Make Project Dependency List page show only active vulnerabilities
Summary
The Dependency List page lists all dependencies of a project and reports vulnerabilities on these dependencies. Nevertheless, some of these vulnerabilities are still showing even though they were dismissed.
Steps to reproduce
- Go to https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies
- Go to page 3, find the `pipenv` dep, and notice the vulnerability attached to it.
- Follow the link to this vulnerability page, notice it is `Dismissed`
Example Project
https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies
What is the current bug behavior?
Dismissed vulnerabilities still reported in the dependency list.
What is the expected correct behavior?
They should be hidden.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Implementation plan
- Update `API::Sbom::Occurrences` to add the `Vulnerability#with_states` scope when passed (https://gitlab.com/gitlab-org/gitlab/-/blob/07474cc02fc65edd58045630fc730b3e180fae7e/ee/lib/api/sbom/occurrences.rb#L20-23)
  - The path will look something like https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies.json?sort_by=severity&sort=desc&page=1&filter=all&vulnerability_states[]=confirmed,detected
  - It can be one or more of `detected,confirmed,resolved,dismissed`; the first two are defined as `ACTIVE_STATES`
  - I can't tell what the existing `filter` param is used for, as it doesn't appear in the API
  - Note: Although the Vulnerability report looks like it uses a single string query param with comma-delimited values (`vulnerability_report/?state=CONFIRMED,RESOLVED`), this value is just a Vue.js thing I think, and an array is passed to the API via GraphQL
- Add the same scope to `Sbom::OccurrencesVulnerability`
- Update the Controller so that, when `?state[]=value(s)gohere` is passed as a query param, the API is passed that query too
- Validate that using `&scopes[]=detected,confirmed` shows just detected and confirmed results
- Update relevant specs
- Ensure the "X vulnerabilities detected" label/pill reflects the correct count
Not in this implementation plan:
- Applying this to the Group Dependency List page (can be another Issue)
- UI for a vulnerability state multi-select dropdown (this page might be getting reworked entirely)
- Changing default behavior (e.g. to only show `detected,confirmed` vulnerabilities)
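As an added illustration (this is not GitLab's code and not part of the plan above), the following stand-alone Ruby models the state filtering the implementation plan describes: it reads `vulnerability_states[]` from a query string either in the comma-delimited form shown in the example path or as repeated keys, rejects values outside the four known states, filters a constructed occurrence list, and derives the "X vulnerabilities" count from the filtered result so the pill cannot disagree with the rows. The names `parse_vulnerability_states`, `filter_occurrences`, `vulnerability_count` and the `Occurrence`/`Vulnerability` structs are hypothetical, and the sample data is constructed. An empty selection keeps every vulnerability, which matches the note that changing the default is out of scope.

```ruby
# Added example, not GitLab code: a stand-alone model of filtering a project's
# dependency occurrences by vulnerability state. Names are hypothetical.
require 'uri'

VULNERABILITY_STATES = %w[detected confirmed resolved dismissed].freeze
ACTIVE_STATES = %w[detected confirmed].freeze

Vulnerability = Struct.new(:id, :state)
Occurrence = Struct.new(:name, :vulnerabilities)

# Extract `vulnerability_states[]` from a query string. Accepts both repeated
# keys (`vulnerability_states[]=a&vulnerability_states[]=b`) and a single
# comma-delimited value (`vulnerability_states[]=a,b`), as in the example path.
# Unknown states are rejected rather than silently ignored, so a typo cannot
# widen the result set back to "everything".
def parse_vulnerability_states(query)
  raw = URI.decode_www_form(query).select { |key, _| key == 'vulnerability_states[]' }.map(&:last)
  states = raw.flat_map { |v| v.split(',') }.map { |v| v.strip.downcase }.reject(&:empty?).uniq
  unknown = states - VULNERABILITY_STATES
  raise ArgumentError, "unknown vulnerability state(s): #{unknown.join(', ')}" unless unknown.empty?
  states
end

# Keep only vulnerabilities whose state was requested. Dependencies stay in the
# list even when none of their vulnerabilities match; an empty selection keeps
# the current behaviour of showing every vulnerability.
def filter_occurrences(occurrences, states)
  return occurrences if states.empty?
  occurrences.map do |occ|
    Occurrence.new(occ.name, occ.vulnerabilities.select { |v| states.include?(v.state) })
  end
end

# Count for the "X vulnerabilities detected" pill, computed from the same
# filtered rows that are rendered.
def vulnerability_count(occurrences)
  occurrences.sum { |occ| occ.vulnerabilities.size }
end

# Constructed sample data (not real gitlab-environment-toolkit occurrences).
SAMPLE_OCCURRENCES = [
  Occurrence.new('pipenv',   [Vulnerability.new(1, 'dismissed')]),
  Occurrence.new('requests', [Vulnerability.new(2, 'detected'), Vulnerability.new(3, 'resolved')]),
  Occurrence.new('urllib3',  [Vulnerability.new(4, 'confirmed')])
].freeze

if __FILE__ == $PROGRAM_NAME
  query = 'sort_by=severity&sort=desc&page=1&filter=all&vulnerability_states[]=confirmed,detected'
  states = parse_vulnerability_states(query)
  filtered = filter_occurrences(SAMPLE_OCCURRENCES, states)
  filtered.each { |occ| puts "#{occ.name}: #{occ.vulnerabilities.map(&:state).join(', ')}" }
  puts "#{vulnerability_count(filtered)} vulnerabilities (states: #{states.join(', ')})"
end
```

With the example query, `pipenv` is still listed but its dismissed vulnerability is gone, and the count drops from 4 to 2; passing no states leaves all 4 visible, which is the existing default.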
Edited by Nick Malcolm