
Add group vulnerabilities history to the pdf export

What does this MR do and why?

Context

In a previous MR, we added the "vulnerabilities over time" project-level dashboard to the vulnerability PDF report export.

We use the prawn gem to render this PDF report; it provides a DSL for building PDF UI components.

Some additional context:

  1. The entire PDF reporting feature is behind a feature flag (both backend and frontend entry points).
  2. This report is under active development. After the first draft of the three main PDF components is in (this MR is 1/3), design will be putting the PDF under a microscope. There will be "fit and finish" type issues, which are opportunities to iterate on the components.
  3. The PDF components themselves (files under lib/gitlab/pdf/security/*) are disposable. If a new design comes in, writing a new component from scratch is ideal; the prawn code is all UI-and-layout-specific code that is necessarily heavily coupled to the design.

This change

This change is similar to the previous project-level MR, except this is for the group-level dashboard.

The SVG

There is some pre-processing of the SVG required: [1]

  1. remove the SVG from the `data:image/svg+xml;charset=UTF-8, ...` wrapper
  2. URL-decode (percent-decode) the string
  3. replace CSS variables with hard-coded colors [2]
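The three steps above, as an added example that is not the MR's own code: it strips the data URI prefix, percent-decodes the payload, and substitutes every `var(--name)` (honouring a `var(--name, fallback)` fallback where the chart provides one) with a literal colour, since prawn-svg cannot resolve CSS custom properties. The variable names, the colour values and the sample SVG are constructed for the example; it also fails loudly on a variable it cannot resolve, because a silently blank fill would otherwise go unnoticed in the rendered PDF.

```ruby
# Added example (not the MR's code): prepare a chart SVG delivered as a
# percent-encoded data: URI so that prawn-svg can render it.
module ChartSvgPreprocessor
  # The wrapper the frontend hands over; ";charset=..." is optional.
  DATA_URI_PREFIX = /\Adata:image\/svg\+xml(?:;charset=[\w-]+)?,/i

  # var(--name) or var(--name, fallback). Captures: 1 = name, 2 = fallback.
  CSS_VAR = /var\(\s*(--[\w-]+)\s*(?:,\s*([^)]+))?\)/

  # Hypothetical variable-to-colour map; names and values are assumptions
  # made for this example, not the dashboard's real palette.
  DEFAULT_COLORS = {
    "--chart-critical" => "#660e00",
    "--chart-high"     => "#ae1800",
    "--chart-medium"   => "#9e5400",
    "--chart-low"      => "#c17d10",
    "--chart-info"     => "#428fdc",
    "--chart-unknown"  => "#868686"
  }.freeze

  # Constructed sample input in the shape the page describes.
  SAMPLE_DATA_URI =
    "data:image/svg+xml;charset=UTF-8," \
    "%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E" \
    "%3Crect%20fill%3D%22var(--chart-critical)%22%2F%3E" \
    "%3Cpath%20stroke%3D%22var(--unknown%2C%20%23cccccc)%22%2F%3E" \
    "%3C%2Fsvg%3E"

  # Steps 1-3: unwrap, decode, replace variables. Raises if the input is not
  # the expected wrapper or a variable has neither a mapping nor a fallback.
  def self.preprocess(data_uri, colors: DEFAULT_COLORS)
    match = DATA_URI_PREFIX.match(data_uri)
    raise ArgumentError, "expected a percent-encoded image/svg+xml data URI" unless match

    svg = percent_decode(data_uri[match.end(0)..])
    replace_css_variables(svg, colors)
  end

  # Plain RFC 3986 percent-decoding. Deliberately does not treat "+" as a
  # space (that is form encoding, which encodeURIComponent does not use).
  # Decodes on raw bytes so multi-byte UTF-8 sequences are reassembled intact.
  def self.percent_decode(str)
    bytes = str.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
    decoded = bytes.force_encoding(Encoding::UTF_8)
    raise ArgumentError, "decoded SVG is not valid UTF-8" unless decoded.valid_encoding?

    decoded
  end

  # Replace each var() with the mapped colour, else the inline fallback,
  # else fail: an unresolved variable must not reach the renderer silently.
  def self.replace_css_variables(svg, colors)
    svg.gsub(CSS_VAR) do
      name = Regexp.last_match(1)
      fallback = Regexp.last_match(2)
      colors.fetch(name) do
        raise KeyError, "no colour for CSS variable #{name}" if fallback.nil?

        fallback.strip
      end
    end
  end

  # Post-condition a caller can assert before handing the SVG to prawn-svg.
  def self.free_of_css_variables?(svg)
    !svg.match?(CSS_VAR)
  end
end

if $PROGRAM_NAME == __FILE__
  puts ChartSvgPreprocessor.preprocess(ChartSvgPreprocessor::SAMPLE_DATA_URI)
end
```

In the export path this would run between receiving the chart markup from the frontend and calling prawn-svg; `free_of_css_variables?` is the check to run right before rendering.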

References

Screenshots or screen recordings

Before: Screenshot_from_2025-06-16_21-46-38 (screenshot not reproduced here)
After: image (screenshot not reproduced here); Screencast_from_2025-06-18_17-31-31 (screen recording, no "before" counterpart)

How to set up and validate locally

Prerequisites:

  • an EE-enabled GDK
  • a project with active vulnerabilities (guide)

To avoid waiting for the Sidekiq worker to be scheduled, you can make the worker run inline with

this patch
1 file changed, 1 insertion(+), 1 deletion(-)
ee/app/services/vulnerability_exports/create_service.rb | 2 +-

modified   ee/app/services/vulnerability_exports/create_service.rb
@@ -27,7 +27,7 @@ def execute
         **create_params
       )
 
-      ::VulnerabilityExports::ExportWorker.perform_async(vulnerability_export.id)
+      ::VulnerabilityExports::ExportWorker.perform_inline(vulnerability_export.id)
 
       if vulnerability_export.persisted?
         ServiceResponse.success(payload: { vulnerability_export: vulnerability_export })
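Review bot: the worker is invoked before the `if vulnerability_export.persisted?` check, so with `perform_inline` the export now runs synchronously inside `execute` even when the record failed to save, passing a nil id straight into the worker instead of enqueueing a job that would fail later. That is tolerable for a local-testing patch, but it should not be committed (the MR keeps `perform_async`), and in either variant the dispatch belongs after the persistence check, e.g. move the `ExportWorker.perform_async(...)` line inside the `if vulnerability_export.persisted?` branch.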
  1. Enable the feature flag:
    bundle exec rails runner 'Feature.enable(:vulnerabilities_pdf_export)'
  2. The frontend is not merged yet, so apply these patches to get the UI for local testing:
    curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193023.patch | git apply
    curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193157.patch | git apply
  3. Visit a group security dashboard.
  4. Click 'Export'.
  5. Eventually, you should see an email at http://gdk.test:3000/rails/letter_opener/

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


epic: &16989 (closed)
related to: #524057 (closed)

[1] We will investigate in follow-up work whether there are any knobs on the charting library that we can use to receive the SVG in a better state.

[2] prawn-svg cannot render CSS variables.

Edited by Michael Becker
