Show Vulnerability Dashboard when we have user uploaded SBOM or Dependency Scanning/Container Scanning Job and No Security Reports.
Surfacing the last pipeline that generated CVS happened in #418326 (closed)
Dependency Scanning and License scanning are shifting from generating security reports to generating SBOMs that are ingested.
SBOMs are now being generated from a security scanning job like Dependency scanning. Users can define custom non-security report jobs that upload sboms. As a result sbom artifacts can exist without an official "Security Reports" job.
## Problem
Without the security reports job, the Vuln Dashboard page shows an empty state since it relies on the assumption that security reports exist.
Right now we show SBOM pipeline status for pipelines generated from Dependency Scanning jobs. However, there are two scenarios not covered: a user defines a custom job and uploads their own SBOM, or Dependency Scanning no longer generates Security Reports and no other Security Report jobs exist. In both cases the dashboard falls back to the empty state.
If a user doesn't have at least one security report job in their pipeline, the Vulnerability Dashboard renders an empty state so all the UI is hidden.
This occurs when:
- User has 0 security jobs of any kind in their pipeline (Soon Dependency Scanning/Container Scanning will stop generating security reports)
- User uploads SBOM manually through a custom job.
## Solution
- Update the UI logic to gracefully render the security reports page when no Security Report jobs exist in a pipeline.
## Rough draft implementation plan
- Update `isReportConfigured()` so that an SBOM-generating pipeline also counts as a configured report:

```javascript
isReportConfigured() {
  // A report is configured when either a pipeline generated a security report, or when
  // vulnerabilities are added through the new vulnerability page or API. There are 3 cases:
  // 1. No vulnerabilities exist and no pipeline has ever generated a security report. The
  //    report is not configured.
  // 2. Vulnerabilities were added through the new vulnerability page or the API. Whether a
  //    pipeline was run does not matter, the report is configured.
  // 3. A pipeline was run that outputted a security report (or an SBOM). Whether vulnerabilities
  //    exist does not matter, the report is configured.
  return Boolean(this.pipeline.id) || Boolean(this.sbomPipeline.id) || this.hasVulnerabilities;
},
```

- Update and verify that the template renders OK when only an SBOM exists and there is no pipeline ID. Since there are two ORs, every combination of states between having a Pipeline, an SBOM, and Vulns needs to be verified to render correctly.
- The estimate accounts for testing all the state combinations, and for tweaking the template and styles so each possible UI state renders correctly.
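The state-combination check described above, as an added example (not GitLab's code): the proposed `isReportConfigured()` logic is lifted into a plain function so all 2^3 combinations of pipeline / SBOM pipeline / vulnerabilities can be enumerated. The input shape (`{ pipeline, sbomPipeline, hasVulnerabilities }`) and the ids are constructed assumptions; one deliberate deviation is optional chaining on `sbomPipeline`, since a project that never had an SBOM-producing job may carry no SBOM pipeline object at all and `this.sbomPipeline.id` would throw there rather than fall through to the empty state.

```javascript
// Added example, not part of the GitLab codebase. Mirrors the proposed
// isReportConfigured() computed property as a pure function.
function isReportConfigured({ pipeline, sbomPipeline, hasVulnerabilities }) {
  // Optional chaining is an assumption added here: it guards the case where the
  // SBOM pipeline (or security pipeline) object is absent entirely, which
  // `this.sbomPipeline.id` would otherwise throw on instead of returning false.
  return (
    Boolean(pipeline?.id) ||
    Boolean(sbomPipeline?.id) ||
    Boolean(hasVulnerabilities)
  );
}

// Enumerate every combination of the three inputs and record whether the
// dashboard should render (configured === true) or show the empty state.
function stateMatrix() {
  const rows = [];
  for (const hasPipeline of [false, true]) {
    for (const hasSbom of [false, true]) {
      for (const hasVulnerabilities of [false, true]) {
        const configured = isReportConfigured({
          pipeline: hasPipeline ? { id: 101 } : {}, // constructed ids
          sbomPipeline: hasSbom ? { id: 202 } : null, // null = no SBOM job ever ran
          hasVulnerabilities,
        });
        rows.push({ hasPipeline, hasSbom, hasVulnerabilities, configured });
      }
    }
  }
  return rows;
}

// The only combination that should still render the empty state is
// "no security pipeline, no SBOM pipeline, no vulnerabilities".
function emptyStateRows() {
  return stateMatrix().filter((row) => !row.configured);
}

// Print the matrix as a quick visual check when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(stateMatrix());
}
```

The SBOM-only row (`hasPipeline: false, hasSbom: true, hasVulnerabilities: false`) is the case this issue is about; it must come back `configured: true`, and the matrix makes it easy to turn each row into a template rendering test.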