Add project vulnerabilities history to the pdf export

What does this MR do and why?

Context

In a previous MR we started consuming SVG data from the frontend "vulnerabilities over time" dashboard, with the idea of rendering it in the pdf report.

Some additional context:

  1. The entire PDF reporting feature is behind a feature flag (both backend and frontend ingress points).
  2. This report is under active development. After the first drafts of the three main pdf components are in (this MR is 1/3), Design will be putting the pdf under a microscope. There will be "fit and finish" type issues, which are opportunities to iterate on the components.
  3. The pdf components themselves (files under lib/gitlab/pdf/security/*) are disposable. If a new design comes in, writing a new component from scratch is ideal. The Prawn code is all UI-and-layout-specific code that is necessarily heavily coupled to the design.

This change

For the pdf component there are 3 main elements

  1. The report title
  2. The SVG from the front end
  3. The key for the chart

The SVG

There is some pre-processing of the SVG required:[1]

  1. remove the SVG from the "data:image/svg+xml;charset=UTF-8, ... " wrapper
  2. URL-decode the string
  3. replace CSS variables with hard-coded colors[2]
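The three steps above as one Ruby pipeline. This is an added example, not the MR's own lib/gitlab/pdf/security code: the CSS variable names and hex colours in the palette are assumptions, the sample data URI is constructed for the example, and it goes a little beyond the list by also accepting a ";base64" payload and resolving nested var() fallbacks inside-out. A variable that is neither in the palette nor carries a fallback is treated as an error, since prawn-svg would otherwise render a broken chart silently.

```ruby
require 'base64'

# Added example (not GitLab's lib/gitlab/pdf/security code): the three SVG
# pre-processing steps as one pipeline. Palette names/colours are assumptions.
module PdfSvgPrep
  class Error < StandardError; end

  # Hypothetical palette: CSS variable name => hard-coded colour for prawn-svg.
  SEVERITY_COLORS = {
    'severity-critical' => '#660e00',
    'severity-high'     => '#ae1800',
    'severity-medium'   => '#9e5400',
    'severity-low'      => '#c17d10',
    'severity-info'     => '#428fdc',
    'severity-unknown'  => '#868686'
  }.freeze

  # "data:image/svg+xml;charset=UTF-8," (any ;key=value params), then the payload.
  DATA_URI = %r{\Adata:image/svg\+xml((?:;[\w-]+(?:=[\w-]+)?)*),}
  # var(--name) or var(--name, fallback). A fallback containing parentheses is not
  # matched directly; such nesting is resolved inside-out by the recursion below.
  CSS_VAR = /var\(\s*--([\w-]+)\s*(?:,\s*([^()]*?)\s*)?\)/

  # Constructed sample of what the frontend posts (a tiny chart, not the real dashboard SVG).
  SAMPLE_DATA_URI = 'data:image/svg+xml;charset=UTF-8,' \
    '%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%2010%2010%22%3E' \
    '%3Cpath%20stroke%3D%22var(--severity-critical)%22%20d%3D%22M0%200L10%2010%22%2F%3E' \
    '%3Crect%20fill%3D%22var(--chart-grid%2C%20%23ccc)%22%20width%3D%225%22%20height%3D%225%22%2F%3E' \
    '%3C%2Fsvg%3E'

  # Step 1: peel off the data-URI wrapper. Returns [params, payload].
  def self.unwrap(data_uri)
    m = DATA_URI.match(data_uri) or raise Error, 'not an SVG data URI'
    [m[1], data_uri[m[0].length..]]
  end

  # Step 2: undo the URL encoding. A plain percent decoder is used rather than
  # URI.decode_www_form_component, which would also turn a literal '+' into a space.
  # ";base64" payloads are accepted too (not one of the MR's three steps).
  def self.decode(params, payload)
    bytes = if params.split(';').include?('base64')
              Base64.strict_decode64(payload)
            else
              payload.b.gsub(/%[0-9A-Fa-f]{2}/) { |h| h[1, 2].hex.chr }
            end
    svg = bytes.force_encoding(Encoding::UTF_8)
    raise Error, 'payload is not valid UTF-8' unless svg.valid_encoding?
    raise Error, 'payload is not an <svg> document' unless svg.lstrip.start_with?('<svg', '<?xml')
    svg
  end

  # Step 3: prawn-svg cannot resolve var(--x), so substitute concrete colours.
  # The palette wins; otherwise the CSS fallback is used; a variable with neither
  # is a hard error rather than a silently broken chart.
  def self.resolve_css_vars(svg, palette = SEVERITY_COLORS)
    out = svg.gsub(CSS_VAR) do
      name, fallback = Regexp.last_match(1), Regexp.last_match(2)
      palette.fetch(name) do
        raise Error, "no colour for --#{name} and no fallback" if fallback.nil? || fallback.empty?
        fallback
      end
    end
    # var(--a, var(--b)) leaves var(--a, #rrggbb) after one pass; repeat until stable.
    out == svg ? out : resolve_css_vars(out, palette)
  end

  def self.prepare(data_uri, palette = SEVERITY_COLORS)
    params, payload = unwrap(data_uri)
    resolve_css_vars(decode(params, payload), palette)
  end
end

puts PdfSvgPrep.prepare(PdfSvgPrep::SAMPLE_DATA_URI) if $PROGRAM_NAME == __FILE__
```

Running it on the constructed sample yields a plain SVG with `stroke="#660e00"` and `fill="#ccc"`, which is the form prawn-svg can render. The decoded document is also checked for valid UTF-8 and an `<svg` root before any substitution, so a malformed upload fails in the service rather than inside the PDF renderer.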

The chart key

The frontend is not able to send the key, as it is rendered in HTML. So, we implement a basic key with Prawn's native components.

Important

The web UI uses the chart key to toggle the different severity values in the chart. We haven't yet decided how we want to render "toggled off" values, so for now we are just showing a static key.

References

Screenshots/recordings

Before: Screenshot_from_2025-06-16_21-46-38 / Screencast_from_2025-06-16_21-44-43
After: Screenshot_from_2025-06-16_21-46-31 / Screencast_from_2025-06-16_21-45-48

How to set up and validate locally

Prerequisites:

  • ee-enabled gdk
  • a project with active vulnerabilities (guide)

To avoid waiting for the worker to be scheduled, you can make it run `inline` (for local testing only) with this patch:
1 file changed, 1 insertion(+), 1 deletion(-)
ee/app/services/vulnerability_exports/create_service.rb | 2 +-

modified   ee/app/services/vulnerability_exports/create_service.rb
@@ -27,7 +27,7 @@ def execute
         **create_params
       )
 
-      ::VulnerabilityExports::ExportWorker.perform_async(vulnerability_export.id)
+      ::VulnerabilityExports::ExportWorker.perform_inline(vulnerability_export.id)
 
       if vulnerability_export.persisted?
         ServiceResponse.success(payload: { vulnerability_export: vulnerability_export })
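Review bot: perform_inline here runs the export synchronously inside the web request, so this is only appropriate as the local-testing shortcut described above and must not be committed. Separately, the worker is invoked with vulnerability_export.id before the `if vulnerability_export.persisted?` check that follows, so a failed create would hand the worker a nil id; moving the worker call inside that branch would avoid it.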
  1. Enable the feature flag:
    bundle exec rails runner 'Feature.enable(:vulnerabilities_pdf_export)'
  2. Apply this patch to get the UI:
    curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193023.patch | git apply
  3. Visit a project security dashboard
  4. Click 'export'
  5. Eventually, you should see an email at http://gdk.test:3000/rails/letter_opener/

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


epic: Add PDF export of security reports (&16989 - closed)
Related to: #524056 (closed)

Changelog: added
EE: true

[1] We will investigate in follow-up work whether there are any knobs on the charting library that we can use to receive the SVG in a better state.

[2] prawn-svg cannot render CSS variables.

Edited by Michael Becker
