
Split the "Tool" filter into separate filters for "Scanner" and "Report Type"

Why are we doing this work

Currently, the filters for Scanner and Report Type are incomplete and unreliable. The Tool filter assumes each scanner produces only one type of vulnerability, but some scanners (e.g. the GitLab SBoM Vulnerability Scanner) generate several report types (e.g. Dependency Scanning and Container Scanning). At the moment the filter only passes the scanner argument to the GraphQL query and never the report_type argument, so selecting a tool returns every report type that scanner produces. This is the reason for the incomplete filtering.
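The following is an added example, not code from GitLab, that models the behaviour described above: a single Tool filter that resolves to a scanner argument cannot distinguish the report types one scanner emits, while independent Scanner and Report Type filters sent as separate query arguments can. The vulnerability records, the tool-to-scanner mapping and the scanner ids are constructed sample data, and the argument names `scanner` and `reportType` (the issue refers to the latter as report_type) are assumptions about the query shape.

```javascript
// Added example (not GitLab code): why a scanner-only filter is incomplete
// and how separate Scanner / Report Type filters fix it. All data below is
// constructed; the argument names `scanner` and `reportType` are assumed.

// Constructed sample: one scanner emits two different report types.
const VULNERABILITIES = [
  { id: 1, scanner: 'gitlab-sbom-vulnerability-scanner', reportType: 'DEPENDENCY_SCANNING' },
  { id: 2, scanner: 'gitlab-sbom-vulnerability-scanner', reportType: 'CONTAINER_SCANNING' },
  { id: 3, scanner: 'trivy', reportType: 'CONTAINER_SCANNING' },
  { id: 4, scanner: 'semgrep', reportType: 'SAST' },
];

// Assumed mapping behind the old single "Tool" filter: every tool entry
// resolves to exactly one scanner id, so the report type is lost.
const TOOL_TO_SCANNER = {
  'Dependency Scanning': 'gitlab-sbom-vulnerability-scanner',
  'Container Scanning': 'gitlab-sbom-vulnerability-scanner',
  SAST: 'semgrep',
};

// Old behaviour: the Tool selection becomes only a `scanner` argument.
function oldToolFilterVariables(tool) {
  return { scanner: [TOOL_TO_SCANNER[tool]] };
}

// New behaviour: Scanner and Report Type are independent filters, each
// becoming its own query argument, omitted when nothing is selected.
function newFilterVariables({ scanners = [], reportTypes = [] } = {}) {
  const variables = {};
  if (scanners.length) variables.scanner = scanners;
  if (reportTypes.length) variables.reportType = reportTypes;
  return variables;
}

// Stand-in for the server side: apply whichever arguments are present.
function queryVulnerabilities(variables, data = VULNERABILITIES) {
  return data.filter(
    (v) =>
      (!variables.scanner || variables.scanner.includes(v.scanner)) &&
      (!variables.reportType || variables.reportType.includes(v.reportType)),
  );
}

// Ids of the returned rows, used to compare the two behaviours.
function ids(rows) {
  return rows.map((v) => v.id);
}

// Old filter: asking for "Container Scanning" also returns the dependency
// scanning finding, because only the scanner was sent.
console.log(ids(queryVulnerabilities(oldToolFilterVariables('Container Scanning')))); // [1, 2]

// New filters: report type alone returns every container scanning finding
// regardless of scanner, and combining both narrows to exactly one row.
console.log(ids(queryVulnerabilities(newFilterVariables({ reportTypes: ['CONTAINER_SCANNING'] })))); // [2, 3]
console.log(
  ids(
    queryVulnerabilities(
      newFilterVariables({
        scanners: ['gitlab-sbom-vulnerability-scanner'],
        reportTypes: ['CONTAINER_SCANNING'],
      }),
    ),
  ),
); // [2]
```

The point of the model is the second call: with the old mapping there is no combination of tool values that yields only the container scanning finding from the SBoM scanner, whereas the split filters express it directly.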

The Tool column across multiple views (Vulnerability Report, Vulnerability Single View, and Pipeline Scanning Security Results) actually displays Report Type values, so its header does not match its content and confuses users.

Relevant links

Information that the developer might need to refer to when implementing the issue.

Non-functional requirements

  • Documentation: We will need to change the documentation here
  • Feature flag: Yes, for development and de-risk purposes we are working behind the feature flag vulnerability_report_type_scanner_filter. See feature flag rollout issue
  • Performance: Ensure no delays in rendering updated columns and filters
  • Testing: Ensure frontend tests cover filter interactions and column header updates.

Implementation plan

This issue will be broken down into multiple smaller issues and MRs for better manageability and a more organized process. This change will be gated behind the new feature flag vulnerability_report_type_scanner_filter.

Verification Steps

Project Level

Renamed Tool Header

  1. Go to: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report . The second to last column should be called Report type.
  2. Click on one of the vulnerabilities. With the feature flag enabled there should be a category shown in the vulnerability called Report Type.
  3. Go to one of the security pipelines. Just like for the Vulnerability Report overview, there should be a column with the header Report Type when the feature flag is enabled.

Scanner Filter

  1. Go to: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report
  2. Look for the Scanner option when you open the Search/Filter menu. It should appear alongside other filter options.
  3. After clicking Scanner, you'll see a list of available scanners you can filter by.
  4. Pick any scanner from the list - you'll notice the Filter/Search updates to show "Scanner || [your selected scanner]".

Report Type Filter

  1. Go to: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report
  2. Look for the Report type option when you open the Search/Filter menu. It should appear alongside other filter options.
  3. After clicking Report type, you'll see a list of available Report Types you can filter by. Please note that only the Report types should be shown, not the scanners.
  4. Pick any Report type from the list. Only the vulnerabilities that have this Report Type will now be shown. When looking at the Filter/Search bar, you should see: "Report type || [your selected report type]"

Display Scanner Vendor Name on Hover over Report type cell

  1. Go to: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report
  2. Hover over a Report type cell. Once this issue is implemented, a tooltip should appear showing the scanner vendor, e.g. Vendor: scannername. (See design under relevant links)

Group Level

Renamed Tool Header on Group Level

  1. Go to https://gitlab.com/groups/gitlab-org/-/security/vulnerabilities
  2. The second to last column should be called Report type.
  3. Click on the Search/Filter bar. Scanner should not appear as a filter option here.
Edited by Charlie Kroon