FEAT: Enhanced HTML view #25
Conversation
- Added packageManager tags - All sections can now be filtered - improved de-duplicated view of paths using graphviz See ticket SC-6251
kevinwright
force-pushed
the
feature/report-summary-and-filtering
branch
from
f00ce20 to
507ed5a
Compare
kevinwright
force-pushed
the
feature/report-summary-and-filtering
branch
from
507ed5a to
9758511
Compare
kevinwright
force-pushed
the
feature/report-summary-and-filtering
branch
from
6b222bd to
1789bdd
Compare
There was a problem hiding this comment.
Loads of inline questions, as I don't have a huge amount of context!
Also: the graph is interesting, but is quite a deviation from what was there before (and this is in use already at customers). Perhaps it should be opt-in, or there should be a toggle for graph or text-list visualisation of the vulnerable paths. This is particularly important for PDFs generated from the output as the graph doesn't wrap.
| @@ -0,0 +1,78 @@ | |||
|
|
|||
| // originally forked from https://github.com/reykjavikingur/node-handlebars-directory | |||
| // under the terms of the ISC licence: | |||
There was a problem hiding this comment.
was something changed in the copied code? Perhaps better to fork to the snyk organisation and make the change there (and contribute it back?)
There was a problem hiding this comment.
This is because it failed under node 4. I raised a ticket, but the author refused to consider Node 4 support as valuable
There was a problem hiding this comment.
Were their actual changes needed? If we're going to use this library I think its better to fork the repo (npm can pull in a dep directly from a github form)
| import {loadSource} from './loader'; | ||
|
|
||
| import Viz = require('viz.js'); | ||
| import { Module, render } from 'viz.js/full.render.js'; |
There was a problem hiding this comment.
inconsistent brace spacing (linting should've picked it up - perhaps the rules on the repo are out of date)
| @@ -0,0 +1,55 @@ | |||
| import Handlebars = require('handlebars'); | |||
| import {HandlebarsDirectory} from './handlebars-directory'; | |||
There was a problem hiding this comment.
what's the reason for introducing this (copied-and-pasted) dependency over the previous implementation?
There was a problem hiding this comment.
See above, see also build failures in travis
| {{> checkbox id="proof-of-concept" label="Proof of Concept"}} | ||
| {{> checkbox id="remediation" label="Remediation"}} | ||
| {{> checkbox id="disclosure-timeline" label="Disclosure Timeline"}} | ||
| {{> checkbox id="references" label="References"}} |
There was a problem hiding this comment.
Is this an exhaustive list of possible sections?
Similarly is the data subject to change? Should it be dynamic? (perhaps not sensibly possible with the data we to hand)
There was a problem hiding this comment.
Very possible, and definitely something I considered. Main issue is that it would almost certainly need to be client side and generated out of the DOM - given how much of this comes out of markdown. Non-trivial enough that I had to consider time constraints
| @@ -47,6 +54,21 @@ | |||
|
|
|||
| <div class="layout-stacked__content"> | |||
| <div class="layout-container--short" style="padding-top: 35px;"> | |||
| <div class="filter-box"> | |||
| <b>filter</b> | |||
| <hr/> | ||
| {{> checkbox id="severity--high" label="High Severity"}} | ||
| {{> checkbox id="severity--medium" label="Medium Severity"}} | ||
| {{> checkbox id="severity--low" label="Low Severity"}} |
There was a problem hiding this comment.
I believe "critical" and "info" severities are being introduced, similar to the previous comment – perhaps this should this be dynamic?
There was a problem hiding this comment.
Ultimately we'd want priorities to be listed (and ordered) in the underlying JSON, or they still need to be hardcoded SOMEWHERE. I already raised that for discussion elsewhere
| {{/each}} | ||
| </ul><!-- .list-paths --> | ||
|
|
||
| </div><!-- .card__section --> |
There was a problem hiding this comment.
Why have we removed all of this remediation advice?
| @@ -47,6 +54,21 @@ | |||
|
|
|||
| <div class="layout-stacked__content"> | |||
| <div class="layout-container--short" style="padding-top: 35px;"> | |||
| <div class="filter-box"> | |||
| <b>filter</b> | |||
| <hr/> | |||
There was a problem hiding this comment.
Hmm, also - this top list isn't really a list of filters, but rather a list of sections to display. Perhaps they should be labelled independently to the severity filters below.
There was a problem hiding this comment.
The original thinking was filtering of the output as a whole, not precious about terminology though. I'm open to alternativr terms
| @@ -47,6 +54,21 @@ | |||
|
|
|||
| <div class="layout-stacked__content"> | |||
| <div class="layout-container--short" style="padding-top: 35px;"> | |||
| <div class="filter-box"> | |||
There was a problem hiding this comment.
This should probably be excluded from printed output, I believe snyk-to-html is used to generate PDFs a fair amount
There was a problem hiding this comment.
Interesting... differing output for print is a new req though, and would demand a new param. Mixed feelings about doing that in the same PR
There was a problem hiding this comment.
After getting more info on the requirements these are issues we are trying to address:
- Users would like to see less info in this report
- It would be nice to filter license vs vuln
How users use this currently:
- users are likely generating this as PDF
- users are also using this in their build/test pipeline to generate test artefacts
Based on this we should make changes as following:
Filters:
- in order to not break users pdfs remove or exclude from print the Filters
- add ability to filter license vs issue
Smaller summary
- keep the current standard vuln card view, please either remove the graph or make it a toggle. Again this should not amend the PDF output to what users expect today
- Remediations are per path so we can't just show 1, each remediation should be shown under the path:
- Tags - the package manager tags are great but please use the current style and add them on on the left of the card like so:
| id: vuln.id, | ||
| title: vuln.title, | ||
| name: vuln.name, | ||
| info: vuln.info || 'No information available.', | ||
| severity: vuln.severity, | ||
| severityValue: severityMap[vuln.severity], | ||
| description: vuln.description || 'No description available.', | ||
| isLicense: (vuln.type === 'license'), |
There was a problem hiding this comment.
why do we have isLicense? type is already either license or vulnerability
| .then(svg => { | ||
| r.metadata.graph = svg; | ||
| }); | ||
| // r.metadata.graph = mkGraph(r.list); |
There was a problem hiding this comment.
please remove is this is unused
| @@ -275,6 +299,79 @@ | |||
| padding: 0.5em; | |||
| } | |||
|
|
|||
| .filter-box { | |||
There was a problem hiding this comment.
Assume these is just copy pasted from snyk-ui? maybe let's reference where it came from with a comment so it is easier to just override in the future
|
Closing as stale |
See ticket SC-6251