
[gitlab-org/gitlab] Group vulnerabilities by top-level direct dependency in vulnerability reports

### ROOT CAUSE

The current vulnerability report displays vulnerabilities in a flat list, without grouping them by their top-level direct dependency. This makes it difficult for developers to understand which direct dependencies are causing vulnerabilities and how updating a single parent package could resolve multiple downstream vulnerabilities. The lack of grouping obscures potential optimizations for dependency updates.

### CODE FIX

To address this, we need to modify the backend API to return vulnerabilities grouped by their top-level direct dependency. Here's the implementation:

1. **Backend Change**: Update the `/api/v4/projects/{project_id}/security/dependents_vulnerabilities` endpoint to return a grouped structure.

```python
# Example backend code (pseudo-code for illustration)
from collections import defaultdict


def fetch_vulnerabilities(project_id):
    """Stand-in for the existing lookup, which returns a flat list of
    vulnerability dicts, each carrying a 'dependency_name' key."""
    raise NotImplementedError("wire this to the existing flat-list query")


def get_grouped_vulnerabilities(project_id):
    vulnerabilities = fetch_vulnerabilities(project_id)  # Existing endpoint returns a list
    grouped = defaultdict(list)
    for vuln in vulnerabilities:
        # Key each vulnerability by the direct dependency that introduces it
        grouped[vuln["dependency_name"]].append(vuln)
    return {"grouped_vulnerabilities": dict(grouped)}
```

2. **Frontend Change**: Update the frontend to consume the grouped data and display it in the UI.

```javascript
// Example frontend code (pseudo-code for illustration)
function fetchGroupedVulnerabilities(projectId) {
  return fetch(`/api/v4/projects/${encodeURIComponent(projectId)}/security/dependents_vulnerabilities`)
    .then(response => response.json())
    .then(data => {
      const grouped = data.grouped_vulnerabilities;
      const report = document.getElementById('vulnerability-report');
      // Render each dependency as a section with its vulnerabilities
      Object.keys(grouped).forEach(dep => {
        const section = document.createElement('div');
        // Dependency names come from package metadata, so set them as text
        // rather than markup: a crafted name must not inject HTML into the report
        const heading = document.createElement('h2');
        heading.textContent = dep;
        section.appendChild(heading);
        grouped[dep].forEach(vuln => {
          const vulnEl = document.createElement('div');
          vulnEl.textContent = vuln.title;
          section.appendChild(vulnEl);
        });
        report.appendChild(section);
      });
    });
}
```

This change groups vulnerabilities by their direct dependency, allowing developers to see all vulnerabilities associated with a single dependency and understand the impact of updating it.
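The grouping above keys on a flat `dependency_name`, which only works when every finding sits in a direct dependency. In practice most findings are in transitive packages, and what the report needs is the direct dependency that pulls each one in. The following added example (my own illustration, not GitLab's code) assumes each record carries a `dependency_path` list running from the project's direct dependency down to the vulnerable package; the field names, severity labels and sample findings are constructed for the example. It goes one step beyond the page by ranking the groups, so the direct dependency whose update would address the most findings comes first.

```python
"""Group a flat list of vulnerability findings by top-level direct dependency.

Added example, not GitLab's code. Assumes each finding carries a
'dependency_path' (direct dependency first, vulnerable package last); findings
without a path fall back to 'dependency_name'. All names are constructed.
"""
from collections import defaultdict

# Assumed severity labels, ranked so groups can be ordered by worst finding.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

# Constructed sample findings, shaped like the flat list the current report returns.
SAMPLE_VULNERABILITIES = [
    {"id": "V-1", "title": "Finding in lib-x", "severity": "high",
     "dependency_path": ["framework-a", "lib-x"]},
    {"id": "V-2", "title": "Finding in lib-y", "severity": "medium",
     "dependency_path": ["framework-a", "util-m", "lib-y"]},
    {"id": "V-3", "title": "Finding in framework-a", "severity": "low",
     "dependency_path": ["framework-a"]},
    {"id": "V-4", "title": "Finding in lib-z", "severity": "critical",
     "dependency_path": ["tool-b", "lib-z"]},
    {"id": "V-5", "title": "Finding with no path recorded", "severity": "unknown",
     "dependency_name": "legacy-c"},
]


def _rank(vuln):
    """Numeric severity of one finding; unrecognised labels rank lowest."""
    return SEVERITY_RANK.get(vuln.get("severity", "unknown"), 0)


def top_level_dependency(vuln):
    """The first element of the path is the dependency the project declares directly.

    A finding with no path (e.g. from an older scanner) is keyed on its own
    package name so it is never silently dropped from the report.
    """
    path = vuln.get("dependency_path") or []
    if path:
        return path[0]
    return vuln.get("dependency_name", "<unknown>")


def group_by_direct_dependency(vulnerabilities):
    """Map each direct dependency to the findings it introduces, in input order."""
    grouped = defaultdict(list)
    for vuln in vulnerabilities:
        grouped[top_level_dependency(vuln)].append(vuln)
    return dict(grouped)


def summarize(grouped):
    """One row per direct dependency: how many findings an update would address,
    the worst severity among them, and how many are transitive.

    Rows are sorted by finding count, then worst severity, then name, so the
    most valuable single update is listed first.
    """
    rows = []
    for dep, vulns in grouped.items():
        worst = max(vulns, key=_rank)
        rows.append({
            "dependency": dep,
            "count": len(vulns),
            "max_severity": worst.get("severity", "unknown"),
            "transitive_count": sum(
                1 for v in vulns if len(v.get("dependency_path") or []) > 1
            ),
        })
    rows.sort(key=lambda r: (-r["count"],
                             -SEVERITY_RANK.get(r["max_severity"], 0),
                             r["dependency"]))
    return rows


def grouped_report(vulnerabilities):
    """Response body in the shape the grouped endpoint would return."""
    grouped = group_by_direct_dependency(vulnerabilities)
    return {"grouped_vulnerabilities": grouped, "summary": summarize(grouped)}


if __name__ == "__main__":
    for row in grouped_report(SAMPLE_VULNERABILITIES)["summary"]:
        print(f"{row['dependency']:<12} findings={row['count']} "
              f"worst={row['max_severity']} transitive={row['transitive_count']}")
```

With the sample data, `framework-a` is listed first because a single update of it addresses three findings, two of them in transitive packages, while `tool-b` follows on severity alone. The same vulnerable package reachable through two different direct dependencies will appear as a separate finding under each, which is the intended view: each group shows what one direct update buys.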
