Show Dependency Scanning info in file view

Release notes

Problem to solve

As a user opening a dependency file in the GitLab UI, I want to see Dependency Scanning information along with the file, so that I know whether it's been scanned or skipped.

If it's been successfully scanned, I want quick access to the vulnerabilities and dependencies the scanner found for that particular file, instead of going to the Vulnerability Report or the Dependency List and narrowing the search to only show vulnerabilities and dependencies for that file, respectively.

Adding Dependency Scanning information to the file view improves discoverability of the Vulnerability Report and the Dependency List.

Follow-up features:

  • Configure Dependency Scanning from the file view. In particular, this view could be used to exclude the file from subsequent scans.
  • Show a warning when the dependency file isn't supported by Dependency Scanning even though it's recognized.
  • Show vulnerabilities at the line where the vulnerable dependency or its ancestor is declared.
  • Show license information at the line where the dependency is declared.

Intended users

User experience goal

Proposal

Add Dependency Scanning information at the top of the file view UI, when the file is supported (or to be supported) by GitLab Dependency Scanning:

  • status: scanned, skipped, or failed; the latter becomes particularly relevant once partial scans are implemented
  • dependencies: count, link to the Dependency List limited to that file
  • vulnerabilities: count, warning if the file is affected, link to the Vulnerability Report limited to that file
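
The per-file figures above can be derived from the scanner's own output. The example below is an added illustration, not GitLab's code: it reads a Dependency Scanning report (the `gl-dependency-scanning-report.json` artifact), groups `vulnerabilities` by `location.file`, counts the `dependencies` listed under each entry of `dependency_files`, and marks a recognised dependency file that has no `dependency_files` entry as skipped. The report shape, the sample report, the recognised-file list and the `job_status` argument (the report itself does not record a failed job) are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a GitLab Dependency Scanning report.
# Field names follow the report format as assumed for this example; check
# them against the report your scanner actually produces.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "constructed-0001", "severity": "High",
         "location": {"file": "composer.lock",
                      "dependency": {"package": {"name": "guzzlehttp/guzzle"}, "version": "6.0.0"}}},
        {"id": "constructed-0002", "severity": "Medium",
         "location": {"file": "frontend/package-lock.json",
                      "dependency": {"package": {"name": "lodash"}, "version": "4.17.15"}}},
        {"id": "constructed-0003", "severity": "Low",
         "location": {"file": "frontend/package-lock.json",
                      "dependency": {"package": {"name": "lodash"}, "version": "4.17.15"}}},
    ],
    "dependency_files": [
        {"path": "composer.lock", "package_manager": "composer",
         "dependencies": [
             {"package": {"name": "guzzlehttp/guzzle"}, "version": "6.0.0"},
             {"package": {"name": "symfony/console"}, "version": "5.2.0"}]},
        {"path": "frontend/package-lock.json", "package_manager": "npm",
         "dependencies": [
             {"package": {"name": "lodash"}, "version": "4.17.15"}]},
    ],
})

# Files the UI recognises as dependency files (constructed list). A recognised
# file with no dependency_files entry is what the proposal calls "skipped".
RECOGNISED_FILES = ["composer.lock", "frontend/package-lock.json", "legacy/Gemfile.lock"]


def summarise_by_file(report_json, recognised_files, job_status="success"):
    """Map each recognised file to the status/counts the file view would show.

    job_status is an assumption: the report does not say whether the scanning
    job failed, so the caller passes the CI job status in.
    """
    report = json.loads(report_json)

    # Group findings by the dependency file they were located in.
    vulns_by_file = defaultdict(list)
    for vuln in report.get("vulnerabilities", []):
        vulns_by_file[vuln["location"]["file"]].append(vuln)

    scanned = {entry["path"]: entry for entry in report.get("dependency_files", [])}

    summary = {}
    for path in recognised_files:
        if job_status != "success":
            status = "failed"
        elif path in scanned:
            status = "scanned"
        else:
            status = "skipped"
        entry = scanned.get(path, {})
        summary[path] = {
            "status": status,
            "package_manager": entry.get("package_manager"),
            "dependencies": len(entry.get("dependencies", [])),
            "vulnerabilities": len(vulns_by_file.get(path, [])),
            "affected": bool(vulns_by_file.get(path)),
        }
    return summary


def banner(path, entry):
    """Render the one-line summary proposed for the top of the file view."""
    if entry["status"] != "scanned":
        return f"{path}: Dependency Scanning {entry['status']}"
    warning = " WARNING: affected" if entry["affected"] else ""
    return (f"{path}: scanned ({entry['package_manager']}); "
            f"{entry['dependencies']} dependencies, "
            f"{entry['vulnerabilities']} vulnerabilities{warning}")


if __name__ == "__main__":
    for path, entry in summarise_by_file(SAMPLE_REPORT, RECOGNISED_FILES).items():
        print(banner(path, entry))
```

A file that appears in `vulnerabilities` but not in `dependency_files` would count as skipped here; if that ever happens in a real report it is a scanner inconsistency worth reporting with a link to the file view, which is exactly the feedback loop the success criteria below describe.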

Further details

Right now the UI only shows the name of the package manager handling that file.

Example: This project manages its dependencies using Composer. Learn more

Screenshot of the current file view header, taken 2021-03-10 at 09.51.41

Permissions and Security

Same as the Dependency List and the Vulnerability Report.

Documentation

Availability & Testing

Available Tier

GitLab Ultimate

What does success look like, and how can we measure that?

Users access the Vulnerability Report and the Dependency List via the file view.

Users link to the file view when reporting scan issues.

What is the type of buyer?

Is this a cross-stage feature?

No

Links / references

/cc @beckalippert @NicoleSchwartz @gonzoyumo

Edited by Fabien Catteau