
Design: Group/Sub-group level Dependency list MVC

Release notes

When reviewing a list of dependencies, it is important to have an overall view of everything in your organization. With this release, you can see all dependencies within all projects and sub-groups.

Problem to solve

Today, there is no way to view dependency information at the group or sub-group level. This makes it very difficult to get a complete picture of dependencies, and of the potential risks they carry, across multiple projects or an entire organization. It also prevents easily answering questions like "do I have dependency X included in any project?" or "are all projects using dependency X on version Y or higher?".

Background

Work was recently completed to ingest dependency information from SBOM artifacts and store it in the database. Prior to this work, the Dependency list page rendered directly from pipeline artifact files. This created a performance bottleneck that would not scale if trying to gather dependency information for a group or sub-group.

At the same time, the current project-level Dependency list contains information about any vulnerabilities as well as licenses associated with the dependencies. The SBOM ingest work is only the first part of the larger Continuous Vulnerability Scanning effort. Work still remains to similarly ingest license information into the database. Further backend services are also required to match ingested dependencies with ingested license data as well as existing vulnerability data. This means that until all of this work is complete, the current project-level functionality cannot be moved to a fully database-backed model without removing the existing ability to see vulnerabilities and licenses.

We have an opportunity to make an incremental step forward with a group-level Dependency list because such a feature does not yet exist. This will allow us to build on the new database-backed model, adding functionality as more of the Continuous Vulnerability Scanning work completes.

Proposal

Leverage the new database-backed dependency information to create a new group/sub-group level dependency page. The page will be limited to dependency information only (no vulnerability or license data).

See designs in design section below.

Feature Usage Metrics

Usage will be tracked by views to the new page(s).

JTBD

When there's a problem with a particular component, I want to be able to search for that component name and version so that I can triage those problems accordingly.

Requirements

Users can...

  1. filter the list by component name
  2. sort the list by component name, packager name, and number of related projects
  3. click on the number of projects in the projects column, and then click on the specific project in the popover. This will take the user to the Dependency List of that project, with the component uncollapsed and in view.
  4. search for project name in the popover if there are >10
  5. export the dependency list as a JSON
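As an added example (not GitLab's code, and not the implementation this design describes), the following Python shows the shape of data a database-backed group-level list needs once per-project SBOM components are rolled up: one row per (component name, packager) with the versions in use and the projects on each version. It implements the filter, sort and JSON export from the requirements above, and answers the two questions posed under "Problem to solve". All project paths, component names, versions and packager labels are constructed sample data, and the version comparator is a deliberately minimal semver-style assumption rather than any ecosystem's real ordering.

```python
"""Group-level dependency aggregation over per-project SBOM components.

Added example, not GitLab's code. Sample input is constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    packager: str  # package manager, e.g. "npm", "bundler" (constructed labels)


# Constructed sample: project path -> components from that project's latest SBOM.
SAMPLE_PROJECTS: dict[str, list[Component]] = {
    "group/web": [Component("lodash", "4.17.21", "npm"),
                  Component("rails", "7.0.8", "bundler")],
    "group/sub/api": [Component("lodash", "4.17.15", "npm"),
                      Component("nokogiri", "1.15.4", "bundler")],
    "group/sub/cli": [Component("lodash", "4.17.21-rc1", "npm")],
}

# Assumption: versions look like X.Y.Z with an optional "-pre" suffix.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v: str) -> tuple:
    """Comparable key: numeric parts compare numerically, a pre-release sorts
    below the release with the same numbers. Real ecosystems (PEP 440, Maven,
    RubyGems) each need their own comparator; this is intentionally minimal."""
    m = _VERSION.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # "4.17" compares equal to "4.17.0"
    pre = m.group(2)
    return (tuple(nums), 0 if pre else 1, pre or "")


@dataclass
class GroupDependency:
    name: str
    packager: str
    versions: dict[str, set[str]] = field(default_factory=dict)  # version -> project paths

    @property
    def projects(self) -> set[str]:
        return set().union(*self.versions.values())

    @property
    def project_count(self) -> int:
        return len(self.projects)


def aggregate(projects: dict[str, list[Component]]) -> list[GroupDependency]:
    """Roll per-project components up to one row per (name, packager)."""
    rows: dict[tuple[str, str], GroupDependency] = {}
    for path, components in projects.items():
        for c in components:
            row = rows.setdefault((c.name, c.packager), GroupDependency(c.name, c.packager))
            row.versions.setdefault(c.version, set()).add(path)
    return list(rows.values())


def filter_by_name(rows: list[GroupDependency], needle: str) -> list[GroupDependency]:
    """Requirement 1: case-insensitive substring match on component name."""
    needle = needle.lower()
    return [r for r in rows if needle in r.name.lower()]


def sort_rows(rows: list[GroupDependency], key: str, descending: bool = False) -> list[GroupDependency]:
    """Requirement 2: sort by component name, packager name or number of projects."""
    keys = {
        "name": lambda r: (r.name.lower(), r.packager),
        "packager": lambda r: (r.packager, r.name.lower()),
        "projects": lambda r: (r.project_count, r.name.lower()),
    }
    return sorted(rows, key=keys[key], reverse=descending)


def projects_using(rows: list[GroupDependency], name: str) -> list[str]:
    """'Do I have dependency X included in any project?'"""
    return sorted(p for r in rows if r.name == name for p in r.projects)


def projects_below_floor(rows: list[GroupDependency], name: str, floor: str) -> list[str]:
    """'Are all projects using X on version Y or higher?' -> the projects that are not."""
    floor_key = parse_version(floor)
    return sorted(p for r in rows if r.name == name
                  for ver, paths in r.versions.items() if parse_version(ver) < floor_key
                  for p in paths)


def export_json(rows: list[GroupDependency]) -> str:
    """Requirement 5: JSON export; sets become sorted lists so output is deterministic."""
    return json.dumps([{"name": r.name, "packager": r.packager,
                        "project_count": r.project_count,
                        "versions": {v: sorted(ps) for v, ps in sorted(r.versions.items())}}
                       for r in sort_rows(rows, "name")], indent=2)


if __name__ == "__main__":
    rows = aggregate(SAMPLE_PROJECTS)
    print("projects on lodash below 4.17.21:", projects_below_floor(rows, "lodash", "4.17.21"))
    print(export_json(rows))
```

Keying rows on (name, packager) rather than name alone matters in practice: the same name can exist in two ecosystems (an npm and a PyPI package called `requests`, say) and collapsing them would make the "do I have X?" answer misleading. The version floor check returns the offending projects rather than a boolean, since that is what a triage workflow actually needs, and it treats a pre-release of the floor version as below the floor.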

Nice to haves

Users can...

  1. filter the list by packager name and project name (in addition to component name)
  2. search for any free text in the search bar
  3. view the relative time of the latest successful scan on any project in the group (shown as "• 54 minutes ago" in the page description)

Future iterations under consideration

  1. Include a column for the License and allow for sorting and filtering by license type
  2. Re-introduce vulnerabilities to each dependency as seen at the project level

These have been captured as requirements in Post-MVC Group-level Dependency List.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Becka Lippert