Skip to content

ROX-32647: Add base image assessment card to Image Details page#18483

Merged
pedrottimark merged 23 commits intomasterfrom
ROX-32647-base-image-assessment-card
Jan 28, 2026
Merged

ROX-32647: Add base image assessment card to Image Details page#18483
pedrottimark merged 23 commits intomasterfrom
ROX-32647-base-image-assessment-card

Conversation

@sachaudh
Copy link
Contributor

@sachaudh sachaudh commented Jan 14, 2026
edited
Loading

Description

Adds an expandable "Base image assessment" card to the Vulnerabilities tab on the Image Details page. The card displays:

  • Image name: Link to the base image detail page
  • Image digest: With copy-to-clipboard functionality
  • Image age: Time since image creation (when available)

Supports multiple base images with dividers between entries. Card starts collapsed to reduce visual noise.

Gated behind ROX_BASE_IMAGE_DETECTION feature flag.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • new code has no unit tests yet (feature-flagged, tests can be added later)

How I validated my change

  • Verified TypeScript compiles and ESLint passes
  • Manually tested the component with mock data

Screenshots

Card collapsed

Screenshot 2026-01-13 at 6 05 09 PM

Card expanded (single base image)

Screenshot 2026-01-13 at 6 06 15 PM

Card expanded (multiple base images)

Screenshot 2026-01-13 at 6 06 02 PM

@openshift-ci
Copy link

openshift-ci bot commented Jan 14, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot
Copy link
Contributor

rhacs-bot commented Jan 14, 2026

Images are ready for the commit at 011e769.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-705-g011e769122.

@rhacs-bot
Copy link
Contributor

rhacs-bot commented Jan 14, 2026
edited
Loading

Images are ready for the commit at f96cd86.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.10.x-898-gf96cd86e82.

@sachaudh
Copy link
Contributor Author

sachaudh commented Jan 14, 2026
edited
Loading

When fetching baseImageInfo, how should errors be surfaced? Currently, the UI silently falls back to an empty array (imageData?.baseImageInfo ?? []), so users won't know whether the issue is fetching base image data or the image simply has no base image info.

Should we:

  1. Rely on the parent query's error state?
  2. Expect a separate error field from the API?
  3. Accept that empty = "no data or error" is fine for this use case?

Tagging this for discussion once #18381 lands.

@sachaudh sachaudh marked this pull request as ready for review January 14, 2026 02:22
@sachaudh sachaudh requested a review from a team as a code owner January 14, 2026 02:22
@codecov
Copy link

codecov bot commented Jan 14, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 86.53846% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.38%. Comparing base (6b5d61d) to head (f96cd86).
⚠️ Report is 62 commits behind head on master.

Files with missing lines Patch % Lines
central/graphql/resolvers/images_v2.go 20.00% 4 Missing ⚠️
central/graphql/resolvers/images.go 92.68% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #18483      +/-   ##
==========================================
+ Coverage   49.23%   49.38%   +0.15%     
==========================================
  Files        2658     2659       +1     
  Lines      199650   200358     +708     
==========================================
+ Hits        98289    98941     +652     
- Misses      93938    93977      +39     
- Partials     7423     7440      +17
Flag Coverage Δ
go-unit-tests 49.38% <86.53%> (+0.15%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sachaudh
Copy link
Contributor Author

sachaudh commented Jan 14, 2026
edited
Loading

Another topic of discussion:

Is the expandable card approach the best way to display this data? When the list of base images grows (which it might?), the page gets very tall when the card is expanded. This pushes the vuln data down, requiring more scrolling. The page is already quite data-dense.

I was thinking a modal approach might be helpful for a case like this. It wouldn't affect the page layout, keeps vuln data visible, and better when we have more base images. The downside would be more clicking, and it could be overkill if we only have around 1-3 base images.

I'm not suggesting we do anything different at this stage, but I think this might be something to come back to and discuss a bit more to get it right.

cc: @mansursyed

@sachaudh
Copy link
Contributor Author

sachaudh commented Jan 14, 2026

@c-du @daynewlee @jvdm Added you all for awareness (no need to review). The question about errors might be something worth thinking about @c-du

@sachaudh
Copy link
Contributor Author

sachaudh commented Jan 14, 2026
edited
Loading

Added a couple more changes:

  • Enabled inBaseImageLayer field in the GraphQL fragment - the layer type column will now show accurate data
  • Removed the mock data from getBaseImages() and wired it to the real API

These were TODOs that were waiting on backend work, which is now available since we're branched off base-image-graphql.

@c-du c-du force-pushed the base-image-graphql branch from 4f72871 to 69b6bc0 Compare January 14, 2026 20:33
dvail
dvail approved these changes Jan 16, 2026
View reviewed changes
Copy link
Contributor

@dvail dvail left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from a code perspective.

Regarding the error handling, I think in this case 'Accept that empty = "no data or error" is fine for this use case?' is reasonable. If the parent request errors, it looks like the entire page results in an error state anyway. If there are situations where an error in base image detection occurs in the backend, but the graphql query completes successfully with a [] result, then I think a separate field for error detection makes sense.

Very much agree on the placement of the Card and vertical space concerns as well. I haven't tested, but I wouldn't be surprised if all vuln content was below the fold for laptop screens.

What about adding this information in a tab alongside "Vulnerabilities", "Resources", "Signature verification"? Possibly with a status badge for the number of detected base images. Is this information so important that it needs to be shown on the main tab, above the vulnerability info?

@sachaudh sachaudh force-pushed the ROX-32647-base-image-assessment-card branch from 1922ff8 to 9feed9e Compare January 20, 2026 01:01
@sachaudh sachaudh changed the base branch from base-image-graphql to cong/graphql-info January 20, 2026 01:01
c-du and others added 10 commits January 20, 2026 14:11
@c-du
Merge branch 'master' into cong/graphql-info
cfbcfd1
@c-du
fix
6eb5a44
@sachaudh
ROX-32647: Add base image assessment card to Image Details page
371803e 
Add an expandable card to the Vulnerabilities tab on the Image Details
page that displays detected base image information. The card shows:
- Base image name with link to base image detail page
- Truncated digest with copy button

The card is gated behind the ROX_BASE_IMAGE_DETECTION feature flag and
only renders when baseImageInfo has entries.

Age field is stubbed out pending backend addition of baseImageCreated
field to the BaseImageInfo GraphQL type.

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
ROX-32647: Improve base image assessment card styling and support mul…
27881fb 
…tiple images

- Move card to its own section with gray background for visual separation
- Support displaying multiple base images with dividers between them
- Show full digest instead of truncated version (consistent with SHA display)
- Update field labels to 'Image name', 'Image digest', 'Image age'
- Add baseImageCreated field support (commented out in GraphQL until backend ready)
- Fix horizontal alignment to match content below

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
ROX-32647: Simplify BaseImageAssessmentCard component
4446c36 
- Remove redundant empty array check (parent handles this)
- Default to collapsed state for less visual noise
- Remove unnecessary Flex wrapper around image link
- Use Fragment instead of StackItem for cleaner structure

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
ROX-32647: Enable inBaseImageLayer field and remove mock data
d054bf0 
- Add inBaseImageLayer to GraphQL fragment for accurate layer type display
- Replace hardcoded mock data in getBaseImages() with actual API call

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
test(ui): addressing comments
d6fbffe 
Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
fix(base-images): correctly unwrap nested response in addBaseImage
49ea8d6 
The backend returns CreateBaseImageReferenceResponse with baseImageReference
nested inside, but the service was typed to expect BaseImageReference directly.
This fixes the type annotation and response unwrapping to match the actual API
response shape.

Resolves: ROX-32571

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
ROX-32647: Update base image assessment to use new GraphQL resolver
33bd838 
The backend now exposes a consolidated `baseImage` resolver instead of
the raw `baseImageInfo` proto field. This change aligns the UI with the
new GraphQL schema which returns a single BaseImage object with an array
of names rather than an array of BaseImageInfo objects.

- Update GraphQL fragments to use `baseImage { imageSha, names, created }`
- Simplify BaseImageAssessmentCard to work with single object
- Use imageSha (digest) as the image ID for detail links

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh
ROX-32647: Use LabelGroup for base image names
50be840 
Display image names as compact labels in a LabelGroup with overflow
handling. Shows 3 labels by default with expandable overflow for
additional names.

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>
@sachaudh sachaudh force-pushed the ROX-32647-base-image-assessment-card branch from e800310 to 50be840 Compare January 21, 2026 18:55
Base automatically changed from cong/graphql-info to master January 27, 2026 21:20
@pedrottimark pedrottimark merged commit 7308213 into master Jan 28, 2026
94 checks passed
@pedrottimark pedrottimark deleted the ROX-32647-base-image-assessment-card branch January 28, 2026 00:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dvail dvail dvail approved these changes

@mansursyed mansursyed Awaiting requested review from mansursyed

@c-du c-du Awaiting requested review from c-du

@daynewlee daynewlee Awaiting requested review from daynewlee

@jvdm jvdm Awaiting requested review from jvdm

Assignees

No one assigned

Labels

ai-assisted area/central area/ui epic/base-image-detection

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sachaudh @rhacs-bot @dvail @pedrottimark @c-du