Add group project security status to the pdf export
What does this MR do and why?
Context
In previous MRs, we added the project vulnerabilities over time and the group vulnerabilities over time components to the (still under development/FF) PDF security report.
We use a couple of gems, prawn and prawn-svg, to render this PDF report. The prawn family of gems provide a DSL for building pdf UI components1.
Note
We so far have put the bulk of the DSL rendering code in the lib/gitlab/pdf/*
This change
For the group-level project grades, we are receiving a json blob from the front-end that captures the current dashboard state in the web UI.2
We then:
- do some pre-munging of the data to make it convenient to work with and validate it has the expected data.
- then construct an SVG string, which has the appearance of a table
- render that SVG to the pdf using
prawn-svg- this svg includes all of the UI except for the project dashboard links
- render the project links on top of the SVG
- this is done to use prawn's
textbox, which has support for wrapping/truncating, links, etc.
- this is done to use prawn's
References
Screenshots or screen recordings
| Before | After |
|---|---|
| todo |  |
| Screencast_from_2025-06-24_22-59-29 | Screencast_from_2025-06-26_19-27-47 |
How to set up and validate locally
prerequisites:
- ee-enabled gdk
- a project with active vulnerabilities (guide)
To save time having to wait for the worker to get scheduled, you can change the worker to run `inline` with
this patch
1 file changed, 1 insertion(+), 1 deletion(-)
ee/app/services/vulnerability_exports/create_service.rb | 2 +-
modified ee/app/services/vulnerability_exports/create_service.rb
@@ -27,7 +27,7 @@ def execute
**create_params
)
- ::VulnerabilityExports::ExportWorker.perform_async(vulnerability_export.id)
+ ::VulnerabilityExports::ExportWorker.perform_inline(vulnerability_export.id)
if vulnerability_export.persisted?
ServiceResponse.success(payload: { vulnerability_export: vulnerability_export })- Enable the feature flag
bundle exec rails runner 'Feature.enable(:vulnerabilities_pdf_export)' - If The frontend is not merged yet (!194781 (merged)), you can apply these patches to get the UI for local testing
curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194781.patch | git apply - visit a group security dashboard
- click 'export'
- eventually, you should see an email at http://gdk.test:3000/rails/letter_opener/
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
epic: &16989 (closed)
related to: #538851 (closed)
-
There is also the
prawn-tablegem, which is an official gem of the Prawn project. That gem was not added due to issues discussed in this MR thread. ↩ -
There is some unused data in this json blob, which could be trimmed in future front-end MRs to reduce payload size ↩