What does this MR do and why?

Adds a "Malware" filter token to the project vulnerability report's filtered search bar. This allows users to filter vulnerabilities by malware status (Yes/No)

This is behind the malicious_package_detection feature flag.

Note: The selected filter value is currently not passed to the GraphQL query, as the isMalware argument is not yet available on the backend. This MR only adds the frontend filter token UI. Once the backend argument is deployed (see #587759), a follow-up MR will wire up the filter to the query.

This is part of the Malicious Package Status Filters epic, enabling users to quickly isolate malicious package vulnerabilities from non-malware ones.

References

• Related issue: #587760
• Parent epic: &20573
• Backend dependency: #587759
• Design issue: #551225

Screenshots or screen recordings

How to set up and validate locally

1. Enable the feature flag: http://gdk.test:3000/rails/features/malicious_package_detection
2. Navigate to a project's vulnerability report at http://127.0.0.1:3000/<group>/<project>/-/security/vulnerability_report
3. Click the filter search bar — the "Malware" token should be available
4. Select "Malware" → "Yes" to filter for malware vulnerabilities
5. Select "Malware" → "No" to exclude malware vulnerabilities
6. Verify the URL updates with the isMalware query parameter
7. Verify that the token persists when refreshing the page
8. Disable the feature flag and confirm the token is no longer show.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #587760

@dpisek Good catch! I think we should stick with Malware across. I can update this design that shows a badge saying Malicious package . 🙇‍♀️ FYI @joelpatterson

are we certain that we want to customize it to Malware in <package name>?

It would mean that we would replace the vulnerabilities title, which is displayed by default. And the context should already show that we are dealing with a malicious package. Given that, we just wanted to double-check this requirement.

@dpisek @nilieskou @joelpatterson I wasn't the one who proposed replacing the vuln title with Malware in <package name>, but I have a question (not sure who for, but putting it out there): Does the "what kind of malware" context change the user's immediate action? If the answer is almost always "remove the package" regardless of malware type, then this generic title is fine — the detail page is where you learn more. But if a security engineer is triaging 15 malware findings and needs to prioritize, knowing "backdoor with C2 communication" vs. "typosquat with no known payload" matters, and the title is the first (sometimes only) thing they read in a list.

A middle ground could be to include both — e.g.: Malware in <package name>: <brief descriptor> — but that gets long and may get truncated to Malware in <package name> anyway, at least in the current Vuln Report view. Our vision designs are moving the UI away from columns so we will have more horizontal space for titles, and badges will show corresponding risk that supports the severity, e.g.:

I asked Claude to give me an example of a title of a malware vulnerability if we DON'T replace it with the Malware in <package name> , and the response suggests that either way, malware will be in the title, but that using Malware in <package name> is the way to go - as long as we provide add'l context elsewhere.

Looking at actual GLAD advisory titles, there are basically two patterns already in use:

Pattern 1 — Generic: Malware in simple-swizzle, Malware in strip-ansi

Pattern 2 — Descriptive: package-tester contains malware after npm account takeover, @browserbasehq/stagehand contains malware after npm account takeover

So if you don't replace the title, a user might see something like package-tester contains malware after npm account takeover — which actually tells you something useful (it was a supply chain attack via account takeover, not a typosquat or a rogue dependency).

But here's the thing: the descriptive titles aren't consistent. Some advisories just say Malware in <package> with no additional context in the title at all. So if you pass through the GLAD title as-is, you'd get a mix of both patterns in the vulnerability report, which looks messy and inconsistent.

That actually makes a stronger case for normalizing to Malware in <package name>. The descriptive context ("account takeover," "exfiltrates .env files," "typosquat") is genuinely valuable, but it's not reliably present in the title field across advisories. It lives more consistently in the description/body of the advisory.

So I'd land here: use Malware in <package name> as the title for consistency, but make sure the descriptive context from the advisory body surfaces somewhere accessible without a click — whether that's in the Evidence section, a subtitle in list view, or the description preview. That way you're not losing the "what kind" context; you're just moving it to a place where it can be reliably populated rather than depending on inconsistent upstream title formatting.

cc @marissa.henri @mclausen35

@charlieeekroon If I want to see the security posture across all of my Mission Critical projects, I would add the Business impact || Mission critical filter and then be happy to see that 0 vulnerabilities are open! However, I think what you're also saying here is that it's possible that the user created a Mission critical business impact filter, but didn't apply it to any projects. Is that correct?

If so, is there anyway we can show how many projects are included in that filter; something like this?

cc @lorenzvanherwaarden @acummins9 @mfangman @mclausen35

• Design: Are the designs referenced in gitlab#551225 still up-to-date, or has anything changed?

@dpisek The only things that may change from the proposals is we are currently working through a redesign of the vuln detail page (thread here: https://gitlab.com/gitlab-org/gitlab/-/work_items/592824#note_3164370452) and a redesign of the Vulnerability Report layout, but I would expect both of those to be out of scope for this effort. Everything else should be captured in the designs and annotations in that linked issue.

Please let me know if you have any questions as you go! I was OOO for 2 weeks but I'm back and ready to help where needed!

An Evidence section may also be added here, where applicable. This design is missing something that should say:

Evidence

Malicious package <package name>

Sorry I was OOO most of last week. Thanks for merging!

@lorenzvanherwaarden Agree that the link suffices! Per this:

The CWE title would still link to the vulnerability report filtered on that CWE, but instead of the description, we could add a link "Learn more" to https://cwe.mitre.org/data/definitions/<CWE-ID>.html

WDYT about this? + @rlehmann1

Note the external-link icon.

@svedova I need help interpreting the responses here. Does that mean we can provide more transparency towards the UX goal of this issue? If I'm reading this correctly, we can still separate out "Not available" into 2 separate messages that I proposed in #592665 (comment 3147880804)? Where "Unknown" and "Not available" are interchangeable terms; we can ask our TW for his suggestion here.

Pasting the UX goal of this issue below:

Users should see clear, descriptive messages that explain the reachability status of vulnerabilities, helping them understand:

• Whether reachability data is available
• Why it might not be available
• What they can do about it

Agree the wording can be improved to make this more clear. I'll defer to our word guru, @rlehmann1, as DRI here!