Design: Group/Sub-group level Dependency list MVC
Release notes
When reviewing a list of dependencies, it is important to have an overall view of everything in your organization. With this release, you can see all dependencies within all projects and sub-groups.
Problem to solve
Today, there is no way to view dependency information at the group or sub-group level. This makes it very difficult to get a complete picture of dependencies, and the potential risks from them, across multiple projects or an entire organization. It also prevents easily answering questions like "do I have dependency X included in any projects?" or "are all projects using dependency X on version Y or higher?".
Background
Work was recently completed to ingest dependency information from SBOM artifacts and store it in the database. Prior to this work, the Dependency list page relied directly on pipeline artifact files to render. This created a performance bottleneck that would not scale if trying to gather dependency information for a group or sub-group.
At the same time, the current project-level Dependency list contains information about any vulnerabilities as well as licenses associated with the dependencies. The SBOM ingest work is only the first part of the larger Continuous Vulnerability Scanning effort. Work still remains to similarly ingest license information into the database. Further backend services are also required to match ingested dependencies with ingested license data as well as existing vulnerability data. This means that until all of this work is complete, the current project-level functionality cannot be moved to a fully database-backed model without removing the existing ability to see vulnerabilities and licenses.
We have an opportunity to make an incremental step forward with a group-level Dependency list because such a feature does not yet exist. This will allow us to build on the new database-backed model, adding functionality as more of the Continuous Vulnerability Scanning work completes.
Proposal
Leverage the new database-backed dependency information to create a new group/sub-group level dependency page. The page will be limited to dependency information only (no vulnerability or license data).
See designs in design section below.
Feature Usage Metrics
Usage will be tracked by views to the new page(s).
JTBD
When there's a problem with a particular component, I want to be able to search for that component name and version so that I can triage those problems accordingly.
Requirements
Users can...
- filter the list by component name
- sort the list by component name, packager name, and number of related projects
- click on the number of projects in the projects column, and then click on the specific project in the popover. This will take the user to the Dependency List of that project, with the component uncollapsed and in view.
- search for project name in the popover if there are >10
- export the dependency list as a JSON
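The group-level questions from the problem statement ("is dependency X in any project?", "is every project on version Y or higher?") and the filter/sort/export requirements above, worked over a constructed set of SBOM-derived rows. This is an added illustration, not GitLab's code or schema; the row fields, the aggregation key (component plus packager) and the use of Gem::Version for ordering are assumptions.

```ruby
require 'json'

# Constructed sample of dependency rows as they would be ingested from
# per-project SBOM artifacts (hypothetical field names, not GitLab's schema).
GROUP_DEPENDENCIES = [
  { project: 'web',    component: 'lodash', version: '4.17.21', packager: 'npm' },
  { project: 'api',    component: 'lodash', version: '4.17.15', packager: 'npm' },
  { project: 'api',    component: 'rails',  version: '7.0.4',   packager: 'bundler' },
  { project: 'worker', component: 'rails',  version: '6.1.7',   packager: 'bundler' },
  { project: 'worker', component: 'lodash', version: '4.17.21', packager: 'npm' }
].freeze

# One group-level row per (component, packager): which projects use it and
# which versions were seen. The project count drives the "projects" column.
def aggregate(rows)
  rows.group_by { |r| [r[:component], r[:packager]] }.map do |(component, packager), rs|
    { component: component,
      packager: packager,
      projects: rs.map { |r| r[:project] }.uniq.sort,
      versions: rs.map { |r| r[:version] }.uniq.sort }
  end
end

# Requirement: filter the list by component name (case-insensitive substring).
def filter_by_component(agg_rows, name)
  agg_rows.select { |r| r[:component].downcase.include?(name.downcase) }
end

# Requirement: sort by :component, :packager or :project_count (descending).
def sort_rows(agg_rows, key)
  return agg_rows.sort_by { |r| [-r[:projects].size, r[:component]] } if key == :project_count

  agg_rows.sort_by { |r| [r[key], r[:component]] }
end

# "Do I have dependency X included in any project?" -> list of projects.
def projects_using(rows, component)
  rows.select { |r| r[:component] == component }.map { |r| r[:project] }.uniq.sort
end

# "Are all projects using X on version Y or higher?" Returns the projects that
# are BELOW the minimum, so an empty array means every project complies.
def projects_below(rows, component, min_version)
  min = Gem::Version.new(min_version)
  rows.select { |r| r[:component] == component && Gem::Version.new(r[:version]) < min }
      .map { |r| r[:project] }.uniq.sort
end

# Requirement: export the aggregated dependency list as JSON.
def export_json(rows)
  JSON.pretty_generate(aggregate(rows))
end
```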
Nice to haves
Users can...
- filter the list by packager name and project name (in addition to component name)
- search for any free text in the search bar
- view the relative time of the latest successful scan on any project in the group (this is shown in the page description, for example "54 minutes ago")
Future iterations under consideration
- Include a column for the License and allow for sorting and filtering by license type
- Re-introduce vulnerabilities to each dependency as seen at the project level
These have been captured as requirements in Post-MVC Group-level Dependency List.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.