Frontend - Customize Vulnerability Details page

TL;DR

Hide irrelevant fields (Solution, CVSS, EPSS, KEV) and ensure malware-specific fields display correctly on the Vulnerability Details page.

Acceptance Criteria

Fields to HIDE for malware vulnerabilities

  • Solution field: Hidden (legal liability concern - we cannot advise remediation)
  • CVSS score section: Hidden (not applicable to malware)
  • EPSS score section: Hidden (not applicable to malware)
  • KEV status: Hidden (not applicable to malware)

Fields to SHOW for malware vulnerabilities

  • Name: Formatted as "Malware in <package name>" (from GLAD data)
  • Reachability: Show "In use" or "Not available" status
  • Location: Display file path where malware package was detected
  • Evidence section: Display "Malware package: <package_name>"
  • CWE-506 identifier: Displayed and links to MITRE (https://cwe.mitre.org/data/definitions/506.html)
  • Malware identifier: Displayed and links to GitLab Advisory Database (format TBD - see note below)
  • Links section: GitLab Advisory DB, GitHub Advisory DB, any other GLAD-provided links

General

  • Behind feature flag malicious_package_badges
  • All existing fields continue to work for CVE vulnerabilities

Context

Identifier Format (PENDING DECISION)

Per discussion in &20538 (closed):

  • MAL-* identifiers are owned by OpenSSF, so GitLab cannot use them
  • Proposed format: GLAM-* or similar
  • Implementation should handle whatever prefix is decided

The identifier linking logic should be flexible to accommodate the final decision.

Implementation Details

GraphQL Field Availability

The malware field may not be available on all GitLab instances immediately. Use the @gl_introduced directive for graceful degradation:

malware @gl_introduced

Notes:

  • Executable directives don't support arguments
  • For fragments, use the directive in the fragment nodes

See GraphQL style guide - Mitigation.

Files to Modify

  • ee/app/assets/javascripts/vulnerabilities/components/vulnerability.vue - Main details component
  • ee/app/assets/javascripts/vulnerabilities/components/solution.vue - Add conditional for malware
  • ee/app/assets/javascripts/vulnerabilities/components/severity.vue - Hide CVSS for malware
  • ee/app/assets/javascripts/vulnerabilities/components/identifiers.vue - Ensure malware identifier links work
  • ee/app/assets/javascripts/vulnerabilities/graphql/vulnerability.query.graphql - Ensure malware included

Implementation Approach

  1. Add computed properties to check vulnerability.malware for conditional rendering
  2. Hide enrichment data (CVSS/EPSS/KEV) when malware is true
  3. Hide solution section when malware is true
  4. Update identifier linking to handle malware identifier patterns and link to appropriate URLs:
    • CWE-506 → MITRE CWE database
    • GLAD-MAL-* → GitLab Advisory Database malware section
  5. Ensure reachability, location, and evidence sections display for malware vulnerabilities
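As an added example (not GitLab's own code, and not taken from the files listed above), the helpers below show the conditional-rendering and identifier-linking logic from steps 1-5 as plain functions that a Vue component could wrap in computed properties. Assumptions: the GitLab Advisory Database malware URL, the default `GLAM` prefix (the prefix is a parameter because the decision is pending), the section names, the `location.dependency.package.name` shape used for the package name, and the sample vulnerability objects, which are constructed here. The http(s)-only check on scanner-provided URLs is an added hardening step, not something the issue specifies.

```javascript
// Added example, not GitLab's own code. URLs, prefix, section names and the
// `location` shape are assumptions; the MITRE CWE URL is the one the issue gives.
const MITRE_CWE_URL = 'https://cwe.mitre.org/data/definitions/';
const GLAD_MALWARE_URL = 'https://advisories.gitlab.com/malware/'; // assumed
const DEFAULT_MALWARE_PREFIX = 'GLAM'; // assumed; final prefix is pending

// Sections the issue says must be hidden for malware vulnerabilities.
const ENRICHMENT_SECTIONS = ['solution', 'cvss', 'epss', 'kev'];
// Sections that must render for every vulnerability type.
const CORE_SECTIONS = ['name', 'reachability', 'location', 'evidence', 'identifiers', 'links'];

// `malware` may be absent on instances where the GraphQL field is not yet
// exposed (@gl_introduced strips it), so anything other than an explicit
// `true` is treated as "not malware" and the page keeps its CVE behaviour.
function isMalware(vulnerability) {
  return vulnerability?.malware === true;
}

function visibleSections(vulnerability) {
  return isMalware(vulnerability)
    ? [...CORE_SECTIONS]
    : [...CORE_SECTIONS, ...ENRICHMENT_SECTIONS];
}

// Evidence text in the exact form the acceptance criteria require.
function evidenceText(vulnerability) {
  if (!isMalware(vulnerability)) return vulnerability?.evidence ?? null;
  const pkg = vulnerability?.location?.dependency?.package?.name ?? 'unknown'; // assumed shape
  return `Malware package: ${pkg}`;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Resolve the link for one identifier. The malware prefix is a parameter so
// callers and tests are not coupled to the final GLAM-vs-other decision.
function identifierUrl(identifier, { malwarePrefix = DEFAULT_MALWARE_PREFIX } = {}) {
  const id = String(identifier?.externalId ?? '').trim();

  // CWE-506 (and any other CWE) -> MITRE definition page.
  const cwe = /^CWE-(\d+)$/i.exec(id);
  if (cwe) return `${MITRE_CWE_URL}${cwe[1]}.html`;

  // <prefix>-* -> GitLab Advisory Database malware section.
  const malware = new RegExp(`^${escapeRegExp(malwarePrefix)}-(.+)$`, 'i').exec(id);
  if (malware) return `${GLAD_MALWARE_URL}${encodeURIComponent(id)}`;

  // Anything else (CVE, GHSA, ...): keep the URL the report provided, but only
  // when it is http(s), so a crafted report cannot smuggle in a javascript: link.
  const provided = identifier?.url;
  if (typeof provided === 'string' && /^https?:\/\//i.test(provided)) return provided;
  return null;
}

// Constructed sample data (not from a real GLAD record).
const sampleMalware = {
  malware: true,
  location: { dependency: { package: { name: 'totally-fine-utils' } } },
  identifiers: [{ externalId: 'CWE-506' }, { externalId: 'GLAM-2025-0001' }],
};
const sampleCve = {
  malware: false,
  identifiers: [{ externalId: 'CVE-2024-0001', url: 'https://nvd.nist.gov/vuln/detail/CVE-2024-0001' }],
};

for (const v of [sampleMalware, sampleCve]) {
  console.log(visibleSections(v).join(','), '|', evidenceText(v));
  for (const ident of v.identifiers) console.log(' ', ident.externalId, '->', identifierUrl(ident));
}
```

Because the prefix is injected, a component test can pass `{ malwarePrefix: 'GLAD-MAL' }` or whatever is finally chosen without rewriting the assertions, which is what the "flexible for identifier prefix changes" item under Testing Approach asks for.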

Testing Approach

  • Component tests: Solution hidden when malware: true
  • Component tests: CVSS/EPSS/KEV hidden when malware: true
  • Component tests: All fields shown for CVE vulnerabilities
  • Component tests: CWE-506 links to correct MITRE URL
  • Component tests: Malware identifier links to GitLab Advisory DB
  • Snapshot tests comparing malware vs CVE rendering
  • Tests should be flexible for identifier prefix changes

Estimate

/estimate 3d

Dependencies

Edited by David Pisek