Backend - Expose malware package status in APIs

TL;DR

Add a malware field to the vulnerability and dependency API responses so that the frontend can display malware badges.

Background

The backend architecture for storing malicious package data is still being finalized. See:

This issue outlines the API requirements that the frontend needs. Implementation details should be refined by the backend engineer once the data storage approach is decided.

API Requirements

GraphQL (Required)

Type               Field    Return Type         Description
VulnerabilityType  malware  Boolean (nullable)  Malware status (see values below)
DependencyType     malware  Boolean (nullable)  Malware status (see values below)

Schema Changes

# VulnerabilityType - used for both Group- and Project Reports

type Vulnerability {
  # ... existing fields ...
  """
  Indicates whether the vulnerability is associated with a malware package.
  Returns `null` if the feature is not available.
  """
  malware: Boolean
}

# DependencyInterface (applies to both Dependency and DependencyAggregation types)

interface DependencyInterface {
  # ... existing fields ...
  """
  Indicates whether the dependency is malware.
  Returns `null` if the feature is not available.
  """
  malware: Boolean
}

Field Values (License Gating)

The malware field is nullable to support license gating:

Value  Meaning
true   Malware package detected
false  Not a malware package
null   Feature not available (SSCS add-on not active)

This allows the frontend to distinguish between "not malware" and "feature not available" to show appropriate messaging/upsell.

REST - Dependencies (Conditional)

Endpoint                                     Field    Required?
GET {groupNamespace}/-/dependencies.json     malware  Conditional - see migration note below

GraphQL Migration Note

  • Project-level dependencies: Fully migrated to GraphQL. No REST API changes needed.
  • Group-level dependencies: Migration is WIP (&17254). If migration has not completed when this work is picked up, both GraphQL and REST APIs will need to be updated.

Acceptance Criteria

  • GraphQL VulnerabilityType.malware field available
  • GraphQL DependencyType.malware field available (project + group)
  • REST GET /api/v4/groups/:id/dependencies includes malware field (if group-level migration not complete)
  • Field correctly identifies malware based on identifiers (CWE-506 and/or malware prefix - see context below)

Context

Malware Identification (PENDING DECISION)

Malware can be identified by:

  • CWE-506 (Embedded Malicious Code) - always present for malware
  • Malware identifier prefix (GLAM-*)

The implementation should be flexible to accommodate the final identifier format decision.
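As an added illustration (not GitLab's code), the following Ruby helper shows how a resolver for the nullable `malware` field could combine the license gating from the Field Values table with the two identifier signals above, accepting either CWE-506 or the GLAM- prefix so it survives the pending format decision. The `Identifier` struct, the `MalwareStatus` module and the sample identifier values are assumptions constructed for the example.

```ruby
# Hypothetical stand-in for a vulnerability identifier record (constructed
# for this example; the real model carries more attributes).
Identifier = Struct.new(:external_type, :external_id, :name, keyword_init: true)

module MalwareStatus
  # CWE-506 (Embedded Malicious Code) is always present for malware.
  MALWARE_CWE_ID = '506'
  # Prefix of the malware-specific identifier (GLAM-*).
  MALWARE_PREFIX = 'GLAM-'

  # Either signal marks the identifier as malware-related, so the resolver
  # keeps working whichever identifier format is finally chosen.
  def self.malware_identifier?(identifier)
    cwe_match = identifier.external_type.to_s.casecmp?('cwe') &&
                identifier.external_id.to_s == MALWARE_CWE_ID
    prefix_match = identifier.name.to_s.start_with?(MALWARE_PREFIX) ||
                   identifier.external_id.to_s.start_with?(MALWARE_PREFIX)
    cwe_match || prefix_match
  end

  # Three-valued result matching the issue's table:
  #   nil   -> feature not available (add-on inactive)
  #   true  -> at least one malware identifier attached
  #   false -> identifiers inspected, none malware-related
  # The license check runs first so a gated response never reveals the
  # underlying true/false classification.
  def self.resolve(identifiers, feature_available:)
    return nil unless feature_available

    identifiers.any? { |id| malware_identifier?(id) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data; the GLAM value is a placeholder, not a real id.
  cwe  = Identifier.new(external_type: 'cwe', external_id: '506', name: 'CWE-506')
  glam = Identifier.new(external_type: 'glam', external_id: 'GLAM-EXAMPLE-1', name: 'GLAM-EXAMPLE-1')
  cve  = Identifier.new(external_type: 'cve', external_id: 'CVE-0000-0000', name: 'CVE-0000-0000')
  p MalwareStatus.resolve([cwe, cve], feature_available: true)   # true
  p MalwareStatus.resolve([glam], feature_available: true)       # true
  p MalwareStatus.resolve([cve], feature_available: true)        # false
  p MalwareStatus.resolve([cwe], feature_available: false)       # nil
end
```

The frontend can then branch on `nil` for the upsell message and on `true`/`false` for the badge, exactly as the Field Values table describes.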

Estimate

/estimate [BE estimate pending]

Dependencies

Edited by David Pisek