Make UI work #320

Closed
pombredanne opened this issue Jan 28, 2021 · 8 comments

Comments

@pombredanne (Collaborator)

I cannot seem to be able to find anything except exact CVE ids using the web UI.
In particular, I cannot find packages. In contrast, things work fine in the API.
I think we should either disable the UI entirely or make it work ASAP.

@sbs2001 (Collaborator) commented Jan 29, 2021

@pombredanne re

I cannot find packages

The package name lookup is exact; that's causing this issue. Do we need to be able to look up packages via their partial names? In any case, that would be a quick fix.

anything except exact CVE ids

Partial CVE id lookup works too.

E.g.:
[screenshot: Screenshot 2021-01-29 10:04:08]

Or:
[image]

Could you elaborate on the issue with CVE lookup?

@pombredanne (Collaborator, Author)

OK, so I was doing some imports and maybe they were not finished.
I found the UI, where I cannot enter values for each Package URL field, not intuitive.
And the packages were found alright after all... BUT they are not visible until you scroll down, because there is a big empty vertical space and I did not see any results upfront.
We need to work to make this more intuitive and simple.
IMHO only one search field is needed for now, and no wasted space.
Something like this, maybe:
[screenshot: Screenshot from 2021-01-29 10-33-23-v2]

@pombredanne (Collaborator, Author)

Could you elaborate the issue with CVE lookup ?

That works correctly, that's a mistake of mine.

@pombredanne (Collaborator, Author)

I think we need to design this more. I do not like the 0 and 1 counts in the list ... rather than counts we should have links and real values displayed. Also there is a problem where in this case:

  1. the versions are not sorted
  2. pkg:pypi/lxml@4.2.1 is vulnerable to CVE-2020-27783 alright BUT it is patched by pkg:pypi/lxml@4.6.2 and this does still show up as a count of 0

[screenshot: Screenshot from 2021-01-29 11-00-54]

Then:
[screenshot: Screenshot from 2021-01-29 11-01-16]

Then pkg:pypi/lxml@4.6.2 shows up at the bottom:

[screenshot: Screenshot from 2021-01-29 11-01-41]

@sbs2001 (Collaborator) commented Jan 30, 2021

@pombredanne re:

the versions are not sorted

That's a can of worms; we don't have a version range comparator. Add to that, there are multi-ecosystem packages. We could have sorted groups of packages. Each group would consist of packages of the same ecosystem, and be sorted according to version.

@sbs2001 (Collaborator) commented Jan 30, 2021

@pombredanne re

pkg:pypi/lxml@4.2.1 is vulnerable to CVE-2020-27783 alright BUT it is patched by pkg:pypi/lxml@4.6.2 and this does still show up as a count of 0

The Patched Vulnerabilities count is the count of the vulnerabilities against which the package is patched. pkg:pypi/lxml@4.2.1 is NOT patched against CVE-2020-27783, hence it is showing a count of 0.

On the other hand, if you look at the entry for pkg:pypi/lxml@4.6.2, it would have patched vulnerabilities = 1.

Is this confusing?
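As an added example (not code from this issue or from the VulnerableCode project), the two points debated above put together: packages grouped by ecosystem and sorted by version within each group, as sbs2001 sketches, with each row listing the vulnerability ids a package is affected by and the ones it fixes, instead of only the 0/1 counts. The Package URL shape `pkg:<type>/[<namespace>/]<name>@<version>` is the one used in the thread; the package records are constructed (only the lxml / CVE-2020-27783 facts come from the issue, the other entries and the `EXAMPLE-0001` id are hypothetical), and the version comparator is a deliberate simplification (dotted numeric components with an optional pre-release suffix) standing in for the per-ecosystem comparators a real implementation needs.

```python
"""Group packages by ecosystem, sort each group by version, and show the
vulnerabilities each package is affected by or fixes.

Added example for this thread; it is not VulnerableCode's own code.
The package records are constructed: only the lxml / CVE-2020-27783
facts come from the issue, the other entries and the EXAMPLE-0001 id
are hypothetical. The version comparator is a deliberate simplification
(dotted numeric components with an optional pre-release suffix): real
ecosystems need their own rules (PEP 440 for pypi, semver for npm, ...),
which is the "can of worms" the thread mentions.
"""
import re
from collections import defaultdict

# Constructed sample data keyed by Package URL.
PACKAGES = {
    "pkg:pypi/lxml@4.6.2": {"affected_by": [], "fixing": ["CVE-2020-27783"]},
    "pkg:pypi/lxml@4.2.1": {"affected_by": ["CVE-2020-27783"], "fixing": []},
    "pkg:pypi/lxml@4.10": {"affected_by": [], "fixing": []},  # hypothetical
    "pkg:pypi/lxml@4.6.2rc1": {"affected_by": ["CVE-2020-27783"], "fixing": []},  # hypothetical
    "pkg:npm/lodash@4.17.20": {"affected_by": ["EXAMPLE-0001"], "fixing": []},  # hypothetical
    "pkg:npm/lodash@4.17.21": {"affected_by": [], "fixing": ["EXAMPLE-0001"]},  # hypothetical
}

_PURL = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)


def parse_purl(purl):
    """Split pkg:<type>/[<namespace>/]<name>@<version> into its fields."""
    match = _PURL.match(purl)
    if not match:
        raise ValueError(f"not a versioned Package URL: {purl!r}")
    return match.groupdict()


def version_key(version):
    """Sort key for dotted versions: numbers compare numerically, so 4.10
    sorts after 4.6.2 (a plain string sort would put it first), and a
    suffixed component ("2rc1") sorts before the bare release ("2")."""
    key = []
    for part in version.split("."):
        digits, suffix = re.match(r"^(\d*)(.*)$", part).groups()
        number = int(digits) if digits else -1
        key.append((number, suffix == "", suffix))
    return tuple(key)


def summarize(packages):
    """Return {ecosystem: [row, ...]} with rows sorted by version.

    Each row lists the vulnerability ids themselves, not just the 0/1
    counts the old UI showed; the counts are kept for comparison."""
    groups = defaultdict(list)
    for purl, data in packages.items():
        fields = parse_purl(purl)
        groups[fields["type"]].append({
            "purl": purl,
            "version": fields["version"],
            "affected_by": sorted(data["affected_by"]),
            "fixing": sorted(data["fixing"]),
            "vulnerable_count": len(data["affected_by"]),
            "patched_count": len(data["fixing"]),
        })
    for rows in groups.values():
        rows.sort(key=lambda row: version_key(row["version"]))
    return dict(groups)


def fixed_in(packages, vulnerability_id):
    """Purls that fix a vulnerability, version-sorted: the "real value"
    a UI can link to instead of showing a patched count of 0 or 1."""
    purls = [p for p, d in packages.items() if vulnerability_id in d["fixing"]]
    return sorted(purls, key=lambda p: version_key(parse_purl(p)["version"]))


if __name__ == "__main__":
    for ecosystem, rows in summarize(PACKAGES).items():
        print(ecosystem)
        for row in rows:
            print(f"  {row['purl']:<26} affected_by={row['affected_by']} fixing={row['fixing']}")
    print("CVE-2020-27783 fixed in:", fixed_in(PACKAGES, "CVE-2020-27783"))
```

Run stand-alone it prints the pypi group in the order 4.2.1, 4.6.2rc1, 4.6.2, 4.10 (where a string sort would have listed 4.10 first), with lxml@4.2.1 showing `affected_by=['CVE-2020-27783']` and lxml@4.6.2 showing `fixing=['CVE-2020-27783']`, which is the distinction behind the 0 and 1 counts discussed above.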

@sbs2001 (Collaborator) commented Jan 31, 2021

@pombredanne re package search

I was thinking of a better design for it. I think having a single search bar, where the package name could be entered, and having checkbox filters to filter by type and namespace will do the trick.

The django admin view for the package search at #330 looks pretty close to what I am suggesting
[image]

@sbs2001 sbs2001 mentioned this issue Feb 5, 2021
@sbs2001 (Collaborator) commented Mar 11, 2021

The mentioned things are fixed for now. #344 tracks the rest of the issues with the UI, hence closing this.

@sbs2001 sbs2001 closed this as completed Mar 11, 2021