ESCALATED: Dependency List shows dependency vulnerability status as safe to not logged in users
Summary
When a person who is not logged in views the vulnerable components list, every dependency is shown as safe.
Steps to reproduce
While not logged in, view a dependency list that contains vulnerable dependencies.
Example Project
What is the current bug behavior?
I am not logged in and can see the vulnerable dependencies
https://gitlab.com/gitlab-org/gitlab/dependencies - click "vulnerable components"
What is the expected correct behavior?
At a minimum, they shouldn't all say safe, because they are not. But also: can we not show a count for that tab, and also disable clicking / viewing the tab?
@andyvolpe can you confirm, in line with #13247 (comment 219462485), that although we want guests to see the dependency list (though perhaps not the safe/unsafe status), the vulnerable dependency list should not be available to users who are not logged in?
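The root cause described here is a common authorization pattern bug: findings the viewer is not allowed to read are filtered out before the status is derived, so "nothing visible" turns into "safe". The Ruby below is an added illustration, not GitLab's code; Dependency, Viewer, buggy_serialize, serialize and vulnerable_tab are all hypothetical names. It shows the misleading version next to one where the permission check decides whether the status fields and the tab count are emitted at all.

```ruby
# Added example (not GitLab's code). Dependency, Viewer and the methods
# below are hypothetical; the sample findings are constructed.

Dependency = Struct.new(:name, :version, :vulnerabilities, keyword_init: true)
Viewer = Struct.new(:logged_in, :can_read_vulnerabilities, keyword_init: true)

# Buggy pattern: findings the viewer may not read are dropped *before*
# the status is computed, so an anonymous viewer sees every dependency
# as safe and a count of zero.
def buggy_serialize(dependency, viewer)
  visible = viewer.can_read_vulnerabilities ? dependency.vulnerabilities : []
  {
    name: dependency.name,
    version: dependency.version,
    vulnerable: !visible.empty?,      # false for anonymous even if vulnerable
    vulnerability_count: visible.size # 0 for anonymous even if vulnerable
  }
end

# Fixed pattern: the authorization check gates the status fields
# themselves. An unauthorized viewer still gets the dependency entry
# (guests may see the list) but no safe/unsafe claim at all.
def serialize(dependency, viewer)
  base = { name: dependency.name, version: dependency.version }
  return base unless viewer.can_read_vulnerabilities

  base.merge(
    vulnerable: !dependency.vulnerabilities.empty?,
    vulnerability_count: dependency.vulnerabilities.size
  )
end

# The "vulnerable components" tab: neither enabled nor counted unless
# the viewer may read vulnerabilities, so the count does not leak either.
def vulnerable_tab(dependencies, viewer)
  return { enabled: false, count: nil } unless viewer.can_read_vulnerabilities

  vulnerable = dependencies.reject { |d| d.vulnerabilities.empty? }
  { enabled: true, count: vulnerable.size }
end

if __FILE__ == $PROGRAM_NAME
  deps = [
    Dependency.new(name: "libexample", version: "1.0", vulnerabilities: ["constructed-finding-1"]),
    Dependency.new(name: "libother", version: "2.3", vulnerabilities: [])
  ]
  anon = Viewer.new(logged_in: false, can_read_vulnerabilities: false)
  p buggy_serialize(deps[0], anon)   # vulnerable: false (misleading)
  p serialize(deps[0], anon)         # no vulnerable key at all
  p vulnerable_tab(deps, anon)       # tab disabled, no count
end
```

The point to check in a fix is that an empty, filtered result is never treated as evidence of safety: absence of permission and absence of findings must produce different outputs.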