Frontend update for Continuous Vulnerability Scanning
Problem to solve
With the introduction of CVS (Continuous Vulnerability Scanning), customers may be confused by the "Last Updated [timestamp]" text on the Vulnerability Report. Previously, this indicated the last time a security job was run. With CVS, a new vulnerability can be found after the job has run, which makes the timestamp and timeline confusing for someone investigating when a vulnerability was found.
Proposal
- In all cases, update the Vulnerability Report's "last updated" widget so the text indicates "Security reports last updated [timestamp]."
- For customers who have enabled dependency scanning or container scanning, update the Vulnerability Report's "last updated" widget so the text indicates "Security reports last updated [timestamp]" and "SBOMs last updated [timestamp]."
Designs
Intended users
Rough Implementation Plan
- In ee/app/assets/javascripts/security_dashboard/vulnerability_report_init.js, add a timestamp for the pipeline types that generate SBOMs. Right now only dependency scanning actually creates SBOMs; container scanning is in progress.
- In the project-level HAML templates, define the timestamp:
  - ee/app/views/security/vulnerabilities/index.html.haml
  - ee/app/views/projects/security/vulnerability_report/index.html.haml
- Update the Ruby presenter:
  - ee/app/helpers/ee/projects_helper.rb
  - In https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/helpers/ee/projects_helper.rb#L317-336 add
    pipeline = project.latest_ingested_sbom_pipeline
  - Define the latest_ingested_sbom_pipeline helper function.
Findings to follow up on
- Looking at the code, it seems we only expose last pipeline run data at the project level. Need to confirm whether we currently see it at the group and instance levels. It appears that the UI does not show it for the group or instance levels.
See for group level: https://gitlab.com/groups/gitlab-org/-/security/vulnerabilities
Instance level: need to get a screenshot set up locally, but I'm pretty confident we don't show it.