Frontend - Customize Vulnerability Details page
## TL;DR
Hide irrelevant fields (Solution, CVSS, EPSS, KEV) and ensure malware-specific fields display correctly on the Vulnerability Details page.
## Acceptance Criteria
### Fields to HIDE for malware vulnerabilities
- [x] **Solution field**: Hidden (legal liability concern - we cannot advise remediation)
- [x] **CVSS score section**: Hidden (not applicable to malware)
- [x] **EPSS score section**: Hidden (not applicable to malware)
- [x] **KEV status**: Hidden (not applicable to malware)
### Fields to SHOW for malware vulnerabilities
- [ ] **Name**: Format `Malware in <package name>` (from GLAD data)
- [ ] **Reachability**: Show "In use" or "Not available" status
- [ ] **Location**: Display file path where malicious package was detected
- [ ] **Evidence section**: Display "Malicious package: \<package_name\>"
- [ ] **CWE-506 identifier**: Displayed and links to MITRE (https://cwe.mitre.org/data/definitions/506.html)
- [ ] **Malware identifier**: Displayed and links to GitLab Advisory Database (format TBD - see note below)
- [ ] **Links section**: GitLab Advisory DB, GitHub Advisory DB, any other GLAD-provided links
### General
- [x] Behind feature flag `malicious_package_badges`
- [ ] All existing fields continue to work for CVE vulnerabilities
## Context
### Identifier Format (PENDING DECISION)
Per discussion in [&20538](https://gitlab.com/groups/gitlab-org/-/epics/20538):
- `MAL-*` identifiers are owned by OpenSSF - GitLab cannot use
- Proposed format: `GLAM-*` or similar
- **Implementation should handle whatever prefix is decided**
The identifier linking logic should be flexible to accommodate the final decision.
## Implementation Details
### GraphQL Field Availability
The `isMalicious` field may not be available on all GitLab instances immediately. Use the `@gl_introduced` directive for graceful degradation:
```graphql
isMalicious @gl_introduced
```
**Notes:**
- Executable directives don't support arguments
- For fragments, use the directive in the fragment nodes
See [GraphQL style guide - Mitigation](https://docs.gitlab.com/development/api_graphql_styleguide/#mitigation).
### Files to Modify
- `ee/app/assets/javascripts/vulnerabilities/components/vulnerability.vue` - Main details component
- `ee/app/assets/javascripts/vulnerabilities/components/solution.vue` - Add conditional for malware
- `ee/app/assets/javascripts/vulnerabilities/components/severity.vue` - Hide CVSS for malware
- `ee/app/assets/javascripts/vulnerabilities/components/identifiers.vue` - Ensure malware identifier links work
- `ee/app/assets/javascripts/vulnerabilities/graphql/vulnerability.query.graphql` - Ensure `isMalicious` included
### Implementation Approach
1. **Add computed properties** to check `vulnerability.isMalicious` for conditional rendering
2. **Hide enrichment data** (CVSS/EPSS/KEV) when `isMalicious` is true
3. **Hide solution section** when `isMalicious` is true
4. **Update identifier linking** to handle malware identifier patterns and link to appropriate URLs:
   - CWE-506 → MITRE CWE database
   - GLAD-MAL-* → GitLab Advisory Database malware section
5. **Ensure reachability, location, and evidence** sections display for malware vulnerabilities
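As an added example (not code from the GitLab repository), here is the conditional-rendering and identifier-linking logic from the steps above written as plain JavaScript helpers that a Vue component could expose as computed properties, with the malware identifier prefix kept configurable until the decision in &20538 lands. Only the MITRE CWE URL comes from this issue; `ADVISORY_DB_BASE_PLACEHOLDER`, the default `PLACEHOLDER-MAL` prefix and the sample identifiers are constructed placeholders.

```javascript
// Added example, not GitLab's code. Pure-JS helpers mirroring the computed
// properties described in the issue; URLs other than MITRE's are placeholders.

const MITRE_CWE_BASE = 'https://cwe.mitre.org/data/definitions/';
// Placeholder: the real GitLab Advisory Database malware URL is not yet decided.
const ADVISORY_DB_BASE_PLACEHOLDER = 'https://example.invalid/advisory-db/malware/';

// Sections carrying enrichment data or remediation advice; hidden for malware.
const HIDDEN_FOR_MALWARE = new Set(['solution', 'cvss', 'epss', 'kev']);

// A missing `isMalicious` field (instance without the backend change yet, cf. the
// @gl_introduced directive) is treated as "not malware", so CVE rendering is unchanged.
function isMalwareVulnerability(vulnerability) {
  return vulnerability?.isMalicious === true;
}

function shouldShowSection(vulnerability, section) {
  if (!isMalwareVulnerability(vulnerability)) return true; // CVE path: show everything
  return !HIDDEN_FOR_MALWARE.has(section);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Builds the link target for one identifier. `malwarePrefix` is the undecided prefix
// (MAL-* belongs to OpenSSF, GLAM-* was proposed); the default is a deliberate placeholder.
function identifierUrl(identifier, { malwarePrefix = 'PLACEHOLDER-MAL' } = {}) {
  const { externalType, externalId } = identifier;
  // CWE identifiers: the numeric part indexes MITRE's pages (CWE-506 -> .../506.html).
  if (externalType?.toLowerCase() === 'cwe') {
    const match = /^CWE-(\d+)$/i.exec(externalId);
    return match ? `${MITRE_CWE_BASE}${match[1]}.html` : null;
  }
  // Malware identifiers: only the configured prefix matches, so a prefix change is
  // a configuration change rather than a code change.
  const malwarePattern = new RegExp(`^${escapeRegExp(malwarePrefix)}-[A-Za-z0-9-]+$`);
  if (malwarePattern.test(externalId)) {
    return `${ADVISORY_DB_BASE_PLACEHOLDER}${encodeURIComponent(externalId)}`;
  }
  // Anything else (CVE, GHSA, ...) keeps whatever link GLAD supplied.
  return identifier.url ?? null;
}

// Constructed sample: a malware finding with the proposed GLAM prefix.
const sampleMalware = { isMalicious: true, identifiers: [
  { externalType: 'cwe', externalId: 'CWE-506' },
  { externalType: 'malware', externalId: 'GLAM-0001' },
] };
console.log(shouldShowSection(sampleMalware, 'solution'),
  sampleMalware.identifiers.map((id) => identifierUrl(id, { malwarePrefix: 'GLAM' })));
```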
## Testing Approach
- [ ] Component tests: Solution hidden when `isMalicious: true`
- [ ] Component tests: CVSS/EPSS/KEV hidden when `isMalicious: true`
- [ ] Component tests: All fields shown for CVE vulnerabilities
- [ ] Component tests: CWE-506 links to correct MITRE URL
- [ ] Component tests: Malware identifier links to GitLab Advisory DB
- [ ] Snapshot tests comparing malware vs CVE rendering
- [ ] Tests should be flexible for identifier prefix changes
## Estimate
`/estimate 3d`
## Dependencies
- Blocked by: [Backend - Expose malware status in APIs](https://gitlab.com/gitlab-org/gitlab/-/issues/587647)
- Blocked by: Identifier prefix decision in [&20538](https://gitlab.com/groups/gitlab-org/-/epics/20538)
- Parent: [Display Malicious Package Information](https://gitlab.com/groups/gitlab-org/-/epics/20572)