 I was checking my clothes oh no it's recording now it's recording okay so the thing is because the interface is split just a reminder it's split between those two sections it's split between those two sections so I thought we go with two API endpoints it also has the benefit that we could ask use the summary endpoint to find out if we even need to do the other request you know because we have to somehow detect the empty state so what I just would do and I think the summary is not the most controversial it would just be asking for the summary of a group say I just named it security dashboard this is obviously I've already pasted the links this is obviously we can change it doesn't need to be named security dashboard but then it just returns an JSON object which has a total integer and then it's by severity and by type okay and yeah I mean if it would be in the public API it could be under the group you know that it maybe is like a group and then I don't know whatever so I don't want to bother with the name but I think the what we can send and what we receive is more important and this endpoint is sorry this endpoint is the borrowing one and I think it makes more sense to talk about the other one as I said the endpoint name here is a bit unclear I was thinking about a simple get request with query parameters but then I thought that maybe not the best idea maybe we should implement it as a post endpoint because once we add searching for vulnerabilities and they end up in server logs if you search for certain CVE's it might not be the best idea maybe we should put it in a post buddy because if there is some there is a new CVE and you see all the people searching in the public API and it turns up in logs may not be the best idea just yeah and then basically because of the because of the parameters we defined right here right now which with which we can filter it will be the type the severity the project and the confidence I mean at the moment we then just have to test as type but I think we should be future compatible so at the in the first iteration it will make no difference if you filter by type or not you could also rename it to report type I don't care these are the other ones and then obviously we have pagination and I think you can just reuse the normal pagination stuff we have it actually then adds headers and whatnot with all the pagination and as a result it would be a JSON array and a JSON array of objects so I just called them vulnerability from type vulnerability and a vulnerability will be basically the name the thing we display as the name the type again severity confidence whether the thing is dismissed or not then the body and maybe we didn't rename it buddy buddy would be the JSON blob we have in a database I don't know if there is a better name for it and then I would like to add a project object because in the front and we have no information about the project ID namespace web URL the vulnerability feedback well the issues well if you want to find issues and made a data is maybe good yes so I think these are all the things you store in a database of course if there are more fields just expose them here as well we may use them in the future and otherwise yeah so Olivier you added category or to be discussed in the front and back out we always call it report type or we can change the wording for the front end is not an issue but I mean it's it for the public API we should have standardized name yeah and actually I don't care about the names of the fields it's just like all the fields should be there and I mean that's the and probably the thing we would forget is that we need the project object with the because I looked again and the vulnerability feedback URL is based on the project so we should have a project object and have the ID in there and everything we need to link something what I just missed from this is basically if we have a go-to vulnerability link we I think we didn't define one yesterday in the call but if we would have something like jump to the vulnerability and it would jump into the security screen of the pipeline or wherever or in the first commit where it was introduced or wherever it jumps we would need that URL as well yes any questions any comments yeah you're missing a soul information about feedback because you want to know if it's dismissed so you have the bullion right but you need also to know who dismissed that which pipeline is it and eventually if it does a creation created issues what's the number of issues to generate the link or I don't remember if you just give you the link already so yeah I don't have all the properties in mind but you may look at the feedback that we already are fetching in the front-end yeah we are integrate integrating I think it's a dismissal sub-object in the current of an arbitrary object yeah that's that's good I didn't look at the API results so basically what we need we would need the result of the vulnerability feedback API also just in there yeah I'm not sure about the body property the goal was to provide a clean API to do this the poor seeing and the the motion and jason on the back-end side so it's three to three transparent for the front-end this means the problem is we need the body otherwise we can't display the model and because the model yeah I mean the information the information you have in the model would be provided as first citizen properties on the vulnerability objects so if you want to reuse the model with the current code you eventually would have to rebuild a small and the mutation in the mutation method you would have to do a small mapping but if you want to provide a clean API right now we have to get rid of this jason object because it will it may change between different version of the reports and we want to avoid to expose this different version we will normalize that on the back-end side and always provide you a common API on the front-end so do you think it will be feasible for the MVC because then we also have to write more front-end code to deal with your standardized things and it's already well standardized if you look at the the utils the GS file I already changed a lot of the code to make them really compatible with the the common report format we have which is the one is used by SAS so if you look at past SAS and past dependencies there is already backward compatibility stuff and so on that so I may be wrong but to me the only thing we have to do is eventually do a small mapping between the the property you will have in this linear reader object with the name that we are using in the in the store for the model but I mean you work now on SAS the problem is what I what I personally really don't like is if you have a flat list of flat objects and those objects are of different types I mean inheritance right so what I actually what I like more is if you have a type property and you if you ever have to do something differently because of the type or category or what's not I like to have all the properties that belong to the category in the sub-object it's just personal thing I understand that's exactly what we did in gymnasium actually to all the different kind of dependencies and we maybe could go that way and add the an extra property with some type specific properties but the thing is everything you want to display in a common way should be in the in the top level okay but because all the things in the model as far as I remember the front-end code correctly we basically just iterate over the object and show you every field we have a definition for basically and so yeah maybe it makes sense you know at some I don't know we could throw everything in your flat but there's always the there could be a problem with conflicts or something I don't know in the future and if you put it in the in the flat up if I in the top level from the end the API it means that we are able to normalize that on the on the back otherwise it has to be if it's I mean if it's the same property name but the value is totally different I don't know sometimes you just have a string and sometimes you have an object we won't do that in the same property it doesn't make sense so for such really like you know for for that you have instances which is a sub array that contain a sub-objects yeah and this is clearly only for that so we could have this conversation to decide whether we just put it on the on the top level and for type of the vulnerabilities that don't have it we just don't have the property or it's an empty array so you have a really common behavior for all kind of vulnerabilities or we can go for more type of objects so that you can have more type of front-end and link and we can also leverage a specificity to have specific components that will leverage those properties we already have those for some things and the question also is we yesterday talked about making the information public and in my opinion if someone wants to build something on the public API for them the raw data will be beneficial I mean it's okay to have like standardized things but I think we can all agree that those standardized things will always be less than all the other information we have right and so I don't know because everything else on the public API is probably defined I don't know how we would handle I mean no things that are not standardized or that could change and maybe that's the reason why I wanted to also to have it in a different field and I see a point but this is our goal to unify all those reports and provide a common API this is exactly what we are doing we're integrating different tools and we have to normalize the data to have a common one and the sorry I missed my idea sorry yeah yeah object that we currently have should be removed this is a temporary thing that we have that there's a road chosen into database but we want to get rid of that so in the end we won't have it even if we normally get when you say we are the view include me actually actually I'm not sure I agree with you we is like get lab banking back and maintainers and database maintainers okay I mean I like the intent but the thing is as we can say it's if you want to normalize everything it's gonna be less than the specific data we can get from one specific analyzer but oh yeah I wanted to go back to a previous point so all you get from what I understand you want to standardize the output right away and get rid of this body slash me that other field right from the beginning and yeah we are working okay you'll be writing the jason the great entities that we generate jason from Ruby class so yeah I just want to make sure that there's no extra cost in doing that because the the intent when suggesting this body or metadata field or column actually in the database was to make the transition easier since we already have all the code in the front end to love that that piece information automatically in the model without so yeah the intent was to to make sure that we wouldn't there would be no need to change the front end or at least at the beginning the thing is that we are doing that we will be doing that for artifact passing for major request and pipeline view we don't leverage the database but we want to have a backend person so if we do that we don't have any choice to just pass through the jason to the front end and see the front end is rewritten for those sections but today we are working on the group dashboard which is a brand new page well that's my point I was hoping that we would we use most of the code in the front end and not quite create right new code yeah we will but this is big this is just because of that that we don't want to rely on the jason on the road jason because if we just use the road jason right now we will have to rewrite to rewrite later the front end to use a normalized output I actually I don't want to rely on the I don't want to rely I mean we have to rewrite it anyway because at the moment we rely on it in the merge request and pull request and all the other pages right and those should be using the generalized things as well and I see that we have fields or values we can generalize but we also will have and always will have fields that are specific to each different type of scanning I mean I have dependency scanning and I have information in there which dependency or whatnot and that's maybe different from you know in Java apps from the class or yeah I mean that's also a good example if you have a code project that has JavaScript and has Java code it will have things like classes on the one hand and it will have other results that don't have classes so I don't know I mean in the in the new stuff we built here in the front end I just want to rely on the on the information the API has on a top level but for the for these models for example or for these for for yeah for these models for example I it's okay to rely on the JSON block we have and maybe you can later on you can also start normalizing the things we have in the JSON block right I don't know yeah that's my point yeah I want to to postpone that work okay that for me the idea is to rely on what we've got right now in the front end so if there's a way it doesn't have to be it doesn't have to be part of what's returned by this specific endpoint actually I'll talk about that later but yeah the idea was to reuse most of the existing code so if the data is the same I guess the front end code is the same the model and the JavaScript code is rely on but you have to understand that the model is not filled with raw JSON from the reports it's not working like that today what we do is that we are passing the raw report yeah already and normalizing data and then we feed it to the model and I worked on this front end part and I made things really close to what is the what is the common format right now so okay we can go this way but I mean it's will be a waste of time because we are really so close to the final results that it will be just few adjustments to map this vulnerability this new vulnerability object to what we need to feed to the model store but I mean could we just postpone this I mean why I mean all the rest is clear right so that's actually the one discussion point we have yeah just just one thing and maybe it's complementary to what just said oh what about returning the body of the raw data using a different endpoint so we would query that specific vulnerability and we would get the raw data will be really annoying I mean we don't do that right now so we have to write more code to for the query I it's fine because if you open the model you query for it but will mean more adjustments and maybe not MVC because at the moment yeah moment you don't have the you also don't have like an endpoint available where you have the artifact for specific vulnerability right would also mean that you have to build additional backend endpoint instead of just taking the JSON field in there yeah I mean sure but at the same time we would we would be able to say that this particular endpoint I mean the search endpoint and the list it returns is already stable yeah and then your the endpoint would be alpha or experimental I mean I would ask if you are you should agree with that because it's can you please I will give you the vulnerability object you all the field that we want at the top level and you could have a look at what we have in the model store and so that you can see what would be the work to adapt what you have in this new object to fill the model and if you say that it's too much work and you want to rely on the road is on we will find which way we are going to integrate the road isn't do you agree with that mmm yeah that sounds good I'm just you are expecting too much work to adapt the existing model to this new vulnerability object than to me is required but I may be wrong because every every property is just an array of data that we are looping out and if we have it we just don't have it we just keep it yeah so but the problem to me is I because we are talking about a clean API and I thought it may be more useful to put all that stuff in a different object because right now I'm looking right now I'm looking in the in the source code and we have subscription identifiers file class name method name namespace severity confidence solution links and instances these are the fields we show in the model and I think we show additional stuff if it's the mist this mist and everything and I don't know if we want to put all that stuff in the top level object to me this is a total different discussion okay even if we put them on top level or in a sub object if it's a specific properties yeah it will be the same work to map this to the existing model store it's just a matter of okay I want this property I just go find it in that sub object instead of this top level property so to me it's just a just a quick mapping it's really easy to work but if you want to discuss if we were if we have to put specific properties into a sub object I'm fine with that the issue is we didn't have done right now enough research on the other kind of reports so it's really clear to me what we are for SAS what we are for dependency scanning because we already work on which way that I we are there but we didn't do that work for container scanning and desk so it's not that complicated but it will require maybe one day or two to really focus on that task and decide whether or not we have too many specific properties and we want to put them into an extra sub object or if we want to aggregate everything to put everything on the flat on the flat object of the top level yeah I won't be able to to decide right now to me but based on what I've worked on by the other work I've done on the metadata to me we can have just flat objects but as you say it could be better sometime to have type of component in the front end and leverage just different things using an extra object or even for readability I don't know I don't see the need to push for flat objects like we're not sure it's just safer to put what's you know what depends on the category you know in the sub object so why not the thing is that at some point we may want to leverage well we'll see then yeah we could backboard it then yeah my question I still have a question regarding I see if we are still using a lot of things in a front end like creating a project fingerprint for example why is it named project fingerprint that's the question because I think it's used for the dismissal it's good to the project it's a fingerprint or the linearity within that particular project really because I just see the fingerprint is doing a char one in charge of the cde okay my question would be in this iteration we would still do the things in the front end no you I will be calculating those fields yeah cool well this will be a deprecated field that you will have in this object because for backboard compatibility with the dismiss and create issue feedback feature that it's really not very level and we will remove it at some point so we would have instead of this miss yes no we would have the that's the question dismiss Boolean maybe we can keep it I don't know is in that easier to just a feedback object and check on existence on this yeah it could depends I mean because you're not supposed to have feedback I mean it's not mandatory property yeah I mean then we just say string that optional there it would be an object actually the feedback the whole feedback is in the sub-object because you have to know if it's a feedback of type issue you will have the issue number and you will have the author and if it's a dismissed feedback you will just have the author and I think there's a pipeline to vulnerability feedback yeah okay so it will be the whole object yes it has a feedback type so it will be the feedback object okay so we just say feedback and it's an feedback object yeah and optional object or null or undefined you know yeah I don't I don't know I don't care you have to look how the back end does it if it's null or undefined yeah I don't know I don't know how we work in the API in general do we have yeah we set null values so probably it's better to put another value in there right yeah surprise that Olivier didn't mention GraphQL yet don't push me yeah you can mention it all you want we don't have the proper support on the front end yet so yes okay so type or category I can go with both I don't care the last suggestion we had was analysis that type because type is read to generate to generate yeah so analysis type is what we ended up with but today all the code is using category so what's what's report type because analysis analysis analysis yeah okay okay which is also confusing to me because we have multiple analyzers for sastre for example yeah that's what I like this and that analyzer achieve that type of analysis do we want to go with the boring way and just call it report because no one can pronounce analysis and also you saw it to report type is refined for me yeah I would say depending if it's in the mother or the mother yeah I recommend not to use analyze or analysis because it can be there are different ways depending on you know US versus yeah okay I also adjusted it in the top do we need anything more in the in the as the query parameters right now not right because we don't have more searches at the moment severity okay give it a string no problem we have been doing the mapping on the on the back end project 80 okay we don't have the identifier for this first situation right and I mean if we want to move those things into the body if you have like a post endpoint we still could use the page for I don't know I don't care where it is then if the page is a query parameter or in the body yeah I would check what we have already for the existing endpoints and what's a nice way to do it on the back end what do you get the project idea by the way it will be that's that's a good question so probably if we have the project filter we will need to use in the drop-down we need to use an existing project filtering thing I think we still already have that if I go in a merge request and I can filter by can I filter by project or something yeah but in this case we're at the group level so yeah it's but our but our like group drop down I don't know what do we have here we can go to groups git lab org maybe we have an issue board here or something and I think we already have front-end code for that so they're like a project you can't fit up a project select project to create see to create an issue yes oh yes you have to list here yeah yeah so and that that list will hopefully give us the project ID good should make sense yeah I hope we have a component for that other maybe we have to throw put that filter I mean it's good if we have to filter the API and if that drop-down takes too long we can maybe move it out of the MVC we still have to check that I'm going to write down that question I mean the nice thing the nice thing about the severity and confidence they will be fixed values right yeah they are fixed value but they are not always meaningful for both get for both properties yeah so if you want to static values there maybe we have to refine that because to currently to make it simple we have the same values for both filters but like I don't know ignore ignore level for confidence that makes sense for severity yeah I mean drop two drop-downs with five values I think I can handle that the other question would be with unknown do you have severity unknown or unknown basically an alias for Nile or undefined yeah good question because that's the problem because once you send starting query parameters with Nile or undefined in a query it gets ugly so I don't know in the database are you mapping unknown severity to a different part of the enum or is it just empty this fields are not mandatory so they are just mapped to new value if they are not provided okay the question would be should we be able to search for issues without those values and I don't know if it brings enough value for the users to to bring those features this is why we don't have those levels on the top level cards with the counters we don't have them there because it doesn't bring any value so we have it here unknown yeah we have unknown but we don't have ignore we don't have experimental which are you're so existing lovers okay so I'm not sure 100% sure of I mean we have this feature we basically have the feature of to search for how do we do it here I search for unassigned oh that's stupid I'm searching the whole instance maybe I say oh and they basically just send a null funny no unassigned yeah ID equals zero okay yeah I don't know if we if we need it in a drop-down that's maybe Philippe you have an opinion on that okay yeah so sorry I just checked the reports code and this is exactly that if the report tool doesn't either doesn't report the confidence or the severity it would just be an empty value so a new or new but should be able to search for it from the front end live that's about for at least for the MVC yeah I don't if we have some feedback that we can't charge for I mean okay if if I put myself in the shoes of a user I will want to tackle all the the highest severity and highest confidence issues first that's the point of using the dashboard so I won't go into really all the details right now okay not for the MVC I wrote it down yeah this is a really issue because under the hood we have some analyzers that doesn't provide the severity but it doesn't mean that those vulnerabilities aren't severe ones I mean that's I that's also yeah but the user can't judge can tell because we don't have that value so truthfully we can't solve that so let's just forget it okay so I think we can catch we should cut we have basically 15 days to do that so okay I wrote it down here I will so any open things you removed unknown from the yeah from the from the query list as a parameter and it will be nile or undefined right no you can have all the values there you will have critical eye medium low experimental unknown in your you have experimental experiment experiment is before known in terms of the value of this anyway this is something we didn't have time to discuss but we have issues last one is ignore ignore yeah because the tool knows for sure that this is a false positive so it flags it as ignore confidence okay okay okay something I don't get sorry but what why is it reported in the first place I mean in the tool knows that it's something to be probably also if the if you have like a separate ignore file for the tool right like the container scanning and you want to ignore it yourself it may be reporting it as ignore I don't know yeah but that's weird these are really not useful for severity this is what I was telling you that we are currently using the same set of values for both properties but some doesn't make sense so it's a technical way to it to make it easier but to me it doesn't make sense to provide those values at least it's not a big deal because here it just a list of possible values even if you don't have it it's not a big deal but for the filters it clearly don't make sense to have them for for severity anyway okay yeah whatever I mean if you have a different text value in there you may not get I just have to think about okay if I get ignore and I don't have a style for ignore like the red green whatever you will just have it in a box never be the word ignore so I have to have an else or default in the switch statement right yeah okay maybe some tools have some some kind of white listing or you know you can flag something a vulnerability as a false positive and in this case it will still report that so that it's going to be displayed in different right like we have this try through it's maybe yeah I mean it's okay if it's there I will display it or sample display it yeah okay feedback we have the feedback object this is still in discussion how we name that to me it won't be it will be necessary to have just an object and unless you really ask for it I wouldn't have it we could have an extra or metadata fields that will provide type specific properties if we want to go that route and it seems that this is what we want according to a recent discussion yeah so yeah they just call it data me that's not nice we were using extra in gymnasium I don't know if it suits you that I mean it's not like it's eating up too much it's too long it's no you will have a nightmare time by having short line in your code merge when pipeline succeeds it's too long man I don't know we have so long names in our API but it's it's not a final property it's an intermediary object so you'd have to write that a lot of time to access activities yeah okay I don't care okay and are we going with to get over the post route I mean you're the you're more you work longer in the security space do you think it's a concern that's legit or me so Fabien agrees we have approximately 10 minutes left there's the only concern that I have is the sake of scalability because I can see that being used later for the project dashboard as well so it should you know be the same objects that we will have in the project dashboard and the group level dashboard and the instance level dashboard just you know grouped by different levels so just want to make sure that we will be able to do that and an instance I'm not pretty sure because of the amount of the currencies that no it's not for 11.5 don't worry yeah I'm going to take vacation and you see what I mean we should be able to aggregate things as we're going up or in the yeah I mean I mean if we go one level up here you could also think add a thing like by group or something and additionally in that object at a group object or something I don't know really depends I mean once we see real life examples and real life groups we will know I have a better idea how to aggregate all the things on an instance level yeah for example my point is here you have all the you have the list of vulnerabilities from one to two etc and then you have a project object inside the vulnerability yeah so you will enter that differently at the group level and at the project level we can have the project ID always in the vulnerability or we can have a group per project for each project we have the list of no I mean we have to have a flat array otherwise you won't be able to sort filter it is like that easily okay if you want a different approach then it's a different endpoint and different structure okay get a post so up or downward who's for post maybe we should ask other people and on backhand side what's the best but according to the fact that we will have more and more filters I don't know at some point maybe I don't remember how much is the limit for get request but I don't think we will we will reach it back okay cool good I will write that down and we still have the to the side on the like on the full path yeah right but you will find out the path for the for the get it should be I think more about the rest style so about specifying the resource we are getting so maybe a more like vulnerabilities because I'm pretty sure we won't want to expose things like as occurrences even if there are occurrences I know that's it's not a well-appreciated word for user-facing so it will be like groups ID and then security slash vulnerabilities probably something like that agree but that's for that one right because that's the one and should we have the summary after this or security slash dashboard I think would be great because oh no yeah this is what we have for projects we have project ID by project namespace slash security slash dashboard so this would be okay I didn't it's good to me yeah I was about to suggest the exact same thing so obviously I agree okay so the only open thing is get those post and I'm just going to form it nicely and put it in the issue cool so that was that was super productive thank you everyone we found our and yeah we can get started on this yes the last comment any last objection so the thing would be are we going to create now that we have to spec are we going to create mock objects so that front-end can work the couple from the back end like I mean doesn't have to be big just like free free issues or something sounds like a good idea to me okay yeah I mean starting on Monday sample start working on that so yeah so I really need to dig into that really soon so provide the full vulnerability object I mean with all the top-level properties because it's missing some properties like I don't know solution or identifiers it seems like that yeah so I need to do that today or maybe tomorrow to ensure them is give you some some space and time to do that until Monday yeah I mean I mean I start tomorrow on the license management stuff so yeah until to have until Monday yeah can you just please add a note that this object is not the final structure yeah in the issue so that it's the to-do and being there so that I can remember it thank you yeah we'll do and I think we will have the same meeting Lucas if you agree on the license management on Monday with Gilbert yeah no no worries that sounds really necessary to make sure that we're all on the same page and this is really productive I'm not sure we will have to spend one hour like this because this one is really big subject compared to license management yeah 15 minutes it would be fine thank you yeah okay just send me a juburn invite and I'm going to write up a similar document then great thank you very much okay then have a nice day let's go thank you thank you very much bye bye