflict of interest there of what am I wanting to see when I'm on this page? What is the...

A: Ideally, the main focus would be the active vulnerabilities, and the dismissed vulnerabilities would then be a part of their own list. That issue has not yet hit the milestone, so we won't be doing that. Hopefully, the dismissed vulnerabilities here would be aggregated in a separate list so that you can go and look through those. Maybe there it's more appropriate to see the full reason without clicking into it, versus here, right, because it's going to be a mix. The focus is going to be on the active vulnerabilities. These ones here...

F: Well, one, we're giving it more real estate space, but if it's not the priority content of that page... I mean, it is within this moment, because the user just added the comment, but every time after that a user goes to this page, are we allocating too much real estate for something that's less important, plus the different variations of color?

A: Mm-hmm. I think in the context of fixing vulnerabilities it's less important, but it is important in the context of dismissed vulnerabilities, so that grouping might be able to help. I agree that it might not need all this space, especially if this is just jam-packed with text and then another one is packed with text; right, it might get daunting to even want to read it. I was in a way referencing our Activity Feed and how it's just short.

D: Andy, can you group all the dismissed vulnerabilities together and then have that log more front and center within that? Like, I don't know if there are tabs on that page, I'm not really familiar with it, but so you could just kind of toggle quickly to the dismiss log, and then maybe it's not as confusing if there are a lot of comments on it that you could see up front, because you're like: I want to see all the dismissed vulnerabilities, I want that context of why these were all dismissed.

A: Mm-hmm. We can't group them today for a few back-end reasons, but we do have designed and planned, and front-end is ready with, a way to just see either all dismissed or all active. Given that they were all dismissed, I think showing the log might be beneficial, but in this context it might not be beneficial to see, you know, the actual details of the dismissal as opposed to: oh, it's dismissed. Oh, there's a comment I can see. And then, oh, a comment would appear here, right.

A: So one is: all security tools are just looking for, like, this. It's almost like a binary relationship between: is this a vulnerability or is it not? And oftentimes they will flag something called a false positive, and it happens with every software product that's using any kind of security tool or security scanning. So if it's a known false positive, the industry will know it and they'll be made aware; they can come in here and just say: oh, that's not a thing, we don't need to investigate it. We don't need to waste time on trying to get it out of our code; just whitelist it (that's another term), and then they'll dismiss the vulnerability. Another is that the vulnerability might not be in a project that's affected, so these are all in the Community Edition, but we have vulnerabilities that might be just in a sub-project.

D: I'm almost... I'm wondering, I mean this is probably not obvious either, I was just seeing it in my head, I'm almost seeing like quick replies. I wonder if that would be useful, just so you click a common reason for dismissing, and then the only time you really have to add a detailed comment is, like: I don't see the reason listed here. I don't know if that would be useful. It might just be interesting if you can group together common reasons why people are dismissing.

A: This would be the first implementation of being able to comment on a vulnerability. I threw out the idea of just a general comment, so we would just have a general comment area inside the vulnerability itself, but it was very specific that the comments are always geared towards reasons why it's dismissed. Not necessarily: let's put a comment here and discuss the vulnerability, because in that case they would just open an issue and start talking about the vulnerability itself, where you can have a more facilitated conversation and get all the features of the discussion area.

G: Discussion has been going on, fluctuating back and forth between "comment" and "reason" as the label. For me personally, "reason" resonates more, particularly for this reason: when you first said it, when you were on the screen and you said it was a comment, I then expected it to be a threaded thing that I could reply to, whereas a reason, in this case I'm assuming it's going to be a one-off thing and not threaded. So "reason" resonates a little bit more with me than "comment".

A: Would "close"... which, I created an issue to remove this button, "create issue", when you click dismiss. So the thought is that you would only have these two buttons after that issue gets discussed, because this is like... I've also, like, I don't know, okay, it's what you're asking them to close. It could say "done", but they're not necessarily done.

E: I'm wondering a couple of things. One, I'm wondering if it's possible to add the comment, and if they've typed something in that field, then there won't necessarily need to be an "add a comment" or "cancel" button; it's just whether they've typed in it or deleted it. And I wonder if "close", if they've added a comment, could change to "add a comment and dismiss".

E: And "close"... personally, I wouldn't know if it was going to save my... no, I'd change it to "dismiss". I would consider maybe testing if "dismiss" would be sort of the default state, and then, instead of "close" and "add comment and dismiss", that could be a way to eliminate some of those other buttons but still confirm: yes, we recognize you added a comment, we're saving it. Okay.

A: I don't like the term "close" here, because "close" has other connotations, like issues and merge requests. I'm not a fan of using the word "close" here, and before, this button actually was "cancel", and that doesn't make any sense once you've done something. So I think... I had "comment and dismiss"; I think it was a really good idea.