
Filter vulnerabilities shown on the Project Dependency List page

Nick Malcolm requested to merge 353487-vuln-filter into master

What does this MR do and why?

See Make Project Dependency List page show only act... (#353487)

We want to only show detected and confirmed vulnerabilities on the Dependency List page. Dismissed and resolved vulnerabilities have little to no relevance to the SBOM feature: they can be viewed on the Vulnerability Dashboard if needed.

There are two places this needs to occur: the vulnerability count shown next to each SBOM Occurrence, and then the asynchronously loaded list of vulnerabilities for each Occurrence.

  • The filtering is done via the Controller / API endpoints with optional params
  • The filter params are sent from the frontend: this will be feature flagged by group so that it can be rolled out incrementally / only enabled for GitLab's groups if needed

What is NOT in this MR

  • This MR does not affect the Group Dependency List
  • There is no UI to toggle this, no configuration option, etc.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

| What | Before | After (with FF disabled) | After (with FF enabled) |
| --- | --- | --- | --- |
| Project Dependency List page | before-projects-collapsed | after-ff-disabled-proj-collapsed | after-projects-collapsed |
| Project Dependency List page with Nokogiri expanded | before-project-expanded | after-ff-disabled-proj-expanded | after-projects-expanded |
| Group Dependency List page | | after-group-collapsed | N/A (no Group FF) |
| Group Dependency List page with Nokogiri expanded | | after-group-expanded | N/A (no Group FF) |

How to set up and validate locally

Pre-work

To test this you need a project with dismissed vulnerable dependencies.

  1. Make your own, or clone https://gitlab.com/nmalcolm-public/vulnerable-dependencies
  2. Ensure a pipeline runs and vulnerabilities are detected
  3. Change the state of some vulnerabilities to dismissed, resolved, confirmed, etc.

Detected and Confirmed vulnerabilities are "active" states. Resolved and dismissed vulnerabilities are "passive" states. See https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/ee/vulnerability.rb#L21-22
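The following is an added illustration of the state filter described above (optional `vulnerability_states[]` param on the endpoints, with detected/confirmed as the active states); it is not GitLab's code, and the `Occurrence`/`Vulnerability` structs and sample data are constructed for the example. It also shows the check a defender wants on such a param: unknown state values are rejected rather than passed through, and an absent param keeps the unfiltered (FF-disabled) behaviour.

```ruby
# Active vs passive vulnerability states, as described in this MR.
ACTIVE_STATES  = %w[detected confirmed].freeze
PASSIVE_STATES = %w[dismissed resolved].freeze
ALL_STATES     = (ACTIVE_STATES + PASSIVE_STATES).freeze

# Hypothetical SBOM occurrence: a dependency plus its vulnerabilities
# (constructed for this example, not GitLab's models).
Occurrence    = Struct.new(:name, :vulnerabilities)
Vulnerability = Struct.new(:id, :state)

# Normalise the optional `vulnerability_states[]` request param.
# Absent/empty  -> no filtering (what the page calls FF-disabled behaviour).
# Unknown value -> rejected, so a client cannot pass arbitrary strings
#                  through to the query layer.
def parse_states(param)
  return ALL_STATES if param.nil? || param.empty?

  states  = Array(param).map(&:to_s).uniq
  unknown = states - ALL_STATES
  raise ArgumentError, "unknown vulnerability_states: #{unknown.join(', ')}" unless unknown.empty?

  states
end

# The per-occurrence list that the expanded row loads asynchronously.
def filter_vulnerabilities(occurrence, states_param = nil)
  states = parse_states(states_param)
  occurrence.vulnerabilities.select { |v| states.include?(v.state) }
end

# The count shown next to each dependency.
def vulnerability_count(occurrence, states_param = nil)
  filter_vulnerabilities(occurrence, states_param).size
end

# Constructed sample data: one active pair and one passive pair.
NOKOGIRI = Occurrence.new("nokogiri", [
  Vulnerability.new(1, "detected"),
  Vulnerability.new(2, "confirmed"),
  Vulnerability.new(3, "dismissed"),
  Vulnerability.new(4, "resolved")
])

if __FILE__ == $0
  puts vulnerability_count(NOKOGIRI)                # no filter   -> 4
  puts vulnerability_count(NOKOGIRI, ACTIVE_STATES) # active only -> 2
end
```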

Validate FF-disabled behaviour

  1. Check out 353487-vuln-filter
  2. Visit your project's home page
  3. In the sidebar, select Secure > Dependency list
  4. Note the vulnerability counts shown to the right of each dependency; all vulnerabilities are counted.
  5. Expand the vulnerable dependencies. Note that all vulnerabilities are present.
  6. (Optional) Observe the above behaviour for the project's parent group.
  7. Observe that you can GET the Project Dependencies endpoint with the filters, even though the FF is disabled. The counts should change. E.g. in a new tab:
     https://gdk.test:3443/YOURNAMESPACE/YOURPROJECT/-/dependencies.json?vulnerability_states[]=detected&vulnerability_states[]=confirmed
  8. Observe that you can GET the Occurrences API with the filters, even though the FF is disabled. The array should have different values depending on the filters. E.g. in a new tab:
     https://gdk.test:3443/api/v4/occurrences/vulnerabilities?id=OCCURRENCE_ID_HERE&vulnerability_states[]=confirmed&vulnerability_states[]=detected
    • You can get an OCCURRENCE ID by looking at the network requests when you expand a dependency.

Validate FF-enabled behavior

  1. In the Rails console, fully enable the feature flag for your project:
     Feature.enable(:project_dependencies_show_only_active_vulnerabilities, your_project)
  2. Navigate to the project dependency list
  3. Note the vulnerability counts shown to the right of each dependency. It counts only ACTIVE vulnerabilities.
  4. Expand the vulnerable dependencies. Note that only ACTIVE vulnerabilities are present.
  5. Navigate to the project's parent group, then Security > Dependency List
  6. Note that the vulnerability counts, and the expanded lists, show all vulnerabilities.

Closes #353487

Edited by Nick Malcolm
