feat(vulnerability): replace hasSBOM with sbom.status and add SBOM processing UX#445
Open
ybelMekk wants to merge 11 commits into
Conversation
Contributor
Pull request overview
Adds SBOM status awareness to vulnerability views, replacing hasSBOM query usage with sbom.status and adding processing/failure/no-SBOM UI states.
Changes:
- Updates vulnerability GraphQL queries to fetch sbom { status, processingStartedAt }.
- Adds SBOM status utilities, icon, and processing card.
- Updates workload/app/job vulnerability summaries and lists to show SBOM state and polling while processing.
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/routes/team/[team]/[env]/job/[job]/vulnerabilities/query.gql | Fetches SBOM status fields for job image vulnerability page. |
| src/routes/team/[team]/[env]/job/[job]/vulnerabilities/+page.svelte | Adds SBOM processing/no-SBOM/failed UI and polling for jobs. |
| src/routes/team/[team]/[env]/app/[app]/vulnerabilities/query.gql | Fetches SBOM status fields for app image vulnerability page. |
| src/routes/team/[team]/[env]/app/[app]/vulnerabilities/+page.svelte | Adds SBOM processing/no-SBOM/failed UI and polling for apps. |
| src/routes/team/[team]/[env]/app/[app]/query.gql | Adds image SBOM and vulnerability summary data to app query. |
| src/routes/team/[team]/[env]/app/[app]/+page.svelte | Adds vulnerability summary with SBOM icon to app sidebar. |
| src/lib/utils/vulnerabilities.ts | Adds SBOM status mapping and processing duration helpers. |
| src/lib/utils/vulnerabilities.test.ts | Adds tests for SBOM status and duration helpers. |
| src/lib/domain/vulnerability/WorkloadVulnerabilitySummary.svelte | Updates summary rendering for SBOM status states. |
| src/lib/domain/vulnerability/WorkloadsWithVulnerabilities.svelte | Reworks vulnerability workload list with SBOM icons and processing polling. |
| src/lib/domain/vulnerability/VulnerabilityBadges.svelte | Adjusts badge styling. |
| src/lib/domain/vulnerability/SbomStatusIcon.svelte | Adds reusable SBOM status icon component. |
| src/lib/domain/vulnerability/SbomProcessingCard.svelte | Adds reusable SBOM processing status card. |
| src/lib/domain/vulnerability/ImageVulnerabilities.svelte | Adds SBOM status fetching, alerts, and polling support. |
| schema.graphql | Updates generated schema with SBOM fields/status enum. |
| package.json | Adds a direct optional Rollup native package dependency. |
…ocessing UX
- Replace hasSBOM boolean with sbom { status, processingStartedAt } in all queries
- Add SBOMStatus-aware utils: sbomStatusDetails, formatProcessingDuration
- Add SbomStatusIcon component (healthy/processing/warning/no-sbom)
- Add SbomProcessingCard component with live elapsed timer
- WorkloadVulnerabilitySummary: show processing card, failed/no-sbom alerts
- WorkloadsWithVulnerabilities: replace table with List, add sbom status icon,
auto-refresh every 10s when any workload is PROCESSING
- ImageVulnerabilities: show processing/warning alert, auto-refresh every 20s
- App vulnerabilities page: show SbomStatusIcon in summary heading, poll on PROCESSING
- Job vulnerabilities page: same as app
- App sidebar: add vulnerability summary with SbomStatusIcon
- Depends on nais/api#439
UI default was ascending while query defaulted to DESC, causing a mismatch when selecting a vulnerability sort field for the first time.
…s null
When status is READY but vulnerabilitySummary is absent, hasVulnerabilityData
is false but imageStaleness.indicator is healthy, so no branch rendered.
Added {:else} fallback showing the temporary-unavailable info alert.
…UM row
--ax-warning-600 does not exist in the design system. Use --ax-warning-500 as the dark-mode background and --ax-warning-400 for the hover state, consistent with the scale used elsewhere in the codebase.
Lockfile was out of sync with package.json after dependency updates, causing npm ci to fail in CI.
b042883 to 9b15afe
… with generic resource types
…fetch
The effect tracked the whole data object, so every NetworkOnly fetch while status remained PROCESSING would reset nextRefresh and recreate intervals. Deriving sbomStatus separately ensures the effect only re-runs on genuine status transitions.
The markup const shadowed the team slug prop from script, making the component harder to read. Also regenerate package-lock.json to fix npm ci failures in CI.
Previous lockfile was generated with node 25, causing npm ci to fail in CI which runs node 24 via mise.
These enum values were removed from the schema. APPLICATION_UPDATED has no direct replacement; JOB_UPDATED is also gone. Remove them from the filter group to fix svelte-check type errors.
Contributor
Pull request overview
Copilot reviewed 17 out of 18 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
src/routes/team/[team]/activity-log/+page.svelte:53
`groupedActivities` is used to render the filter menu, but `ActivityLogActivityType.GENERIC_KUBERNETES_RESOURCE_UPDATED` (added in the updated schema) isn't included in any group. That makes the activity type impossible to select/deselect in the UI even though it exists in `allActivities`. Add the updated enum value to an appropriate group (likely "Kubernetes Resource").

```ts
    ActivityLogActivityType.JOB_RUN_DELETED,
    ActivityLogActivityType.JOB_TRIGGERED
  ],
  'Kubernetes Resource': [ActivityLogActivityType.GENERIC_KUBERNETES_RESOURCE_CREATED],
  OpenSearch: [
```
… formatting
Return null when sbomProcessingStartedAt is in the future to avoid misleading 'less than a minute' output on clock skew. Also fix Prettier formatting in job vulnerabilities page.
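The two utilities named in the first commit (sbomStatusDetails, formatProcessingDuration) together with the clock-skew guard from the commit above, as an added example written for this page rather than taken from src/lib/utils/vulnerabilities.ts. The labels and descriptions, the `now` parameter, the anyProcessing helper, and the FAILED/NO_SBOM enum values are assumptions; the page only shows PROCESSING and READY and the four indicator names.

```typescript
// Added example, not the project's vulnerabilities.ts.
// Demonstrates: SBOM status -> UI indicator mapping that fails closed, and an
// elapsed-time formatter that refuses to describe a start time in the future.
export type SbomStatus = 'PROCESSING' | 'READY' | 'FAILED' | 'NO_SBOM'; // FAILED/NO_SBOM assumed
export type Indicator = 'healthy' | 'processing' | 'warning' | 'no-sbom';

export interface SbomStatusDetails {
  indicator: Indicator;
  label: string;
  description: string;
}

// Wording is illustrative; the real component's copy is not on this page.
const DETAILS: Record<SbomStatus, SbomStatusDetails> = {
  READY: {
    indicator: 'healthy',
    label: 'SBOM ready',
    description: 'Vulnerability data is derived from the image SBOM.',
  },
  PROCESSING: {
    indicator: 'processing',
    label: 'SBOM processing',
    description: 'The SBOM is being analysed; results refresh automatically.',
  },
  FAILED: {
    indicator: 'warning',
    label: 'SBOM processing failed',
    description: 'Analysis failed; vulnerability data may be missing or stale.',
  },
  NO_SBOM: {
    indicator: 'no-sbom',
    label: 'No SBOM',
    description: 'The image was built without an SBOM and cannot be scanned.',
  },
};

export function sbomStatusDetails(status: SbomStatus | null | undefined): SbomStatusDetails {
  // Unknown or absent status is rendered as "no SBOM", never as healthy: a new
  // enum value from the API must not hide an unscanned image behind a green icon.
  const known = (DETAILS as Partial<Record<string, SbomStatusDetails>>)[status ?? 'NO_SBOM'];
  return known ?? DETAILS.NO_SBOM;
}

// True when any workload in a list still needs polling.
export function anyProcessing(statuses: ReadonlyArray<SbomStatus | null | undefined>): boolean {
  return statuses.some((s) => s === 'PROCESSING');
}

const plural = (n: number, unit: string): string => `${n} ${unit}${n === 1 ? '' : 's'}`;

// `now` is injectable so the function is deterministic; callers omit it.
export function formatProcessingDuration(
  startedAt: string | Date | null | undefined,
  now: Date = new Date(),
): string | null {
  if (!startedAt) return null;
  const start = startedAt instanceof Date ? startedAt : new Date(startedAt);
  if (Number.isNaN(start.getTime())) return null; // unparsable timestamp

  const elapsedMs = now.getTime() - start.getTime();
  // Negative elapsed time means the API's clock is ahead of the browser's.
  // Reporting "less than a minute" here would be wrong, so report nothing.
  if (elapsedMs < 0) return null;

  const minutes = Math.floor(elapsedMs / 60_000);
  if (minutes < 1) return 'less than a minute';
  const hours = Math.floor(minutes / 60);
  if (hours < 1) return plural(minutes, 'minute');
  const rest = minutes % 60;
  return rest === 0 ? plural(hours, 'hour') : `${plural(hours, 'hour')} ${plural(rest, 'minute')}`;
}
```

Two choices worth noting: the formatter returns null rather than a string for both an unparsable and a future timestamp, so the card can simply omit the timer instead of rendering a guess; and the status lookup is cast to a partial record so a value the frontend has never heard of degrades to the no-sbom indicator instead of throwing or reading as healthy.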
Summary

Replaces the deprecated hasSBOM: Boolean field with the new sbom { status, processingStartedAt } object across all vulnerability-related queries, and adds a full SBOM processing UX.

Changes

New components
- SbomStatusIcon — icon indicating SBOM health (healthy / processing / warning / no-sbom)
- SbomProcessingCard — card with live elapsed timer shown while SBOM is being processed

Updated components
- WorkloadsWithVulnerabilities — replaces table with List, shows SbomStatusIcon per row, auto-refreshes every 10s when any workload is PROCESSING
- WorkloadVulnerabilitySummary — shows processing card and failed/no-sbom alerts
- ImageVulnerabilities — shows processing/warning alert, auto-refreshes every 20s while PROCESSING
- VulnerabilityBadges — SBOM-status-aware badge display
- App/job vulnerabilities pages — SbomStatusIcon in summary heading, polling on PROCESSING
- App sidebar — vulnerability summary with SbomStatusIcon

Utilities
- sbomStatusDetails — returns indicator, label, description for a given SBOMStatus
- formatProcessingDuration — human-readable elapsed time

Dependencies
- Depends on nais/api#439 (ContainerImageSBOM.status and ContainerImageSBOM.processingStartedAt)