Add pagination and sorting to image single table

[dvail]

Description

Adds server side sorting and pagination to the image single page table.

Follow ups

• Add appropriate sorting for all fields on the BE is complete and documented in the collab doc

Checklist

• Investigated and inspected CI test results
• Unit test and regression tests added
• Evaluated and added CHANGELOG entry if required
• Determined and documented upgrade steps
• Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

If any of these don't apply, please comment below.

Testing Performed

Visit an image single page and verify that a single page worth's of data has loaded. The default sorting of the table should be by Severity, descending.

Use the pagination forward/back buttons to verify that pages of data are changed correctly.

Update the number of items per page and verify that the number of items is changed correctly.

Test that sorting by CVE, Severity, and CVE Status work correctly.

Verify that the CVEs by severity and CVEs by status cards have a total count matching that displayed at the top of the table.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[dvail]

Current dependencies on/for this PR:

• master
  • PR Add pagination and sorting to image single table #5258 👈

This comment was auto-generated by Graphite.

[roxbot]

Images are ready for the commit at c65b3a8.

To use with deploy scripts, first export MAIN_IMAGE_TAG=3.74.x-415-gc65b3a8cd0.

[dvail]

This is from a proof-of-concept of client side pagination. Since we are not using client-side pagination, we can get this data directly from the query.

[pedrottimark]

Is it possible to replace || with ?? nullish coalescing operator (what a name)

[pedrottimark]

Can you share this at next team meeting?

Map and Set remove a security concern about overwriting Object properties.

[dvail]

Sure and I can share the useSet hook since it might be of use in other places in the app.

What's the security concern you are talking about in this context?

[pedrottimark]

Whether possible (see below) or implausible, huge number of reported vulnerabilities are about possible object prototype pollution. Map and Set remove it as even a theoretical risk.

ljharb/qs#428

} else if (cleanRoot !== '__proto__') {
    obj[cleanRoot] = leaf;
}

[pedrottimark]

Reader observations, not necessarily change request:

1. Make names more parallel severitiesCriticalToLow here and the following in hook?

   export const imageVulnerabilityCounterKeys = ['low', 'moderate', 'important', 'critical'] as const;

2. Is the LowToCritical order ever used? At least some occurrences work either way, correct?

   • imageVulnerabilityCounterKeys.forEach(…)
   • severitiesCriticalToLow.forEach(…)

[dvail]

The idea here was to create a local variable that enforced the order specific to this component. I had thought about just making the default order in the hook CriticalToLow, but didn't want to have reliance on an order that is pretty much arbitrary in all other use cases.

[pedrottimark]

Can you write a short comment (maybe above at vulnCounterToSeverity object) about the uses of the two severity keys?

Or, dare I ask, are the classic 'LOW_VULNERABILITY_SEVERITY' keys used in any query payloads or responses? At least in this immediate context, the keys seem to be under frontend control:

• vulnerabilitySeverityLabels
• SeverityIcons

[dvail]

There are definitely a handful of different representations of severity, both in this section and others. We're still deciding on how we want to standardize this data in this feature, at least as it pertains to mapping server responses to display values, etc.

Currently the API will return the LOW_VULNERABILITY_SEVERITY style keys in responses, and the BE team recommends using the long form in query payloads (even though not strictly necessary today).

I could alias the low/moderate/etc fields in the graphql resolver to this verbose key, which might simplify some UI code. Do you think semantically the two are equivalent?

[dvail]

Also, related, I found that we removed the UNKNOWN_VULNERABILITY_SEVERITY value from the front end type a while back. It looks like this is a valid response anywhere we could expect a severity from the BE though, and I've had a couple of cases of this in testing.

Do you see any reason to not add this back in? Possibly a discussion for the team meeting too.

[pedrottimark]

That sounds familiar. Was me the we?

Almost certainly add it back, with discussion to remove any confusion within the team.

Can you search how much duplication of severity constants, icon, labels, and so on?

I have mixed feelings about pro and con:

• Possibly move classic Vulnerability Management imports from global scope into container folder.
• Encapsulate new 2.0 in its container folder with possibly duplication in case differences become needed.

[dvail]

There was some light discussion in this PR regarding UNKNOWN but I didn't see anything beyond that. I think adding it back will result in very few compile errors, which we can solve by adding empty strings in the worst case.

As for duplications:

It looks like the cve.proto.ts type VulnerabilitySeverity is referenced 24 times, mostly by other types/utils, which are then imported primarily (if not entirely) in VulnMgmt 1.0, Vuln Reporting 1.0, and Risk Acceptance.

We also have messages/common.ts with a const severityRatings that is used in Policies. This value uses the severity shorthand version. vulnSeverityLabels in the same file maps the long version to the shorthand, which I wouldn't really think is a problem but might be a good canonical value->display mapper.

severityColors.js has many different versions that map some severity to a color, I think mixing vuln severity with policy severity. It also contains a comment at the top // @TODO: Have one source of truth for severity colors from 4 years ago 😄

The new Workload CVEs intermixes the short style with the long style.

There are some .js files that use values like MODERATE_VULNERABILITY_SEVERITY and Moderate to refer to CVEs, but I'm less worried about those since they aren't typed and will either fall off with time, or become typed if they hang around.

There are also gql queries that reference resolvers like low, moderate, etc. that semantically seem like the same thing. We could alias those easily client side if we wanted, but we don't right now.

My general feeling is that "CVE Severity" is a concept that is used in enough places that it might be useful to keep it in a global types area. I'd be in favor of getting everything aligned with the current VulnerabilitySeverity since it is a direct mapping to the typed representation on the backend and would result in the least amount of moving code short-term. (Although too bad the API contract doesn't declare it, and we have to optimistically assume a string will be one of these values.)

---

Side note: Is types/node.proto.ts dead code? None of the types seem to be imported elsewhere. Transitively it looks like types/vulnerability.proto.ts might be dead code as well.

[pedrottimark]

Is pluralize is relevant for vulnerabilities in these template literals?

[pedrottimark]

Another good-sized step forward. Some comments to consider.

[openshift-ci]

@dvail: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/gke-postgres-ui-e2e-tests	c65b3a8	link	false	/test gke-postgres-ui-e2e-tests
ci/prow/gke-ui-e2e-tests	c65b3a8	link	false	/test gke-ui-e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.