Merge branch 'dj-dependency-path-docs' into 'master'

Document dependency path and enable feature See merge request gitlab-org/gitlab!44001

Merge branch 'dj-dependency-path-docs' into 'master'
Document dependency path and enable feature See merge request gitlab-org/gitlab!44001
caf5255a · Heinrich Lee Yu · 70084dd3 · 1c828d05 · caf5255a · caf5255a
Commit caf5255a authored Nov 11, 2020 by Heinrich Lee Yu
6 changed files
--- a/doc/user/application_security/dependency_list/img/yarn_dependency_path_v13_6.png
+++ b/doc/user/application_security/dependency_list/img/yarn_dependency_path_v13_6.png
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -32,7 +32,7 @@ Dependencies are displayed with the following information:
 | --------- | ----------- |
 | Component | The dependency's name and version |
 | Packager  | The packager used to install the dependency |
-| Location  | A link to the packager-specific lock file in your project that declared the dependency |
+| Location  | A link to the packager-specific lock file in your project that declared the dependency. It also shows the [dependency path](#dependency-paths) to a top-level dependency, if any, and if supported. |
 | License   | Links to dependency's software licenses |

 Dependencies shown are initially sorted by the severity of their known vulnerabilities, if any. They
@@ -44,6 +44,18 @@ If a dependency has known vulnerabilities, you can view them by clicking the arr
 dependency's name or the badge that indicates how many known vulnerabilities exist. For each
 vulnerability, its severity and description then appears below it.

+### Dependency Paths
+
+The dependency list shows the path between a dependency and a top-level dependency it's connected
+to, if any. There are many possible paths connecting a transient dependency to top-level
+dependencies, but the UI only shows one of the shortest paths.
+
+![Dependency Path](img/yarn_dependency_path_v13_6.png)
+
+Dependency Paths are supported for the following package managers:
+
+- [NuGet](https://www.nuget.org/)
+
 ## Licenses

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10536) in GitLab Ultimate 12.3.

--- a/ee/app/controllers/projects/dependencies_controller.rb
+++ b/ee/app/controllers/projects/dependencies_controller.rb
@@ -5,7 +5,7 @@ module Projects
    before_action :authorize_read_dependency_list!

    before_action do
-      push_frontend_feature_flag(:path_to_vulnerable_dependency, project)
+      push_frontend_feature_flag(:path_to_vulnerable_dependency, project, default_enabled: true)
    end

    feature_category :dependency_scanning

--- a/ee/changelogs/unreleased/dj-dependency-path-docs.yml
+++ b/ee/changelogs/unreleased/dj-dependency-path-docs.yml
+---
+title: Enable dependency path in dependency list
+merge_request: 44001
+author:
+type: added
--- a/ee/config/feature_flags/development/path_to_vulnerable_dependency.yml
+++ b/ee/config/feature_flags/development/path_to_vulnerable_dependency.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/241739
 milestone: '13.4'
 type: development
 group: group::composition analysis
-default_enabled: false
+default_enabled: true
--- a/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
@@ -59,7 +59,7 @@ module Gitlab
                path:      file_path
              }

-              return base_location if Feature.disabled?(:path_to_vulnerable_dependency, project)
+              return base_location if Feature.disabled?(:path_to_vulnerable_dependency, project, default_enabled: true)
              return base_location unless dependency['iid']

              base_location.merge({