-
Notifications
You must be signed in to change notification settings - Fork 642
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vulnerability messaging to package details page #8358
Conversation
7d3afb4
to
22e3b63
Compare
useAlso = true; | ||
} | ||
|
||
if (Model.IsPackageVulnerabilitiesEnabled && packageVersion.Vulnerabilities != null && packageVersion.Vulnerabilities.Any()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
packageVersion.Vulnerabilities != null && packageVersion.Vulnerabilities.Any() [](start = 85, length = 78)
This condition is repeated a couple of times. Can we move it to a shared location?
{ | ||
vulnerabilitiesTitle = useAlso ? "Also, " : ""; | ||
var severity = Enum.GetName(typeof(PackageVulnerabilitySeverity), packageVersion.MaxVulnerabilitySeverity).ToLowerInvariant(); | ||
vulnerabilitiesTitle += packageVersion.Version + " has at least one vulnerability with " + severity + " severity."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
packageVersion.Version + " has at least one vulnerability with " + severity + " severity."; [](start = 68, length = 91)
consider string.Format for readability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done--thanks. I wanted to do an interpolated string, but we're targeting a .NET version that doesn't support them in razor. string.Format is 👍 though.
@@ -753,15 +772,16 @@ | |||
</td> | |||
} | |||
} | |||
@if (Model.IsPackageDeprecationEnabled) | |||
|
|||
@if (Model.IsPackageDeprecationEnabled || Model.IsPackageVulnerabilitiesEnabled) | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's a bunch of logic here and it's not testable because it's in the cshtml. Consider moving it to the ViewModel so you can add UTs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've taken a simpler approach here and called the column "Package Warnings"--I don't think we need to customize a hidden column header based on feature flags.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, we have a code block here to obtain "iconTitle", and set up a warning icon with the associated title based on some checks. Maybe it's better that we add another property named "warningIconTitle" (and with another additional boolean property named "hasWarningIcon") in the view model, and when we create the view model in the factory, we can run these checks and set up this property. Then in the view, we can easily check this property to determine whether to show the icon and title for a specific version.
In this way, we can move the logic of this code block to the factory, and some tests can be added to cover these checks and messages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call--this is much more robust now.
ec2c439
to
d0c7212
Compare
d31453f
to
5be36a5
Compare
{ | ||
<th aria-hidden="true" abbr="Deprecation Information"></th> | ||
<th aria-hidden="true" abbr ="Package Warnings" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we still keep </th>
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made this consistent--thanks.
var expanderAttributes = ['data-toggle', 'data-target', 'aria-expanded', 'aria-controls', 'tabindex']; | ||
var vulnerabilitiesContainer = $('#show-vulnerabilities-content-container'); | ||
if ($('#vulnerabilities-content-container').children().length) { | ||
// If the deprecation information container has content, configure it as an expander. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "// If the vulnerabilities information container ..."
@@ -63,6 +63,50 @@ | |||
} | |||
} | |||
|
|||
.vulnerabilities-container { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it's better that we share styles with the deprecation container? We can have a "warning-container" to define these shared styles, and it will be easier to maintain if we need more warning containers in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zhhyu Looks like this change isn't practical--the js script that toggles chevron state uses the outer style name to identify the panel on which to rotate it when expanded. Messing with an outer style name has cascading effects. It could be feasible to change inner style names but this wouldn't achieve much as the names would then be duplicated in each outer style.
else | ||
{ | ||
viewModel.Vulnerabilities = new List<PackageVulnerability>(); | ||
viewModel.MaxVulnerabilitySeverity = PackageVulnerabilitySeverity.Low; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any considerations to have an empty list and a low "MaxVulnerabilitySeverity" if there are no vulnerabilities? I see that we check "Vulnerabilities.Any()" in the view. Maybe it's better that we just leave "Vulnerabilities" as null, and take a null check of "Vulnerabilities" when there are no vulnerabilities? Setting "MaxVulnerabilitySeverity" as low seems a little confusing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no consideration except that it defaults to low. Changing it now would be disruptive to the db and I'm not sure much would be gained. I have made the null change though.
@@ -5,22 +5,36 @@ $(function () { | |||
window.nuget.configureExpander("rename-content-container", "ChevronDown", null, "ChevronUp"); | |||
configureExpanderWithEnterKeydown($('#show-rename-content-container')); | |||
|
|||
// Configure the vulnerability information container |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: maybe it's better to put this comment below the next line as "expanderAttributes" is also used for the deprecation container.
if (truncatedUrl.Length > 50) | ||
{ | ||
truncatedUrl = truncatedUrl.Substring(0, 47) + "..."; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do we pick up the number 50 or 47? This may lead to the accessibility issue @ryuyu. How will a page reflow affect the appearance? Feel free to ignore this if we have already used the trick.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm removing this truncation. It will simply wrap if it needs to, and the table caters for that nicely now.
c5776ce
to
91f55fa
Compare
Note that I've also made calls to the deprecation and vulnerabilities services conditional on the respective feature flags (for perf and cleanness), so UTs needed updating to not verify calls against them that we no longer expect to happen. |
91f55fa
to
6975afc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6975afc
to
65b1ace
Compare
PackageDeprecation deprecation, | ||
PackageVulnerabilitySeverity? maxSeverity) | ||
{ | ||
// We want a tooltip title for the warning icon, which concatenates deprecation and vulnerability information cleanly |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: empty line
} | ||
|
||
viewModel.PackageWarningIconTitle = | ||
GetWarningIconTitle(viewModel.Version, deprecation, maxSeverity); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: maybe it's more clear as: maxSeverity -> maxVulnerabilitySeverity
} | ||
@if (string.IsNullOrEmpty(packageVersion.PackageWarningIconTitle)) | ||
{ | ||
<td class="package-icon-cell" aria-hidden="true" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we still keep </td>
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure of the advantage of empty tags over self-closing ones. I've changed this to an empty tag for consistency, but it just seems like a waste of chars to me. Self-closing tags are neater IMHO.
[InlineData(false, true, "{0} has at least one vulnerability with {1} severity.")] | ||
[InlineData(true, true, "{0} is deprecated because it's legacy and no longer maintained; {0} has at least one vulnerability with {1} severity.")] | ||
public async Task ShowsCombinedDeprecationAndVulnerabilitiesIconTitle( | ||
bool isDeprecationEnabled, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great test!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! :)
Completes: #7650
Here we change the view to include a vulnerabilities panel for an affected package version.
Non-owner view, not expanded:
Owner view, expanded:
Vulnerability only:
Vulnerability + deprecation: