Spike: Add "Tool with Scanner" for Group Vulnerability

Before Proposal

Frontend Implementation

  1. Expose the scanners via the data attribute in HAML
# ee/app/helpers/groups/security_features_helper.rb
scanners: VulnerabilityScanners::ListService.new(group).execute.to_json,

Spec file:

# ee/spec/helpers/groups/security_features_helper_spec.rb
scanners: '[]',
  1. Switch the group page to use the tool_filter_with_scanners component

  2. Utilize the scanners to filter the vulnerabilities (it currently uses reportType)

The GraphQL query already supports the scanner field, so we can filter the vulnerabilities by VulnerabilityScanner.externalId.


  1. Update the tool_filter_with_scanners filters to also pass reportType + scanner. Since this component is shared, we need to make sure this is also acceptable on the project page.

Backend Implementation

  1. Address the performance concerns so that the scanners data can be made available to the frontend

There are some performance concerns at the "group" and "instance (security control)" level for the tool filter on the vulnerability report. They were raised in the discussion linked here (scroll to the end; this comment describes the issue specifically).

This is problematic because there is one scanner per (project, report_type, vendor), which means that in groups with lots of scanner adoption there are around 5 scanners per project. If you have 800 projects with all these scanners enabled (a realistic possibility), then this service is returning 4000 objects.
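The following is an added example, not GitLab's own code. It models the group-level listing described above (one scanner row per project, report type and vendor, so the payload grows with the project count) next to a payload deduplicated on external_id, which is the value the vulnerability filter actually matches on; the scanner names and vulnerability records are constructed sample data.

```ruby
require 'json'

# One scanner row per (project, report_type, vendor), as the listing service returns them.
Scanner = Struct.new(:project_id, :report_type, :vendor, :external_id, keyword_init: true)

# Constructed sample: five scanner kinds enabled in every project (names are illustrative).
SCANNER_KINDS = [
  { report_type: 'sast',                vendor: 'GitLab', external_id: 'semgrep' },
  { report_type: 'dependency_scanning', vendor: 'GitLab', external_id: 'gemnasium' },
  { report_type: 'container_scanning',  vendor: 'GitLab', external_id: 'trivy' },
  { report_type: 'secret_detection',    vendor: 'GitLab', external_id: 'gitleaks' },
  { report_type: 'dast',                vendor: 'GitLab', external_id: 'zaproxy' }
].freeze

# Constructed sample vulnerabilities, each tagged with the scanner that found it.
SAMPLE_VULNERABILITIES = [
  { id: 1, report_type: 'sast', scanner: { external_id: 'semgrep' } },
  { id: 2, report_type: 'sast', scanner: { external_id: 'bandit' } },
  { id: 3, report_type: 'dast', scanner: { external_id: 'zaproxy' } }
].freeze

# Builds the rows a group of `project_count` projects would produce.
def build_group_scanners(project_count)
  (1..project_count).flat_map do |pid|
    SCANNER_KINDS.map { |kind| Scanner.new(project_id: pid, **kind) }
  end
end

# Current shape of the payload: one JSON object per row, i.e. projects * kinds objects.
def per_project_payload(scanners)
  scanners.map(&:to_h)
end

# Alternative shape (assumption, not what the project shipped): collapse rows that
# differ only by project, keeping the fields the tool filter needs.
def deduplicated_payload(scanners)
  scanners.map { |s| { report_type: s.report_type, vendor: s.vendor, external_id: s.external_id } }.uniq
end

# Mirrors the GraphQL-side filtering: keep vulnerabilities whose scanner
# externalId is among the selected ones.
def filter_by_scanner(vulnerabilities, selected_external_ids)
  vulnerabilities.select { |v| selected_external_ids.include?(v[:scanner][:external_id]) }
end

puts per_project_payload(build_group_scanners(800)).size   # 4000 objects for 800 projects
puts deduplicated_payload(build_group_scanners(800)).to_json
```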

Because of this, scanners are being removed at the Group and Instance level: !130059 (merged)

Edited by Samantha Ming