Backend - Expose malware package status in APIs
## TL;DR

Add a `malware` field to vulnerability and dependency API responses so the frontend can display malware badges.

## Background

The backend architecture for storing malicious package data is still being finalized. See:

- [&20538 - Ingest malicious advisories in PMDB](https://gitlab.com/groups/gitlab-org/-/epics/20538)
- [Architecture spike](https://gitlab.com/gitlab-org/gitlab/-/issues/583911)

This issue outlines the **API requirements** that the frontend needs. Implementation details should be refined by the backend engineer once the data storage approach is decided.

## API Requirements

### GraphQL (Required)

| Type | Field | Return Type | Description |
|------|-------|-------------|-------------|
| `VulnerabilityType` | `malware` | `Boolean` (nullable) | Malware status (see values below) |
| `DependencyType` | `malware` | `Boolean` (nullable) | Malware status (see values below) |

#### Schema Changes

```graphql
# VulnerabilityType - used for both Group and Project Reports
type Vulnerability {
  # ... existing fields ...

  """
  Indicates whether the vulnerability is associated with a malware package.
  Returns `null` if the feature is not available.
  """
  malware: Boolean
}

# DependencyInterface (applies to both Dependency and DependencyAggregation types)
interface DependencyInterface {
  # ... existing fields ...

  """
  Indicates whether the dependency is malware.
  Returns `null` if the feature is not available.
  """
  malware: Boolean
}
```

### Field Values (License Gating)

The `malware` field is **nullable** to support license gating:

| Value | Meaning |
|-------|---------|
| `true` | Malware package detected |
| `false` | Not a malware package |
| `null` | Feature not available (SSCS add-on not active) |

This allows the frontend to distinguish between "not malware" and "feature not available" and show the appropriate messaging or upsell. Because `null` and `false` carry different meanings, clients must test for `null` explicitly rather than treating the field as a plain truthy/falsy value, and the backend must always emit the key (as `null`) when the feature is unlicensed rather than omitting it.

### REST - Dependencies (Conditional)

| Endpoint | Field | Required? |
|----------|-------|-----------|
| `GET {groupNamespace}/-/dependencies.json` | `malware` | **Conditional** - see migration note below |

### GraphQL Migration Note

- **Project-level dependencies:** Fully migrated to GraphQL. No REST API changes needed.
- **Group-level dependencies:** Migration is WIP (&17254). If the migration has not completed when this work is picked up, **both the GraphQL and REST APIs will need to be updated**.

## Acceptance Criteria

- [ ] GraphQL `VulnerabilityType.malware` field available
- [ ] GraphQL `DependencyType.malware` field available (project + group)
- [ ] REST `GET /api/v4/groups/:id/dependencies` includes the `malware` field (if group-level migration is not complete)
- [ ] Field correctly identifies malware based on identifiers (CWE-506 and/or malware prefix - see context below)

## Context

### Malware Identification (PENDING DECISION)

Malware can be identified by:

- **CWE-506** (Embedded Malicious Code) - always present for malware
- **Malware identifier prefix** - `GLAM-*`

The implementation should be flexible enough to accommodate the final identifier format decision.

## Estimate

`/estimate [BE estimate pending]`

## Dependencies

- Scope depends on: &17254
- Blocks: [Frontend - Display badges on Dependency Lists](https://gitlab.com/gitlab-org/gitlab/-/issues/587653), [Frontend - Display badges on Vulnerability Reports](https://gitlab.com/gitlab-org/gitlab/-/issues/587654), [Frontend - Customize Vulnerability Details page](https://gitlab.com/gitlab-org/gitlab/-/issues/587655)
- Parent: [Display Malicious Package Information](https://gitlab.com/groups/gitlab-org/-/epics/20572)
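The following is an added worked example, not GitLab's code, modelling the three-state `malware` field from the "Field Values" section together with the identifier-based detection from "Malware Identification". `Identifier`, `MalwareStatus`, and the `feature_available:` flag are assumptions standing in for the real models and the license check; the sample identifiers at the bottom are constructed.

```ruby
require 'json'

# Added example, not GitLab code. `Identifier`, `MalwareStatus` and the
# `feature_available:` flag are assumptions standing in for the real
# vulnerability/dependency models and the SSCS license check.

# Stand-in for a finding identifier: an external type ("cwe", "glam", "cve")
# plus its external id, as typically carried on vulnerability/dependency data.
Identifier = Struct.new(:external_type, :external_id, keyword_init: true)

module MalwareStatus
  # CWE-506 "Embedded Malicious Code" is always present for malware.
  MALWARE_CWE_NUMBER = '506'
  # Proposed malware advisory prefix; the final identifier format is pending.
  MALWARE_PREFIX = 'GLAM-'

  # CWE match tolerates both "506" and "CWE-506" spellings, case-insensitively.
  def self.cwe_506?(id)
    return false unless id.external_type.to_s.casecmp?('cwe')

    id.external_id.to_s.strip.sub(/\ACWE-/i, '') == MALWARE_CWE_NUMBER
  end

  # Prefix check only, so a change in the suffix format does not break detection.
  def self.glam?(id)
    id.external_id.to_s.strip.upcase.start_with?(MALWARE_PREFIX)
  end

  # true if any identifier marks the finding as malware (CWE-506 and/or GLAM-*).
  def self.malware_identifier?(identifiers)
    identifiers.any? { |id| cwe_506?(id) || glam?(id) }
  end

  # Resolver-style value for the GraphQL/REST field:
  #   nil   -> feature not available (SSCS add-on not active)
  #   true  -> malware package detected
  #   false -> not a malware package
  def self.resolve(identifiers, feature_available:)
    return nil unless feature_available

    malware_identifier?(identifiers)
  end

  # Serialized response fragment: the key is always present, and nil becomes
  # JSON null rather than being dropped or coerced to false.
  def self.payload(gid, identifiers, feature_available:)
    {
      'id' => gid,
      'malware' => resolve(identifiers, feature_available: feature_available)
    }.to_json
  end

  # Consumer-side mapping showing why the field must be three-valued: a client
  # that tested `if malware` would collapse :unavailable into :clean.
  def self.badge_for(value)
    case value
    when true then :malware
    when false then :clean
    when nil then :unavailable
    else raise ArgumentError, "unexpected malware value: #{value.inspect}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample identifiers for demonstration.
  ids = [Identifier.new(external_type: 'cwe', external_id: 'CWE-506'),
         Identifier.new(external_type: 'glam', external_id: 'GLAM-2025-0001')]
  puts MalwareStatus.payload('gid://example/1', ids, feature_available: true)  # licensed
  puts MalwareStatus.payload('gid://example/1', ids, feature_available: false) # unlicensed
end
```

The license check is deliberately the first thing `resolve` does: when the add-on is inactive the identifiers are never consulted, so an unlicensed response cannot leak detection results through a `false` that really means "not checked".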