Add vulnerability messaging to package details page #8358
Conversation
drewgillies
requested review from
agr,
cristinamanum,
dannyjdev,
joelverhagen,
loic-sharma,
lyndaidaii,
ryuyu,
shishirx34,
skofman1,
xavierdecoster and
zhhyu
as code owners
drewgillies
changed the title
drewgillies
force-pushed
the
dg-vulnerabilitymessaging
branch
2 times, most recently
from
7d3afb4
to
22e3b63
Compare
| useAlso = true; | ||
| } | ||
|
|
||
| if (Model.IsPackageVulnerabilitiesEnabled && packageVersion.Vulnerabilities != null && packageVersion.Vulnerabilities.Any()) |
There was a problem hiding this comment.
packageVersion.Vulnerabilities != null && packageVersion.Vulnerabilities.Any() [](start = 85, length = 78)
This condition is repeated a couple of times. Can we move it to a shared location?
| { | ||
| vulnerabilitiesTitle = useAlso ? "Also, " : ""; | ||
| var severity = Enum.GetName(typeof(PackageVulnerabilitySeverity), packageVersion.MaxVulnerabilitySeverity).ToLowerInvariant(); | ||
| vulnerabilitiesTitle += packageVersion.Version + " has at least one vulnerability with " + severity + " severity."; |
There was a problem hiding this comment.
packageVersion.Version + " has at least one vulnerability with " + severity + " severity."; [](start = 68, length = 91)
consider string.Format for readability.
There was a problem hiding this comment.
Done--thanks. I wanted to do an interpolated string, but we're targeting a .NET version that doesn't support them in razor. string.Format is 👍 though.
| @@ -753,15 +772,16 @@ | |||
| </td> | |||
| } | |||
| } | |||
| @if (Model.IsPackageDeprecationEnabled) | |||
|
|
|||
| @if (Model.IsPackageDeprecationEnabled || Model.IsPackageVulnerabilitiesEnabled) | |||
| { | |||
There was a problem hiding this comment.
There's a bunch of logic here and it's not testable because it's in the cshtml. Consider moving it to the ViewModel so you can add UTs
There was a problem hiding this comment.
I've taken a simpler approach here and called the column "Package Warnings"--I don't think we need to customize a hidden column header based on feature flags.
There was a problem hiding this comment.
If I understand correctly, we have a code block here to obtain "iconTitle", and set up a warning icon with the associated title based on some checks. Maybe it's better that we add another property named "warningIconTitle" (and with another additional boolean property named "hasWarningIcon") in the view model, and when we create the view model in the factory, we can run these checks and set up this property. Then in the view, we can easily check this property to determine whether to show the icon and title for a specific version.
In this way, we can move the logic of this code block to the factory, and some tests can be added to cover these checks and messages.
There was a problem hiding this comment.
Good call--this is much more robust now.
drewgillies
force-pushed
the
dg-vulnerabilityservice-and-featureflags
branch
from
ec2c439
to
d0c7212
Compare
drewgillies
force-pushed
the
dg-vulnerabilitymessaging
branch
9 times, most recently
from
d31453f
to
5be36a5
Compare
| { | ||
| <th aria-hidden="true" abbr="Deprecation Information"></th> | ||
| <th aria-hidden="true" abbr ="Package Warnings" /> |
There was a problem hiding this comment.
Should we still keep </th> here?
There was a problem hiding this comment.
I've made this consistent--thanks.
| var expanderAttributes = ['data-toggle', 'data-target', 'aria-expanded', 'aria-controls', 'tabindex']; | ||
| var vulnerabilitiesContainer = $('#show-vulnerabilities-content-container'); | ||
| if ($('#vulnerabilities-content-container').children().length) { | ||
| // If the deprecation information container has content, configure it as an expander. |
There was a problem hiding this comment.
nit: "// If the vulnerabilities information container ..."
| @@ -63,6 +63,50 @@ | |||
| } | |||
| } | |||
|
|
|||
| .vulnerabilities-container { | |||
There was a problem hiding this comment.
Maybe it's better that we share styles with the deprecation container? We can have a "warning-container" to define these shared styles, and it will be easier to maintain if we need more warning containers in the future.
There was a problem hiding this comment.
@zhhyu Looks like this change isn't practical--the js script that toggles chevron state uses the outer style name to identify the panel on which to rotate it when expanded. Messing with an outer style name has cascading effects. It could be feasible to change inner style names but this wouldn't achieve much as the names would then be duplicated in each outer style.
| else | ||
| { | ||
| viewModel.Vulnerabilities = new List<PackageVulnerability>(); | ||
| viewModel.MaxVulnerabilitySeverity = PackageVulnerabilitySeverity.Low; |
There was a problem hiding this comment.
Are there any considerations to have an empty list and a low "MaxVulnerabilitySeverity" if there are no vulnerabilities? I see that we check "Vulnerabilities.Any()" in the view. Maybe it's better that we just leave "Vulnerabilities" as null, and take a null check of "Vulnerabilities" when there are no vulnerabilities? Setting "MaxVulnerabilitySeverity" as low seems a little confusing.
There was a problem hiding this comment.
There's no consideration except that it defaults to low. Changing it now would be disruptive to the db and I'm not sure much would be gained. I have made the null change though.
| @@ -5,22 +5,36 @@ $(function () { | |||
| window.nuget.configureExpander("rename-content-container", "ChevronDown", null, "ChevronUp"); | |||
| configureExpanderWithEnterKeydown($('#show-rename-content-container')); | |||
|
|
|||
| // Configure the vulnerability information container | |||
There was a problem hiding this comment.
nit: maybe it's better to put this comment below the next line as "expanderAttributes" is also used for the deprecation container.
| if (truncatedUrl.Length > 50) | ||
| { | ||
| truncatedUrl = truncatedUrl.Substring(0, 47) + "..."; | ||
| } |
There was a problem hiding this comment.
How do we pick up the number 50 or 47? This may lead to the accessibility issue @ryuyu. How will a page reflow affect the appearance? Feel free to ignore this if we have already used the trick.
There was a problem hiding this comment.
I'm removing this truncation. It will simply wrap if it needs to, and the table caters for that nicely now.
drewgillies
force-pushed
the
dg-vulnerabilitymessaging
branch
3 times, most recently
from
c5776ce
to
91f55fa
Compare
|
Note that I've also made calls to the deprecation and vulnerabilities services conditional on the respective feature flags (for perf and cleanness), so UTs needed updating to not verify calls against them that we no longer expect to happen. |
drewgillies
force-pushed
the
dg-vulnerabilitymessaging
branch
from
91f55fa
to
6975afc
Compare
drewgillies
force-pushed
the
dg-vulnerabilitymessaging
branch
from
6975afc
to
65b1ace
Compare
| PackageDeprecation deprecation, | ||
| PackageVulnerabilitySeverity? maxSeverity) | ||
| { | ||
| // We want a tooltip title for the warning icon, which concatenates deprecation and vulnerability information cleanly |
| } | ||
|
|
||
| viewModel.PackageWarningIconTitle = | ||
| GetWarningIconTitle(viewModel.Version, deprecation, maxSeverity); |
There was a problem hiding this comment.
nit: maybe it's more clear as: maxSeverity -> maxVulnerabilitySeverity
| } | ||
| @if (string.IsNullOrEmpty(packageVersion.PackageWarningIconTitle)) | ||
| { | ||
| <td class="package-icon-cell" aria-hidden="true" /> |
There was a problem hiding this comment.
Should we still keep </td> here?
There was a problem hiding this comment.
I'm not sure of the advantage of empty tags over self-closing ones. I've changed this to an empty tag for consistency, but it just seems like a waste of chars to me. Self-closing tags are neater IMHO.
| [InlineData(false, true, "{0} has at least one vulnerability with {1} severity.")] | ||
| [InlineData(true, true, "{0} is deprecated because it's legacy and no longer maintained; {0} has at least one vulnerability with {1} severity.")] | ||
| public async Task ShowsCombinedDeprecationAndVulnerabilitiesIconTitle( | ||
| bool isDeprecationEnabled, |
Completes: #7650
Here we change the view to include a vulnerabilities panel for an affected package version.
Non-owner view, not expanded:
Owner view, expanded:
Vulnerability only:
Vulnerability + deprecation:
