Activity Filter Walkthrough
Relevant links:
- Docs: https://docs.gitlab.com/ee/user/application_security/vulnerability_report/#activity-filter
- Example: hasRemediation
UI
- Vulnerabilities List
- Vulnerability Count
- Filter badge
(Screenshots: filter and badge)
Pages
- Project: https://gitlab.com/gitlab-org/security-products/oxeye/dogfooding/generic/oxeye-rulez/-/security/vulnerability_report
- Group: https://gitlab.com/groups/gl-demo-ultimate-sming/-/security/vulnerabilities
- Instance (Security Control):
GraphQL Value
| Filter | GraphQL (Boolean) |
|---|---|
| Detection | hasResolution |
| Issue | hasIssues |
| MR | hasMergeRequest |
| Solution | hasRemediations |
FE Code
vulnerability_severities_count!!!
ee/app/assets/javascripts/security_dashboard/components/shared/filters/activity_filter.vue
// GraphQL
ee/app/assets/javascripts/security_dashboard/graphql/queries/group_vulnerabilities.query.graphql
ee/app/assets/javascripts/security_dashboard/graphql/queries/instance_vulnerabilities.query.graphql
ee/app/assets/javascripts/security_dashboard/graphql/queries/project_vulnerabilities.query.graphql
ee/app/assets/javascripts/security_dashboard/graphql/queries/vulnerability_severities_count.query.graphql
Proposal
Note: the focus is on Vulnerability Resolution; Vulnerability Explanation can be tackled later.
A. Make new field available in the GraphQL endpoints:
- Group.vulnerabilities
- Group.vulnerabilitySeveritiesCount
- InstanceSecurityDashboard.vulnerabilitySeveritiesCount
- Query.vulnerabilities
- Project.vulnerabilities
- Project.vulnerabilitySeveritiesCount
Example:
B. Possible Names
Actual text will need to be confirmed with TW (@rdickenson).
hasAiResolution: Boolean
"Has AI Resolution | Does not have AI Resolution"
hasAiExplanation: Boolean
"Has AI Explanation | Does not have AI Explanation"
C. Make "glAbilities" available on the Vulnerability Report
All the AI features are behind some sort of ability; we should do the same for the Vulnerability Report page.
Ex: Vulnerability Details Page
glAbilities.resolveVulnerabilityWithAi
glAbilities.explainVulnerabilityWithAi
push_frontend_ability(ability: :explain_vulnerability_with_ai, resource: vulnerability, user: current_user)
push_frontend_ability(ability: :resolve_vulnerability_with_ai, resource: vulnerability, user: current_user)
The FE will only display this filter if the user has all the proper configuration:
- Setting Configuration "Use GitLab Duo Features"
- Unit Primitives / Cloud connector configuration
- ...others
Badge
It uses the same .vulnerabilities GraphQL endpoint, so on the FE we can re-use this logic to display the "AI" badge.
Example: solution-badge
- checks hasRemediations - MR: Add remediation badge to vulnerability report (!142455 - merged)
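As an added example (not GitLab's code), this ties together the filter-to-variable mapping from the GraphQL table above, the proposed hasAiResolution field from section B, the glAbilities gating from section C, and the badge reuse described here; the group keys, the 'has'/'not' option names and the function names are assumptions.

```javascript
// Added example, not GitLab code: maps Activity filter selections to the
// boolean GraphQL variables from the table above, plus the proposed
// hasAiResolution field, gated on glAbilities.resolveVulnerabilityWithAi.

// Filter group -> GraphQL variable. The first four are existing; the AI one
// is the proposed name from section B (hypothetical until it lands).
const ACTIVITY_GROUPS = {
  detection: 'hasResolution',
  issue: 'hasIssues',
  mr: 'hasMergeRequest',
  solution: 'hasRemediations',
  aiResolution: 'hasAiResolution',
};

// Groups the FE should render for this user: the AI group is only offered
// when the ability was pushed (push_frontend_ability on the BE).
function visibleActivityGroups(glAbilities = {}) {
  return Object.keys(ACTIVITY_GROUPS).filter(
    (group) => group !== 'aiResolution' || Boolean(glAbilities.resolveVulnerabilityWithAi),
  );
}

// selected maps a group to the chosen options, e.g. { mr: ['has', 'not'] }.
// 'has' -> true, 'not' -> false, both or neither -> variable omitted.
// Selections for groups the user cannot see are dropped, so a hidden AI
// option cannot leak into the query variables.
function buildActivityVariables(selected, glAbilities = {}) {
  const allowed = new Set(visibleActivityGroups(glAbilities));
  const variables = {};
  for (const [group, choices] of Object.entries(selected)) {
    if (!allowed.has(group)) continue;
    const has = choices.includes('has');
    const not = choices.includes('not');
    if (has === not) continue; // both or neither selected: no filter
    variables[ACTIVITY_GROUPS[group]] = has;
  }
  return variables;
}

// Badge logic reusing the same fields the vulnerabilities query returns:
// 'solution' mirrors the existing remediation badge, 'ai' is the proposed one.
function activityBadges(vulnerability, glAbilities = {}) {
  const badges = [];
  if (vulnerability.hasRemediations) badges.push('solution');
  if (vulnerability.hasAiResolution && glAbilities.resolveVulnerabilityWithAi) badges.push('ai');
  return badges;
}
```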
Questions
- For glAbilities.resolveVulnerabilityWithAi, I believe it's restricted to the high confidence CWE. For the vulnerability report page, we probably don't need that? - Possible MVC?
- Could we just filter the vulnerability report by "report type === SAST"?
- The FE will still call the new endpoint,
- But on the BE, it could just reuse the existing "report type === SAST"
- And we have a more robust solution, only the BE will need to update the filter logic
Edited by Samantha Ming