Vulnerabilities for archived projects appear in Group-level and Security Center dashboards and vulnerability reports
Problem to solve
When a user archives a project, they are archiving it to remove it from the dashboards and indicating it is no longer a maintained project. However, the vulnerabilities from archived projects continue to show up in vulnerability management features where they should not.
Further details
As of GitLab 15.1, deleted projects are removed after a set number of days, so the proposal below addresses only archived projects. When a project is deleted, its associated vulnerability records are deleted with it; records from deleted projects therefore affect the Group-level and Security Center features only until that removal happens.
Proposal
The following places/behaviors should be modified so as not to include archived projects or their vulnerability records:
- Group Vulnerability Report:
  - the vulnerability list
  - the project selector/filter
  - the severity counters at the top of the report page
- Group Security Dashboard:
  - counts in the vulnerability trends chart
  - counts shown in the security scorecard
- Security Center Vulnerability Report:
  - the vulnerability list
  - the project selector/filter
  - the severity counters at the top of the report page
- Security Center Dashboard:
  - counts in the vulnerability trends chart
  - counts shown in the security scorecard
A nice to have is preventing users from adding archived projects from the Security Center Settings page. Archived projects already added to the user's view list should be visually distinguished (maybe an "archived" badge).
As per this comment, there should now be metadata available via GraphQL that can be used to avoid displaying these vulnerabilities on the frontend. If feasible with frontend work only, archived projects should also be excluded from the project selection dropdown, to avoid any confusion from selecting a project that would now return no (visible) results.
Links / references
Implementation Plan
This can easily be split into 3 MRs. However, this does not appear to be a complex fix, so putting weight at 2.
- backend: Add an argument to the `for_projects` scope for `Vulnerability` and `Vulnerabilities::Read`.
- backend: Add a filter in `VulnerabilitiesFinder` and `VulnerabilityReadsFinder` to include archived projects only if the argument is provided and true. Not including them should be the default.
- backend: Include this as a nullable argument in the `VulnerabilitiesResolver`.
NOTE: No work should be needed on the frontend, unless we want an option to include archived projects.
```mermaid
flowchart
A[Vulnerability Report] -->|Find Vulnerabilities for accessible projects| B(Vulnerabilities Resolver)
B --> C[VulnerabilitiesFinder/VulnerabilityReadsFinder]
C --> D{Include archived projects?}
D -->|Yes| E[Vulnerabilities for projects including archived ones]
D -->|No| F[Vulnerabilities for projects excluding archived ones]
```
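The following is an added illustration of the filtering rule in the plan above, not GitLab's own code: a plain-Ruby stand-in for the finder that takes the proposed nullable `include_archived` argument, excludes archived projects by default (nil and false behave the same), and derives the vulnerability list, severity counters and project selector from the same filtered set so all three views agree. `ArchivedAwareFinder`, the `Project`/`Vulnerability` structs and the sample data are constructed for this example and do not correspond to the Rails models or the real finder API.

```ruby
# Hypothetical stand-ins for the Rails models (constructed for this example).
Project = Struct.new(:id, :name, :archived, keyword_init: true)
Vulnerability = Struct.new(:id, :project_id, :severity, keyword_init: true)

# Constructed sample data: one archived project among three.
PROJECTS = [
  Project.new(id: 1, name: 'api', archived: false),
  Project.new(id: 2, name: 'legacy-web', archived: true),
  Project.new(id: 3, name: 'worker', archived: false)
].freeze

VULNERABILITIES = [
  Vulnerability.new(id: 10, project_id: 1, severity: :high),
  Vulnerability.new(id: 11, project_id: 2, severity: :critical),
  Vulnerability.new(id: 12, project_id: 2, severity: :low),
  Vulnerability.new(id: 13, project_id: 3, severity: :medium)
].freeze

# Hypothetical finder mirroring the proposed behaviour: archived projects are
# excluded unless include_archived is explicitly true. The argument is nullable
# at the resolver layer, so nil must mean "exclude", the same as false.
class ArchivedAwareFinder
  def initialize(projects, vulnerabilities)
    @projects = projects
    @vulnerabilities = vulnerabilities
  end

  # Projects that remain visible for the given flag (the for_projects scope).
  def visible_projects(include_archived: nil)
    @projects.reject { |p| p.archived && !include_archived }
  end

  # The vulnerability list for the report.
  def execute(include_archived: nil)
    ids = visible_projects(include_archived: include_archived).map(&:id)
    @vulnerabilities.select { |v| ids.include?(v.project_id) }
  end

  # Severity counters at the top of the report, computed from the same
  # filtered list so counters and list can never disagree.
  def severity_counts(include_archived: nil)
    execute(include_archived: include_archived)
      .group_by(&:severity)
      .transform_values(&:size)
  end

  # Names offered by the project selector/filter.
  def selectable_projects(include_archived: nil)
    visible_projects(include_archived: include_archived).map(&:name)
  end
end

FINDER = ArchivedAwareFinder.new(PROJECTS, VULNERABILITIES)

if __FILE__ == $PROGRAM_NAME
  puts "default:               #{FINDER.execute.map(&:id).inspect}"
  puts "include_archived=true: #{FINDER.execute(include_archived: true).map(&:id).inspect}"
  puts "counters (default):    #{FINDER.severity_counts.inspect}"
end
```

Deriving the counters and the selector from the same `visible_projects` call is the point of the example: the report's list, its severity totals and its project dropdown drop the archived project together, which is the consistency the proposal asks for across the four pages listed above.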
Follow-up tasks
Although this fixes a bug and gives users the behaviour they expect, some customers may be concerned by the resulting drop in vulnerability counts. After this issue is complete, we should ping our Customer Support stable counterpart to let them know the group and Security Center pages will no longer include records from archived projects.