Backend - Add filtering support to Dependency APIs
## TL;DR
Add `malware` filter parameter to dependency APIs so users can filter dependency lists by malware status.
## Background
The backend architecture for storing malware package data is still being finalized. See:
- [&20538 - Ingest malicious advisories in PMDB](https://gitlab.com/groups/gitlab-org/-/epics/20538)
- [Architecture spike](https://gitlab.com/gitlab-org/gitlab/-/issues/583911)
This issue outlines the **API requirements** that the frontend needs. Implementation details should be refined by the backend engineer once the data storage approach is decided.
## API Requirements
### GraphQL (Required)
```graphql
# Project-level
query {
  project(fullPath: "...") {
    dependencies(malware: true) { # NEW PARAMETER
      nodes { ... }
    }
  }
}

# Group-level
query {
  group(fullPath: "...") {
    dependencies(malware: true) { # NEW PARAMETER
      nodes { ... }
    }
  }
}
```
### REST (Conditional)
| Endpoint | Required? |
|----------|-----------|
| `GET /api/v4/projects/:id/dependencies` | **No** - fully migrated to GraphQL |
| `GET /api/v4/groups/:id/dependencies?malware=true` | **Conditional** - see migration note below |
### GraphQL Migration Note
- **Project-level dependencies:** Fully migrated to GraphQL. No REST API changes needed.
- **Group-level dependencies:** Migration is WIP ([&17254](https://gitlab.com/groups/gitlab-org/-/work_items/17254)). If migration has not completed when this work is picked up, **both GraphQL and REST APIs will need the filter parameter**.
### Filter Behavior
| Parameter Value | Expected Result |
|-----------------|-----------------|
| `true` | Returns only malware dependencies |
| `false` | Returns only non-malware dependencies |
| `null`/omitted | Returns all dependencies (current behavior) |
The filter must work in combination with existing filters (license, package manager, etc.).
### License Gating
When the SSCS add-on is not active, the filter parameter should be ignored or return an empty result (TBD). The `malware` field on returned items will be `null` to indicate the feature is not available (see [Backend - Expose malware status in APIs](https://gitlab.com/gitlab-org/gitlab/-/issues/587647)).
## Acceptance Criteria
- [ ] GraphQL `project.dependencies` accepts `malware: Boolean` argument
- [ ] GraphQL `group.dependencies` accepts `malware: Boolean` argument
- [ ] REST group endpoint accepts `malware` param (if not migrated to GraphQL)
- [ ] Filter correctly identifies malware based on identifiers
- [ ] Filter combines with existing filters
## Context
### Malware Identification
Malware can be identified by:
- **CWE-506** (Embedded Malicious Code) - always present for malware
- **Malware identifier prefix** - format: `GLAM-*`
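The following is an added, self-contained Ruby sketch of the behaviour specified above (the tri-state filter, its combination with an existing filter, the two license-gating options that are still TBD, and identification via CWE-506 or the `GLAM-` prefix). It is not GitLab code: the `Dependency` struct, `filter_dependencies`, `malware?`, `malware_status`, the `gating:` option and every identifier string are constructed for illustration only.

```ruby
# Added example, not part of the GitLab code base. Models the `malware`
# filter described in this issue over an in-memory list of dependencies.
# The struct shape and all identifier strings are constructed sample data.

Dependency = Struct.new(:name, :package_manager, :identifiers, keyword_init: true)

MALWARE_CWE = 'CWE-506'                 # always present for malware
MALWARE_IDENTIFIER_PREFIX = 'GLAM-'     # prefix decision still pending in &20538

# Constructed sample data: identifiers are placeholders, not real advisories.
SAMPLE_DEPENDENCIES = [
  Dependency.new(name: 'left-pad',  package_manager: 'npm', identifiers: ['CVE-EXAMPLE-1']),
  Dependency.new(name: 'evil-pkg',  package_manager: 'npm', identifiers: ['CWE-506', 'GLAM-EXAMPLE-1']),
  Dependency.new(name: 'requests',  package_manager: 'pip', identifiers: []),
  Dependency.new(name: 'typosquat', package_manager: 'pip', identifiers: ['GLAM-EXAMPLE-2'])
].freeze

# Detection logic shared by the filter and by the exposed `malware` field:
# a dependency is malware when any identifier is CWE-506 or carries the prefix.
def malware?(dependency)
  dependency.identifiers.any? do |id|
    id == MALWARE_CWE || id.start_with?(MALWARE_IDENTIFIER_PREFIX)
  end
end

# Value of the `malware` field on a returned item: true/false when the SSCS
# add-on is active, nil when it is not (feature unavailable).
def malware_status(dependency, sscs_enabled: true)
  return nil unless sscs_enabled

  malware?(dependency)
end

# Mirrors the Filter Behavior table:
#   malware: true  -> malware dependencies only
#   malware: false -> non-malware dependencies only
#   malware: nil   -> all dependencies (current behaviour)
# `package_manager:` stands in for an existing filter the new one must compose with.
# `gating:` models the two TBD options when the add-on is inactive:
#   :ignore -> the parameter is ignored, :empty -> an empty result is returned.
def filter_dependencies(dependencies, malware: nil, package_manager: nil,
                        sscs_enabled: true, gating: :ignore)
  result = dependencies
  # Existing filters are applied first; the malware filter narrows their result.
  result = result.select { |d| d.package_manager == package_manager } if package_manager
  return result if malware.nil?

  unless sscs_enabled
    return gating == :empty ? [] : result
  end

  result.select { |d| malware?(d) == malware }
end

# Convenience wrapper used below to show the results by name.
def filtered_names(**opts)
  filter_dependencies(SAMPLE_DEPENDENCIES, **opts).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  p filtered_names(malware: true)                                 # malware only
  p filtered_names(malware: false)                                # non-malware only
  p filtered_names                                                # all
  p filtered_names(malware: true, package_manager: 'npm')         # combined filter
  p filtered_names(malware: true, sscs_enabled: false)            # gated: ignored
  p filtered_names(malware: true, sscs_enabled: false, gating: :empty) # gated: empty
end
```

The point worth keeping when this is implemented against the real store is that `malware?` is the single place that knows what "malware" means; the filter scope and the exposed field should share it so the two cannot drift apart.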
## Estimate
`/estimate [BE to provide]`
## Dependencies
- Blocked by: Identifier prefix decision in [&20538](https://gitlab.com/groups/gitlab-org/-/epics/20538)
- Should coordinate with: [Backend - Expose malware status in APIs](https://gitlab.com/gitlab-org/gitlab/-/issues/587647) (share malware detection logic)
- Blocks: [Frontend - Add filter token to Dependency Lists](https://gitlab.com/gitlab-org/gitlab/-/issues/587762)
- Parent: [Malicious Package Status Filters](https://gitlab.com/groups/gitlab-org/-/epics/20573)