# Display Malicious Package Information
## TL;DR
Expose malware status in APIs, display badges on Dependency Lists and Vulnerability Reports, and customize the Vulnerability Details page to show malware-appropriate information.
## Scope
### In Scope
- Backend API exposure of `isMalicious` fields
- Export support for malware status in dependency list exports
- "Malicious" badge on Dependency List components
- "Malicious" badge on Vulnerability Report rows
- Conditional field visibility on Vulnerability Details page
- Rename "Vulnerabilities" column to "Risk" in Dependency List
### Out of Scope
- Filtering (covered in [Malicious Package Status Filters](https://gitlab.com/groups/gitlab-org/-/epics/20573))
- License gating (covered in [Gate Malicious Packages Behind SSCS Add-on](https://gitlab.com/groups/gitlab-org/-/epics/20574))
## Phase
* **Epic Phase:** Phase 1 - Display Malicious Package Information
* **Parent Epic:** Malicious Package UI Representation and Filters
## Problem Statement
Users cannot visually distinguish malicious packages from regular CVE vulnerabilities. The Vulnerability Details page shows irrelevant fields (CVSS, EPSS, KEV, Solution) for malware findings that don't have this data.
## Proposed Approach
1. Backend exposes `isMalicious` computed field on API responses
2. Frontend consumes field and conditionally renders badges
3. Details page uses field to hide/show appropriate sections
## Feature Flag
- [x] Required
- **Flag name:** `malicious_package_badges`
- **Default state:** Disabled
- **Rollout plan:** Enable for specific projects -> percentage rollout -> GA
## Success Criteria
- [ ] APIs expose `isMalicious` boolean fields
- [ ] Dependency list export includes malware status
- [ ] Malicious dependencies show red badge in Dependency List
- [ ] Malicious vulnerabilities show badge in Vulnerability Report
- [ ] Details page hides Solution/CVSS/EPSS/KEV for malware
- [ ] Details page shows Reachability, Location, Evidence for malware
- [ ] Details page shows CWE-506 and MAL-* identifiers with correct links
- [ ] Column header updated to "Risk"
## Timeline
`/estimate TBD (BE estimates pending)`
## Dependencies
- Blocked by: [&20538 - Ingest malicious advisories in PMDB](https://gitlab.com/groups/gitlab-org/-/epics/20538) (malware data must be available)
- Blocks: [Malicious Package Status Filters](https://gitlab.com/groups/gitlab-org/-/epics/20573) (badges should exist before filters)
## Tasks
- [ ] [Backend - Expose malware status in APIs](https://gitlab.com/gitlab-org/gitlab/-/issues/587647)
- [ ] [Backend - Include malware status in dependency exports](https://gitlab.com/gitlab-org/gitlab/-/issues/587842)
- [ ] [Frontend - Display badges on Dependency Lists](https://gitlab.com/gitlab-org/gitlab/-/issues/587653)
- [ ] [Frontend - Display badges on Vulnerability Reports](https://gitlab.com/gitlab-org/gitlab/-/issues/587654)
- [ ] [Frontend - Customize Vulnerability Details page](https://gitlab.com/gitlab-org/gitlab/-/issues/587655)
- [ ] [Frontend - Rename column to "Risk"](https://gitlab.com/gitlab-org/gitlab/-/issues/587656)
## Implementation Notes
_Keep this updated as work progresses._
## Resources
- Design: https://gitlab.com/gitlab-org/gitlab/-/issues/551225