Problem:
Currently, developers don't have visibility into vulnerabilities in their projects.
Goal:
Our initial requirement is to allow developers the ability to view base image vulnerabilities across all container images within a specific Project.
Why is it important?
Use cases:
As a developer, ...
- I want to view a count of the images that are vulnerable in my selected project, when CSO (the Container Security Operator) is installed on the cluster.
- I want to see a breakdown by severity across all vulnerable images in my selected project.
- I want to see the number of vulnerabilities in each vulnerable image and the count of how many are fixable.
- I want to see how many pods are affected by each vulnerable image.
- I want a link to the details in Quay for each vulnerable container image that is stored in that repository.
Acceptance criteria
As a developer, ...
- I should be able to see an option to view the list of vulnerabilities for a selected project.
- I should be able to see the total count of vulnerable images in a selected project.
- I should be able to see severity-based counts of all vulnerable images in a selected project.
- I should be able to drill into the severity, count of vulnerabilities, count of fixable vulnerabilities, and number of affected pods for each vulnerable image.
- I should be able to launch the Quay UI panel in the context of the manifest of the vulnerable image stored in that repository.
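The use cases and acceptance criteria above all reduce to one aggregation over the per-image scan results that CSO publishes in the project. The following is an added example (not code from this ticket or from the console code base) showing that aggregation: the input shape mirrors the ImageManifestVuln custom resource written by the Container Security Operator, but the field names used here (spec.image, spec.manifest, spec.features[].vulnerabilities[], status.affectedPods) are an assumption, not something the ticket states, and the Quay URL pattern in quayManifestLink is likewise assumed. The sample resources and CVE identifiers are constructed placeholders.

```typescript
// Added example: project-level vulnerability summary computed from
// ImageManifestVuln-like resources. Field names and the Quay UI path are
// assumptions (see lead-in); sample data below is constructed.

type Severity = 'Critical' | 'High' | 'Medium' | 'Low' | 'Negligible' | 'Unknown';

interface Vulnerability { name: string; severity: Severity; fixedBy?: string; link?: string }
interface Feature { name: string; version: string; vulnerabilities: Vulnerability[] }

interface ImageManifestVuln {
  metadata: { name: string; namespace: string };
  spec: { image: string; manifest: string; features: Feature[] };
  // pod name -> container image IDs running this manifest (assumed shape)
  status: { affectedPods: Record<string, string[]> };
}

export interface ImageSummary {
  image: string; manifest: string; highestSeverity: Severity;
  vulnerabilityCount: number; fixableCount: number; affectedPodCount: number; quayLink: string;
}

export interface ProjectSummary {
  vulnerableImageCount: number;
  bySeverity: Record<Severity, number>; // each image counted once, under its highest severity
  images: ImageSummary[];
}

// Most severe first; used both for "highest severity" and for sort order.
const SEVERITY_ORDER: Severity[] = ['Critical', 'High', 'Medium', 'Low', 'Negligible', 'Unknown'];
const rank = (s: Severity): number => SEVERITY_ORDER.indexOf(s);

// Assumed Quay UI path for a manifest's security-scan tab.
// "quay.io/org/app:tag" or "quay.io/org/app@sha256:..." -> "org/app".
export function quayManifestLink(quayHost: string, image: string, manifest: string): string {
  const parts = image.split('/');
  if (parts.length > 1 && /[.:]/.test(parts[0])) parts.shift(); // drop registry host
  const repo = parts.join('/').replace(/[@:].*$/, '');          // drop tag or digest
  return `https://${quayHost}/repository/${repo}/manifest/${manifest}?tab=vulnerabilities`;
}

export function summarizeImage(imv: ImageManifestVuln, quayHost: string): ImageSummary {
  const vulns: Vulnerability[] = [];
  for (const f of imv.spec.features) vulns.push(...f.vulnerabilities);
  let highest: Severity = 'Unknown';
  for (const v of vulns) if (rank(v.severity) < rank(highest)) highest = v.severity;
  return {
    image: imv.spec.image,
    manifest: imv.spec.manifest,
    highestSeverity: highest,
    vulnerabilityCount: vulns.length,
    fixableCount: vulns.filter((v) => !!v.fixedBy).length, // a fix version is known
    affectedPodCount: Object.keys(imv.status.affectedPods || {}).length,
    quayLink: quayManifestLink(quayHost, imv.spec.image, imv.spec.manifest),
  };
}

// Restrict to the selected project (namespace), drop images with no findings,
// and order by highest severity so the worst image is listed first.
export function summarizeProject(namespace: string, all: ImageManifestVuln[], quayHost: string): ProjectSummary {
  const images = all
    .filter((imv) => imv.metadata.namespace === namespace)
    .map((imv) => summarizeImage(imv, quayHost))
    .filter((s) => s.vulnerabilityCount > 0)
    .sort((a, b) => rank(a.highestSeverity) - rank(b.highestSeverity));
  const bySeverity = {} as Record<Severity, number>;
  for (const s of SEVERITY_ORDER) bySeverity[s] = 0;
  for (const s of images) bySeverity[s.highestSeverity] += 1;
  return { vulnerableImageCount: images.length, bySeverity, images };
}

// Constructed sample: two images in project "shop", one in "other". CVE ids are placeholders.
export const sampleVulns: ImageManifestVuln[] = [
  { metadata: { name: 'sha256.aaa111', namespace: 'shop' },
    spec: { image: 'quay.io/example/api:1.2', manifest: 'sha256:aaa111', features: [
      { name: 'openssl', version: '1.1.1k', vulnerabilities: [
        { name: 'CVE-0000-0001', severity: 'High', fixedBy: '1.1.1l' },
        { name: 'CVE-0000-0002', severity: 'Medium' } ] },
      { name: 'zlib', version: '1.2.11', vulnerabilities: [
        { name: 'CVE-0000-0003', severity: 'Critical', fixedBy: '1.2.12' } ] } ] },
    status: { affectedPods: { 'api-7d9f-abcde': ['docker://sha256:aaa111'], 'api-7d9f-fghij': ['docker://sha256:aaa111'] } } },
  { metadata: { name: 'sha256.bbb222', namespace: 'shop' },
    spec: { image: 'quay.io/example/web:3', manifest: 'sha256:bbb222', features: [
      { name: 'curl', version: '7.61.1', vulnerabilities: [ { name: 'CVE-0000-0004', severity: 'Low' } ] } ] },
    status: { affectedPods: { 'web-0': ['docker://sha256:bbb222'] } } },
  { metadata: { name: 'sha256.ccc333', namespace: 'other' },
    spec: { image: 'quay.io/example/batch:9', manifest: 'sha256:ccc333', features: [
      { name: 'bash', version: '5.0', vulnerabilities: [ { name: 'CVE-0000-0005', severity: 'High' } ] } ] },
    status: { affectedPods: {} } },
];
```

With the sample data, summarizeProject('shop', sampleVulns, 'quay.io') reports two vulnerable images (one Critical, one Low), and the api image shows three vulnerabilities of which two are fixable, two affected pods, and a Quay link scoped to its manifest; the image in "other" is excluded. Counting each image once under its highest severity is a design choice so that the severity breakdown sums to the vulnerable-image count, which is what the per-project overview above asks for; a per-vulnerability breakdown would instead sum over every finding.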
Dependencies (External/Internal):
CSO
Slack Channel
#tmp-odc-app-vulnerabilities in CoreOS slack
Design Artifacts:
tbd
Exploration:
Step 1 - Empathize
Step 2 - Define
Step 3 - Ideate
Note:
Initial use case/journey ideas https://docs.google.com/presentation/d/12XmfeoZxnaOjsbRMIGr7FJtrE9ywvW5B2tEFi2wG3dQ/edit?usp=sharing
Notes
Depending on the user's role, RBAC permissions may limit which of these views and actions are available to them.
Sub-tasks:
1. High-Level Exploration | Closed | Serena Nichols (Inactive)
2. Construct AC | Closed | Serena Nichols (Inactive)
3. T-Shirt Sizing | Closed | Unassigned