
Make Project Dependency List page show only active vulnerabilities

Summary

The Dependency List page lists all dependencies of a project and reports vulnerabilities on these dependencies. However, some of these vulnerabilities are still shown even though they were dismissed.

Steps to reproduce

  1. Go to https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies
  2. Go to page 3, find the pipenv dependency, and notice the vulnerability attached to it.
  3. Follow the link to this vulnerability's page and notice its state is Dismissed.

Example Project

https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies

What is the current bug behavior?

Dismissed vulnerabilities are still reported in the dependency list.

What is the expected correct behavior?

They should be hidden.

Relevant logs and/or screenshots

[Screenshot: Screen_Shot_2022-02-22_at_12.26.37]

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Implementation plan

  1. Update API::Sbom::Occurrences to add Vulnerability#with_states scope when passed https://gitlab.com/gitlab-org/gitlab/-/blob/07474cc02fc65edd58045630fc730b3e180fae7e/ee/lib/api/sbom/occurrences.rb#L20-23
    • The path will look something like https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/dependencies.json?sort_by=severity&sort=desc&page=1&filter=all&vulnerability_states[]=confirmed,detected
    • It can be one or more of detected, confirmed, resolved, dismissed; the first two are defined as ACTIVE_STATES
    • I can't tell what the existing filter param is used for, as it doesn't appear in the API
    • Note: Although Vulnerability report looks like it uses a single string query param with comma-delimited values (vulnerability_report/?state=CONFIRMED,RESOLVED) this value is just a Vue.JS thing I think, and an array is passed to the API via GraphQL
  2. Add the same scope to Sbom::OccurrencesVulnerability
  3. Update the Controller so that, when ?state[]=value(s)gohere is passed as a query param, the API is passed that query too
  4. Validate that using &scopes[]=detected,confirmed shows just detected and confirmed results
  5. Update relevant specs
    1. Ensure the "X vulnerabilities detected" label/pill reflects the correct count
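The following is an added example, not GitLab's own code: it models the state filtering the plan above describes (steps 1 through 5) in plain Ruby instead of ActiveRecord scopes, so it runs offline. The `vulnerability_states[]` parameter name comes from the plan; the `ACTIVE_STATES` constant mirrors the one the plan mentions, and the `Occurrence`/`Vulnerability` structs, the `parse_states` and `filter_occurrences` helpers, and the sample data are all assumptions made for the example. It shows the check a reviewer would want: unknown state values are rejected rather than silently dropped, an absent parameter leaves the default behaviour unchanged, and the "X vulnerabilities detected" count is computed from the filtered set.

```ruby
# Added example, not GitLab code: state filtering for a dependency list.
require 'cgi'

module VulnStates
  ALL = %w[detected confirmed resolved dismissed].freeze
  # Assumption: mirrors the ACTIVE_STATES the implementation plan refers to.
  ACTIVE_STATES = %w[detected confirmed].freeze
end

# Hypothetical in-memory stand-ins for the Sbom::Occurrence / Vulnerability records.
Vulnerability = Struct.new(:id, :state)
Occurrence = Struct.new(:component, :vulnerabilities)

# Parse vulnerability_states[] from a query string. Accepts both repeated
# array params and comma-delimited values (the plan shows the latter form).
# Unknown states raise instead of being ignored, so a typo cannot silently
# widen or narrow what the page shows.
def parse_states(query_string)
  params = CGI.parse(query_string)
  raw = params.fetch('vulnerability_states[]', [])
  states = raw.flat_map { |v| v.split(',') }.map(&:strip).reject(&:empty?).uniq
  unknown = states - VulnStates::ALL
  raise ArgumentError, "unknown vulnerability state(s): #{unknown.join(', ')}" unless unknown.empty?

  states
end

# Plain-Ruby equivalent of a with_states scope. An empty list means
# "no filter", which keeps the page's current default behaviour.
def with_states(vulns, states)
  return vulns if states.empty?

  vulns.select { |v| states.include?(v.state) }
end

# Apply the filter per occurrence; a dependency stays listed even when all of
# its vulnerabilities are filtered out (only the vulnerabilities are hidden).
def filter_occurrences(occurrences, states)
  occurrences.map { |occ| Occurrence.new(occ.component, with_states(occ.vulnerabilities, states)) }
end

# Count for the "X vulnerabilities detected" pill: must use the filtered set,
# otherwise the label and the table disagree.
def vulnerability_count(occurrences)
  occurrences.sum { |o| o.vulnerabilities.size }
end

# Constructed sample data shaped like the pipenv case in the report.
SAMPLE = [
  Occurrence.new('pipenv', [Vulnerability.new(1, 'dismissed'), Vulnerability.new(2, 'detected')]),
  Occurrence.new('rails', [Vulnerability.new(3, 'confirmed'), Vulnerability.new(4, 'resolved')]),
  Occurrence.new('nokogiri', [])
].freeze

if __FILE__ == $PROGRAM_NAME
  query = 'sort_by=severity&sort=desc&page=1&vulnerability_states[]=confirmed,detected'
  states = parse_states(query)
  shown = filter_occurrences(SAMPLE, states)
  puts "states: #{states.inspect}"
  shown.each { |o| puts "#{o.component}: #{o.vulnerabilities.map(&:state).inspect}" }
  puts "#{vulnerability_count(shown)} vulnerabilities detected"
end
```

Running the file with the query string from the plan prints the pipenv row with only its detected vulnerability and a count of 2, while the same data with no `vulnerability_states[]` parameter still yields all 4, which is the "changing default behaviour" case the plan explicitly leaves out.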

Not in this implementation plan:

  • Applying this to the Group Dependency List page (can be another Issue)
  • UI for a vulnerability state multi-select dropdown (this page might be getting reworked entirely)
  • Changing default behavior (e.g. to only show detected,confirmed vulnerabilities)
Edited by 🤖 GitLab Bot 🤖