From YouTube: UX Group Feedback: Inline vulnerability management
Description
Andy Volpe shares new Secure designs for inline vulnerability management. Link to previous iteration: https://gitlab.com/gitlab-org/gitlab-ee/issues/8426#note_172752482
A: So today we will be discussing inline vulnerability management, what that means. So let me share my screen.

What we have to rely on right now for communicating more information... so for security, application security professionals and the like, they want to know more about vulnerabilities. So the information we have today is all inside of a modal, kind of, yeah, which is fine for now, but the goal is to be able to present more information. These are, and actually spend more interactions.

These are as well, and then in this, that's where you can see how big these modals are starting to get. They're gonna start getting much taller as we give more opportunities to interact with vulnerabilities inside of GitLab. Some of these interactions are dismissing, creating an issue, seeing when the issue is created, jumping up to that, understanding that, commenting, which is newer.

There are some different nuances in the type, but they have, like, an example with code snippets and all of this great information, and this is the thing the application security professionals love. They love to see more about the vulnerability than just, like, the type and a file. They want to know where it came from. They want to know a general overview, they can jump to documentation, they can jump to more info, which will then give them even more cool graphics, which I'm jealous of. So with...
A: So we've talked about moving to an issue pattern, but we can't today, due to how vulnerabilities are injected into our system at GitLab. They're not objects, first-class objects, I've been told, like you would see as, like, a merge request has its own page and issues have their own page as well. So we've had to kind of hunker down and do the best we can with this list for the time being.

When it was implemented a long time ago, they came in as the semi-abstract, like a vulnerability is abstract compared to even what we think of as to-dos. So we've been trying to go through several product discoveries to figure out if they can become first-class vulnerabilities, because then you get all the good metadata, you can link them to issues. They can almost become an issue of themselves, get, like, open/closed status. We can know when they actually come in, so we can report times.

We can report silly times, all these cool things. That is out of my answer. I did a little practice country work. It went all the way up. I think it's circling around the top of engineering right now, but right now they're focused on filling out the tools we have and making sure that we are reducing the number of false positives. As you can see, in reality we don't have over all of these. These are kind of a lot of false positives that we have, so that's kind of the edict I've been given.
C: I guess I'm just unsure of, like, are you saying there's technical limitations that mean we're not able to potentially create a page for each of these things, so there's restrictions around what the UX can be and we're working within that? And do we know what the technical restrictions are and why those are technical restrictions?
A: In terms of the UX, yes, the technical restrictions are enabling us to have to go a different route. I can't... I probably won't be able to articulate the technical restrictions as well as somebody else could. I can dig up some first-class object vulnerability product discoveries that we've embarked on and finished and still kind of ended with kind of liquor.

So I can do that, but yeah, that's mostly how vulnerabilities are found and detected while you're in a pipeline. The job detects that vulnerability. It will then surface that, and then how you go about remediating it has all sorts of weird spiderweb problems, from what I've been told. So hopefully that'll get done soon; even if it does, it'll make this even cooler. So I will show some designs, and I'm picking this up off of Tim's work.

So a little bit of this has been done already by Tim. I'm just kind of taking it over the finish line as he moves on to Fulfillment. So this, in essence, is how we would want to present this type of information instead of in a modal. So we have a details section and a recent activity section, and then in the details, this can get much taller, of course, but we're inline, so it's not that big of a deal, and then the activity section will actually... they'll kind of grow with each other.

Imagine if there was more activity and it had to go down, so we can do that. Sorry, my dog is going crazy. And thinking through some of the different instances: so we have nothing selected, right, and then we have a hover state which begins to show that caret, which we do in the project overview and group overview, and then once selected we'll have the caret down. We will bold the title of the vulnerability and then bring the details down in here.

We would also see, this is kind of adding a comment. Once you've done it, you can just go ahead and add it, so we don't have that modal flying around, and then this is the vulnerability with that comment included. And then, thinking along further, an activity log of dismissals and undismissals. So something that's been kicking around, it's been asked about in a few issues, is there needs to be some level of compliance built into this, so we can show when things were dismissed, when the comment was added, and if it was undismissed, by who.

And then thinking through some other cases too, so for that solution I mentioned, you know, we can have this button here. This has 'fix with merge request', as opposed to, like, jamming... although we had many buttons and button dropdowns in this area here, especially in the modal. So we want to reduce that, so being able to put it right with the solution, telling you how to implement it as well.
D: So it looks like in the nested accordion it displays by default, whereas in the top level it doesn't, and then also the placement looks a little different. And then I'm wondering, as you know, caret placement, there's so many... so many feelings around caret placement, but the one inside the nested accordion seems like a pretty standard placement, whereas the one in the top-level accordion...
A: We haven't had a lot of research done in terms of, like, what's normal in terms of dismissing, undismissing, dismissing with a comment, because we've just added in that... this is the comment feature. So there was just some mention from the compliance... someone compliance-minded was saying to think that through, but this whole mock by no means would actually be part of the MVC. It's just showing how we might be able to expand the section once it gets...
D: I'd be tempted to go in to find a vulnerability that has a whole heck of a lot of activity on it and use that as kind of a straw man for designing. It was probably an edge case, but probably a pretty relevant education to think about how you might use some sort of interaction. So what I am envisioning in my mind, which may or may not be accurate, is you've got a vulnerability that has a ton of activity, and yeah.
E: I had a similar thought when you mentioned that the activity could grow vertically. So you have this list of issues and then you're nesting the details of those inside there. I mean, my first instinct was a sidebar format where I select an issue and then a sidebar slides out, and in that I have a really nice vertical space where I can have threaded conversation, or, excuse me, it would be the activity, a lot of activity.
A: Usually when there's an issue open, that seems to be about it as well, and then when there's a solution available, which is probably less than 2% of the vulnerabilities we find that we can actually give a solution to, roughly, don't quote me on that, but a very, very small number, and then that would then be involved too. But hopefully we, you know, are able to grow the prevalence of having solutions for vulnerabilities, so average doesn't seem to be...

Maybe not cross-referencing, but it's good to be aware. The activity is almost like a status, if you would say so: knowing that an issue has been created for this, so that you don't need to replicate the issue and someone's on it, and then you can jump into that issue to have more conversation. In an issue, all of this is put into the issue description, so you can go on about solving this vulnerability, if it needs discussion, through the issue, and then knowing who dismissed it, when it was dismissed and why it was dismissed.
F: I was just wondering, since it seems like a lot of the topics that are coming up are in relation to real estate space, and if the density is different between the details and the recent activity, or the likelihood of the density being different, maybe they should be handled differently. But yeah, if it's needed for them to see it at the same time, then that makes sense.
A: Do we use a sidebar pattern, aside from where we use a sidebar pattern, the issues and MRs, you know, the common places that we're used to interacting? I don't know if we use, like, a slide-out, a slide-out panel. Does anybody know? Thanks.
C: Yeah, I was just curious here, like, what is the main action now, and I'm curious about the placement of the main action along with the sub-action of creating an issue and dismissing the vulnerability. It's kind of unclear, like, which is the main one, and I don't know because I haven't worked with vulnerabilities, so I'm just curious what your thoughts are there.
A: The main action, in our mind, should be the user will fix it with a merge request. So we know, so our tools have found that this non-constant string pass diet thing has a solution, and we know what the solution is, and in fact we can actually implement that solution. When you click 'fix with merge request', we create a brand new branch, put the patch that we know into that branch, and all you have to do is merge it. But with that said, there might be further discussion needed.

This might be a false positive, so it's really hard to gauge the priority order at this time, since this solution area is still rather new; it's only a couple milestones old. So that's another thing we'll probably need research on. We try... I'll try doing a little bit of research on it.

So that was one of the terms I've been messing around with, because today we use 'cancel', so 'close' would then collapse. We can use 'collapse', but we know we use 'collapse' up in the top right. We have that expand/collapse that we've seen in our settings, right? So I think some rephrasing of that button could be in order, 'cause 'close' is a terrible word, because we close issues and close merge requests and close... we close things in GitLab, so closing as an active, like, interaction is...
D: Yeah, because I think... so I absolutely agree that... I think just relying on the standard interaction pattern of an accordion is plenty here and would get rid of some of your button clutter. Oh good, yeah. And then even if so, I mean, look, I don't have strong feelings about left- or right-aligned carets. I would just be thinking about how to be consistent with what's already out there. That might mean that you need to think about the arrangement of the content in the top level of your accordion.

Accordions are part of our short-term design system push, aren't they, Tory? You're the one to answer that. Yeah. So maybe this is something to pick up as a short-term component to look at and think about, whether this pattern we're looking at now... it's a pretty standard accordion pattern. Mm-hmm. People know what the caret means, yeah.
E: You know, I don't have a lot of context here on how folks use this screen and these tools today and what our standard conventions are, but the buttons definitely were confusing to me and made me think in a lot of ways. And even now, with the adjustment of making what looked to be a tag originally into more of a button, a 'fix' button, it's still confusing, because the 'create issue' is bottom right, which gives it priority, but then 'fix with merge request' is full-color, which gives it priority, and then they're both green.
E: Then add to that that 'dismiss vulnerability' is orange and I don't really know why. And again, maybe there's, you know, users have some context here that I don't have, but it's definitely stopping me in my tracks and confusing me as to why those two are both green but in different places, which one is the most important and recommended action.
G: The current modal, on your last iteration in the modal, Andy, does that have the dropdown, or am I confusing? That was something else where it didn't have the fix... 'fix with merge request', where it was actually like a dropdown to create an issue or fix with merge request. Is that the current iteration? Yes? Yes, if...
E: Yes. That last question, really quick: so what's the common use case here? Am I coming in and going directly to an issue and doing a deep dive and addressing it, you know, all-in-one, or am I kind of browsing issues and trying to figure out if I'd need or want to take action on one or more of them in this list?
A: Kind of learn as much as you can about this solution, and I guess now that that means, I mean, HackerOne, which is one of our bug bounty programs, it's probably a real thing that needs to be addressed. So here you would probably create an issue to then address it, so that it could no longer be a vulnerability in our system. And then something like this, we already have an issue created, so you're good; so Steve created this issue, that's awesome. And then anything that's dismissed...

You know, kind of what we would call whitelisted or dismissed, meaning that it's not a problem, false positive, not a big deal. So it's really just coming in, maybe opening everyone, but really the users are focused in on the critical, high, medium. Those... these low, it's probably not a big deal, or it's in the project they don't care about, which we give them this little... it's all in tests.js or nvm test. So it's probably not a big deal, because it's not in production.
D: You got a ton of feedback, which is great, and you do such a good job of taking feedback and being very thoughtful about it after the fact. And something I, if I were in your shoes, would be tempted to do is to just go sketch for a while, because this is pretty high fidelity, which means a lot of effort to make.