FE: Create "Container registry vulnerabilities" tab
Why are we doing this work
- users want the vulnerabilities found from continuous container registry scanning to be separated into their own tab
Relevant links
Non-functional requirements
- Documentation:
- Testing:
Implementation plan
- Add behind feature flag CS_FOR_REGISTRY
- If using the @skip or @include directive, then the resolver must exist in the backend FIRST, but feature-flagged so that it returns undefined or null when the flag is off.
- Otherwise the client-side feature flag uses two versions of the query conditionally.
- frontend: add a new "Container registry vulnerabilities" tab to the vulnerability_report_tabs for the project and group level
- frontend: do request the continuous container registry vulnerability scan on the "Container registry vulnerabilities" tab
- frontend: do not request the continuous container registry vulnerability scan for other tabs
- frontend: ensure the new tab does not show up on the security center
- frontend: ensure the new tab does show up at project/group level
- frontend: show the image, severity, and status filters
- frontend: show the "Image and tag" column
Implementation Details
- Make changes as described in POC !145758 (fc6d9ed9)
- Add unit tests

Backend needs
- Look at !145758 (fc6d9ed9)
- Need to add a new image_and_tag key or something similar for the new table column
- Need to add a new report type to https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/assets/javascripts/security_dashboard/store/constants.js?ref_type=heads#L23-31. I can add the type, I just need to know the new report type classification as that is what filters the content in the tabs.
- NO-OP resolvers must exist for the fields we are requesting (image_and_tag) behind the feature flag if I am to use the @include / @skip directives, otherwise a JavaScript exception will occur.
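The directive point above, and the same one in the implementation plan, modelled as an added example (not GitLab's code): a tiny GraphQL-style executor validates the whole selection set before it looks at any @include/@skip variable, so a gated field that the backend does not define is rejected even with the flag off, while a field backed by a NO-OP resolver returning null is fine. The field name imageAndTag, the variable csForRegistryEnabled, the schema shape and the sample values are assumptions for illustration.

```javascript
// Added example, not GitLab's code: why a field under @include/@skip must
// already exist in the backend schema even when the flag is off. Field names,
// the schema shape and the flag name are assumptions for illustration.

// Parse a simplified selection set: one field per line, optional
// "@include(if: $var)" or "@skip(if: $var)" directive.
function parseSelection(text) {
  return text.trim().split('\n').map((line) => {
    const m = line.trim().match(/^(\w+)(?:\s+@(include|skip)\(if:\s*\$(\w+)\))?$/);
    if (!m) throw new Error(`cannot parse selection line: ${line}`);
    return { field: m[1], directive: m[2] || null, variable: m[3] || null };
  });
}

// Validation covers the whole document before any directive is evaluated,
// so an unknown field is rejected no matter what the flag variable holds.
function executeSelection(schema, selection, variables) {
  const unknown = selection.find((s) => !(s.field in schema));
  if (unknown) throw new Error(`Cannot query field "${unknown.field}"`);
  const result = {};
  for (const s of selection) {
    if (s.directive === 'include' && !variables[s.variable]) continue;
    if (s.directive === 'skip' && variables[s.variable]) continue;
    result[s.field] = schema[s.field](); // call the field's resolver
  }
  return result;
}

// Constructed sample: what the new tab would request, gated on the flag.
const TAB_SELECTION = parseSelection(`
  id
  severity
  imageAndTag @include(if: $csForRegistryEnabled)
`);
// The alternative from the plan: a second query with no gated field at all.
const LEGACY_SELECTION = parseSelection('id\nseverity');

// Backend A: the field was never added, so the query fails even flag-off.
const schemaWithoutField = { id: () => 1, severity: () => 'HIGH' };
// Backend B: field exists; its NO-OP resolver returns null while the
// backend flag is off and real (constructed) data once it is on.
function schemaWithNoopResolver(backendFlagOn) {
  return { ...schemaWithoutField, imageAndTag: () => (backendFlagOn ? 'registry/app:1.2.3' : null) };
}

// Returns the resolved data, or { error } when the query is rejected.
function runScenario(schema, selection, clientFlagOn) {
  try { return executeSelection(schema, selection, { csForRegistryEnabled: clientFlagOn }); }
  catch (e) { return { error: e.message }; }
}
```

Backend A rejects the gated query even when the client flag is off, which is the JavaScript exception the note above refers to; Backend B resolves it cleanly, and the legacy two-query fallback works against either backend.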
Weight Reasoning
- POC saved us some time, BUT need to add a good amount of unit tests for project level and group level.
- Still need to handle feature flag logic, depending on whether the backend gets feature-flagged resolvers implemented first, or whether I will need to work around that by implementing 2 queries client side. 2 query versions increase complexity.
Verification steps
- Upload a GitLab Ultimate license
- Navigate to a project => Security & Compliance => Vulnerability Report => Container registry vulnerabilities tab
- Ingest an SBOM report with metadata.tools set as a registry event, as part of [CS For Registry] Set SBOM occurrence source to... (#443634 - closed)
- Verify that DB records are created as per the requirements.
- Run advisory scanner and report parser.
- Verify that the vulnerabilities are created with report_type: CONTAINER_SCANNING_FOR_REGISTRY
- Verify that the group and project GraphQL endpoints return these vulnerabilities when applying the filter for report_type: CONTAINER_SCANNING_FOR_REGISTRY.