Backend - Add filtering support to Dependency APIs

TL;DR

Add malware filter parameter to dependency APIs so users can filter dependency lists by malware status.

Background

The backend architecture for storing malware package data is still being finalized. See:

This issue outlines the API requirements that the frontend needs. Implementation details should be refined by the backend engineer once the data storage approach is decided.

API Requirements

GraphQL (Required)

# Project-level
query {
  project(fullPath: "...") {
    dependencies(malware: true) {  # NEW PARAMETER
      nodes { ... }
    }
  }
}

# Group-level
query {
  group(fullPath: "...") {
    dependencies(malware: true) {  # NEW PARAMETER
      nodes { ... }
    }
  }
}

REST (Conditional)

Endpoint                                         | Required?
GET /api/v4/projects/:id/dependencies            | No - fully migrated to GraphQL
GET /api/v4/groups/:id/dependencies?malware=true | Conditional - see migration note below

GraphQL Migration Note

  • Project-level dependencies: Fully migrated to GraphQL. No REST API changes needed.
  • Group-level dependencies: Migration is WIP (&17254). If migration has not completed when this work is picked up, both GraphQL and REST APIs will need the filter parameter.

Filter Behavior

Parameter Value | Expected Result
true            | Returns only malware dependencies
false           | Returns only non-malware dependencies
null/omitted    | Returns all dependencies (current behavior)

The filter must work in combination with existing filters (license, package manager, etc.).

License Gating

When the SSCS add-on is not active, the filter parameter should be ignored or return an empty result (TBD). The malware field on returned items will be null to indicate the feature is not available (see Backend - Expose malware status in APIs).

Acceptance Criteria

  • GraphQL project.dependencies accepts malware: Boolean argument
  • GraphQL group.dependencies accepts malware: Boolean argument
  • REST group endpoint accepts malware param (if not migrated to GraphQL)
  • Filter correctly identifies malware based on identifiers
  • Filter combines with existing filters

Context

Malware Identification

Malware can be identified by:

  • CWE-506 (Embedded Malicious Code) - always present for malware
  • Malware identifier prefix - format: GLAM-*
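The following is an added example, not GitLab's own resolver or finder code. It shows the tri-state filter from the Filter Behavior table (true / false / omitted), combined with existing filters, and applied using the two identification rules above (CWE-506 present, or an identifier with the GLAM- prefix). The dependency hash shape, the sample records and their identifiers, and the choice to ignore the filter when the SSCS add-on is inactive (one of the two TBD options) are all assumptions made for the example.

```ruby
# Added example (not GitLab's code): tri-state "malware" filter over an
# in-memory dependency list, using the identification rules from the issue.

MALWARE_CWE    = "CWE-506".freeze   # always present for malware
MALWARE_PREFIX = "GLAM-".freeze     # malware identifier prefix

# Constructed sample data. The hash shape and every identifier value here
# are made up for the example and are not taken from any real advisory.
SAMPLE_DEPENDENCIES = [
  { name: "left-pad",   package_manager: "npm", licenses: ["MIT"],
    identifiers: [] },
  { name: "evil-pkg",   package_manager: "npm", licenses: ["MIT"],
    identifiers: ["CWE-506", "GLAM-0000-0001"] },
  { name: "requests",   package_manager: "pip", licenses: ["Apache-2.0"],
    identifiers: ["CVE-0000-0001"] },          # vulnerable, but not malware
  { name: "sneaky-lib", package_manager: "pip", licenses: ["GPL-3.0"],
    identifiers: ["GLAM-0000-0002"] },
].freeze

# A dependency is malware if it carries CWE-506 or any GLAM-* identifier.
def malware?(dependency)
  ids = dependency[:identifiers]
  ids.include?(MALWARE_CWE) || ids.any? { |id| id.start_with?(MALWARE_PREFIX) }
end

# malware:         true, false or nil, exactly as in the Filter Behavior table.
# licenses / package_manager: stand-ins for the existing filters the new one
#                  must combine with.
# sscs_active:     when false the malware filter is ignored (assumed option)
#                  and the malware field on each item is nil.
def filter_dependencies(dependencies, malware: nil, licenses: nil,
                        package_manager: nil, sscs_active: true)
  result = dependencies
  result = result.select { |d| d[:package_manager] == package_manager } if package_manager
  result = result.select { |d| (d[:licenses] & licenses).any? } if licenses

  # Test for nil explicitly: `if malware` would silently drop the false case,
  # turning "only non-malware" into "all dependencies".
  if sscs_active && !malware.nil?
    result = result.select { |d| malware?(d) == malware }
  end

  result.map { |d| d.merge(malware: sscs_active ? malware?(d) : nil) }
end

# Convenience for inspection: names only.
def filtered_names(**opts)
  filter_dependencies(SAMPLE_DEPENDENCIES, **opts).map { |d| d[:name] }
end

if __FILE__ == $PROGRAM_NAME
  p filtered_names(malware: true)
  p filtered_names(malware: false)
  p filtered_names(malware: true, package_manager: "pip")
  p filter_dependencies(SAMPLE_DEPENDENCIES, malware: true, sscs_active: false)
end
```

The explicit `nil` check is the one detail worth carrying into a real resolver: a Boolean argument that defaults to `nil` must distinguish "omitted" from `false`, or the "non-malware only" row of the table can never be satisfied.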

Estimate

/estimate [BE to provide]

Dependencies
