Project security status widget on Group dashboards does not include sub-groups

Summary

The Project security status (aka "report card") widget on the Group security dashboards shows a list of all projects within the group, bucketed into a letter grade from A to F based on the severity of the defects found in each project. However, the widget does not appear to include projects inside sub-groups, which leads to a misleading count and presentation of projects.

Steps to reproduce

For example, look at the Project security status here: https://gitlab.com/groups/gitlab-org/security-products/analyzers/-/security/dashboard

Note the total number of projects represented and displayed (currently 22). Now look at the parent group's dashboard (https://gitlab.com/groups/gitlab-org/security-products/-/security/dashboard) and see that only 5 projects are listed there.

What is the current bug behavior?

Only projects with security scans configured and that sit directly underneath a given group will appear in that group's Project security status widget.

What is the expected correct behavior?

All projects directly underneath a given group as well as all projects within all sub-groups (at all depths) of that group will appear on the Project security status widget. Note that projects anywhere in this hierarchy that do not have security scans configured still will not appear in the widget.

Implementation plan & technical notes

Currently, the vulnerabilityGrades query for the Group type returns data only for the group itself, ignoring its subgroups. To address this issue, we should add a query parameter to vulnerabilityGrades called includeSubgroups that returns the data for the group together with the data for its subgroups. This will also require a minor change on the frontend to use this new flag.

  • backend: Introduce a new includeSubgroups flag for the vulnerabilityGrades query on the GroupType of the GraphQL API. Important note: this argument should exist only on the GroupType.
  • frontend: Use the newly introduced includeSubgroups flag to fetch data for the group including its subgroups.
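The following is an added example, not GitLab's own code, that models the current versus expected behaviour described above (the "current bug behavior" and "expected correct behavior" sections and the proposed includeSubgroups flag). The group/project structs, the include_subgroups keyword, the severity-to-grade mapping and the sample hierarchy are all assumptions constructed for illustration; GitLab's real resolver, grade thresholds and project names differ.

```ruby
# Added example (not GitLab code): a minimal model of the behaviour the issue
# asks for. Groups contain projects and sub-groups; each project records whether
# security scans are configured and the highest severity its scans reported
# (nil when nothing was found). `vulnerability_grades` buckets projects into
# letter grades either for the group alone (current behaviour) or including
# every sub-group at any depth (expected behaviour, modelled as the hypothetical
# include_subgroups flag that stands in for the proposed includeSubgroups argument).

Project = Struct.new(:name, :scans_configured, :max_severity)
Group   = Struct.new(:name, :projects, :subgroups)

# Assumed grade mapping for this example: the highest severity present decides
# the letter. GitLab's real thresholds are not part of the issue text.
GRADE_FOR_SEVERITY = {
  nil => 'A', 'info' => 'A', 'low' => 'B', 'medium' => 'C', 'high' => 'D', 'critical' => 'F'
}.freeze

# Walk the hierarchy depth-first, collecting projects from the group itself and,
# when include_subgroups is true, from every descendant group at any depth.
def collect_projects(group, include_subgroups:)
  projects = group.projects.dup
  return projects unless include_subgroups

  group.subgroups.each do |sub|
    projects.concat(collect_projects(sub, include_subgroups: true))
  end
  projects
end

# Bucket scanned projects by grade. Projects without security scans configured
# are excluded in both modes, matching the expected behaviour in the issue.
def vulnerability_grades(group, include_subgroups: false)
  grades = Hash.new { |h, k| h[k] = [] }
  collect_projects(group, include_subgroups: include_subgroups)
    .select(&:scans_configured)
    .each { |p| grades[GRADE_FOR_SEVERITY.fetch(p.max_severity)] << p.name }
  grades.sort.to_h
end

# Constructed sample hierarchy (names are illustrative, not real GitLab projects):
# security-products -> analyzers -> experimental, three levels deep.
EXPERIMENTAL = Group.new('experimental', [
  Project.new('fuzz-harness', true, 'medium')
], [])

ANALYZERS = Group.new('analyzers', [
  Project.new('sast-scanner', true, 'high'),
  Project.new('secret-detector', true, nil),
  Project.new('docs-only', false, nil) # no scans: never shown in the widget
], [EXPERIMENTAL])

SECURITY_PRODUCTS = Group.new('security-products', [
  Project.new('dashboard-ui', true, 'critical'),
  Project.new('legacy-tool', false, nil) # no scans: never shown in the widget
], [ANALYZERS])

if __FILE__ == $PROGRAM_NAME
  puts "group only:          #{vulnerability_grades(SECURITY_PRODUCTS)}"
  puts "including subgroups: #{vulnerability_grades(SECURITY_PRODUCTS, include_subgroups: true)}"
end
```

Run as a script, the first line shows only the one directly attached scanned project (the current, misleading view), while the second shows the four scanned projects across all three levels, with the two unscanned projects excluded in both cases.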
Edited by Alan (Maciej) Paruszewski