Skip to content

feat: Batch CVE selection flow and add missing assignment in the controller#3813

Draft
maciaszczykm wants to merge 13 commits into
masterfrom
marcin/prod-4594-batch-cve-selection-flow
Draft

feat: Batch CVE selection flow and add missing assignment in the controller#3813
maciaszczykm wants to merge 13 commits into
masterfrom
marcin/prod-4594-batch-cve-selection-flow

Conversation

@maciaszczykm

Copy link
Copy Markdown
Member

Test Plan

Test environment: https://console.your-env.onplural.sh/

Checklist

  • I have added a meaningful title and summary to convey the impact of this PR to a user.
  • If required, I have updated the Plural documentation accordingly.
  • I have added tests to cover my changes.
  • I have deployed the agent to a test environment and verified that it works as expected (required only when changing agent code).

Plural Flow: console

@linear

linear Bot commented Jul 8, 2026

Copy link
Copy Markdown

PROD-4594

@soffi-ai

soffi-ai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Soffi AI Summary

This PR introduces a batch CVE selection and bulk-fix workflow in the vulnerability management UI, and extends the AI chatbot with the ability to mention/reference specific vulnerabilities as context for agent-driven fixes.

Batch CVE selection flow: The vulnerability report details table now supports multi-row selection via a new checkbox column, allowing users to select multiple CVEs at once. A new VulnFixModal component replaces the old AgentRunFixButton, presenting a modal dialog that collects the selected vulnerabilities and initiates a bulk fix via the AI agent. The underlying GraphQL fragments (VulnerabilityReportTinyFragment, VulnerabilityReportFragment) were extended to include service.id, service.cluster.id, and vulnerability.vulnId — identifiers needed to scope the fix request correctly across services and clusters.

Vulnerability @mentions in AI chat: A new vulnerabilityMention autocomplete source and VulnerabilityChipTooltipLabel component allow users to @mention specific CVEs directly in the AI chat input. This reuses the existing mention/chip infrastructure (EditableSkillChipTooltip, MentionResults, PlrlChipMdRenderers, mentionTypes) and adds a regex-based identifier fallback for resolving mention targets. A missing assignment was patched in the controller to ensure vulnerability data flows correctly.

Supporting cleanup: The old inline vulnerability-prompt.ejs template was removed (logic consolidated into the modal/agent flow), the table component received minor fixes, and the ClusterUpgradeAgentButton was lightly refactored.

Commits

Commit Summary
9fd2e10 Fixed the shared Table component to correctly handle a minor rendering issue affecting the new selection column.
a1d29ed Added a checkbox selection column to the vulnerability report details table, enabling multi-row CVE selection.
8886332 Updated routing path for the vulnerability report details view.
980be53 Refactored the vulnerability details and report table components in preparation for the bulk-fix modal.
33e8f15 Implemented bulk CVE selection state management in the vulnerability report details table.
8dd3b90 Extended GraphQL queries and fragments to include service ID, cluster ID, and vulnId fields required for the batch fix flow.
a84ffe7 Started adding @mention support for vulnerabilities in the AI chat input autocomplete.
d7d7228 Fixed a missing assignment in the vulnerability reports controller to ensure data is correctly propagated.
9615579 Completed the vulnerability @mention feature, wiring up the autocomplete source, chip renderer, and tooltip label.
a859cea Added a regex-based fallback for resolving mention identifiers when an exact match is not found.
ddd1f88 Refactored mention type definitions and consolidated the VulnFixModal, removing the now-redundant AgentRunFixButton and vulnerability-prompt template.
58cad96 Added tooltips to vulnerability mention chips to surface CVE details inline in the chat composer.
3197f18 Applied review suggestions: minor cleanup across the modal, mention components, and table columns.

Deploy in Soffi


Updated: 2026-07-08 13:50 UTC

@maciaszczykm

Copy link
Copy Markdown
Member Author

@greptileai

@greptile-apps

greptile-apps Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR introduces a batch CVE selection and fix flow in the vulnerability report details view. Users can now enter a bulk-select mode, pick multiple vulnerabilities via checkboxes, and launch a single workbench job that receives a structured prompt containing serialized vulnerability mention chips for all selected CVEs. It also wires up the Vulnerability chip kind end-to-end in the AI chatbot (mention type, tooltip, markdown renderer) and backfills the vulnId field from Trivy through the Go controller, GraphQL fragments, and generated TypeScript types.

  • Bulk selection bar: a floating action bar appears in bulk-select mode showing the selected count and a "Fix vulnerabilities" button; the AgentRunFixButton popup is replaced by a proper VulnFixModal backed by workbench jobs.
  • Vulnerability chip support: MentionKind.Vulnerability is added with full attribute schema, tooltip rendering, and markdown chip component so selected CVEs become rich chips in the workbench prompt.
  • ColActions bug fix: flowIdOrName is now read from useParams in the reports table's action column, correcting navigation links when viewing reports inside a flow.

Confidence Score: 5/5

Safe to merge — changes are additive UI features with no data mutations outside the existing workbench job creation path.

All new code paths are well-guarded (null checks, empty-state handling, modal overlay preventing concurrent fix submissions), GraphQL types are generated correctly, and the Go controller change is a straightforward field population. The only notable gap is the WorkbenchSelector being momentarily interactive while its data is loading, which is a cosmetic UX edge case.

VulnFixModal.tsx — WorkbenchSelector isDisabled logic during loading.

Important Files Changed

Filename Overview
assets/design-system/src/components/table/Table.tsx Adds useEffect to reset fixedGridTemplateColumns when column count changes, enabling correct grid recalculation when the bulk-select checkbox column is added/removed.
assets/src/components/ai/agent-runs/AgentRunFixButton.tsx Deleted; styled components inlined into their only remaining consumer (ClusterUpgradeAgentButton.tsx) and VulnFixModal.tsx.
assets/src/components/security/vulnerabilities/VulnFixModal.tsx New modal for fixing one or more CVEs via a workbench job; replaces inline AgentRunFixButton; flow-aware workbench selection works correctly. Minor: WorkbenchSelector isDisabled condition allows opening an empty list during loading.
assets/src/components/security/vulnerabilities/VulnReportDetails.tsx Adds bulk-select mode with row selection state, floating selection bar, and VulnFixModal integration; memoized column array drives Table.tsx grid reset on mode toggle.
assets/src/components/security/vulnerabilities/VulnReportDetailsTableCols.tsx Adds ColVulnSelect with header/cell checkboxes; stopPropagation prevents accidental row expansion on checkbox click.
assets/src/components/security/vulnerabilities/VulnReportsTableCols.tsx Bug fix: ColActions now reads flowIdOrName from useParams and passes it to getVulnerabilityReportDetailsPath, correcting navigation links when viewing reports inside a flow context.
assets/src/components/security/vulnerabilities/vulnerabilityMention.ts New module: builds structured vulnerability chip mentions (XML-escaped attributes via lodash escape) and constructs the LLM fix prompt for single or batch CVEs.
assets/src/components/ai/chatbot/input/autocomplete/mentionTypes.ts Adds Vulnerability to MentionKind enum with full attribute schema (severity, vuln-id, service-ids, cluster-ids, etc.) and chipDisplayText formatter.
assets/src/components/ai/chatbot/input/autocomplete/EditableSkillChipTooltip.tsx Extends tooltip logic to support both Skill and Vulnerability chip kinds; uses hintKey to avoid unnecessary re-renders.
assets/src/components/ai/chatbot/input/autocomplete/PlrlChipMdRenderers.tsx Adds PlrlVulnerabilityChip renderer with optional tooltip and external link wrapping.
assets/src/components/ai/chatbot/input/autocomplete/VulnerabilityChipTooltipLabel.tsx New shared component for rendering CVE tooltip content with clamped title and description.
assets/src/components/cd/clusters/ClusterUpgradeAgentButton.tsx Inlines AgentRunFormPopupSC and PromptInputBoxSC locally now that AgentRunFixButton.tsx is deleted; no behavioural change.
assets/src/graph/vulnerabilities.graphql Adds vulnId to Vulnerability fragment; adds service.id and service.cluster.id to VulnerabilityReportTiny for building workbench mention attributes.
go/deployment-operator/internal/controller/vulnerabilityreports_controller.go Populates VulnID from trivy's VulnerabilityID field when persisting vulnerability attributes.

Reviews (2): Last reviewed commit: "apply review suggestions" | Re-trigger Greptile

Comment thread assets/src/components/security/vulnerabilities/VulnFixModal.tsx Outdated
@maciaszczykm

Copy link
Copy Markdown
Member Author

@greptileai

@maciaszczykm maciaszczykm added the enhancement New feature or request label Jul 8, 2026
@maciaszczykm maciaszczykm changed the title feat: Batch CVE selection flow feat: Batch CVE selection flow and add missing assignment in the controller Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant