New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add pagination and sorting to image single table #5258
Conversation
Skipping CI for Draft Pull Request. |
Current dependencies on/for this PR: This comment was auto-generated by Graphite. |
Images are ready for the commit at c65b3a8. To use with deploy scripts, first |
770f3b1
to
c6a3968
Compare
|
||
function severityCountsFromImageVulnerabilities( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is from a proof-of-concept of client side pagination. Since we are not using client-side pagination, we can get this data directly from the query.
|
||
const [activeTabKey, setActiveTabKey] = useURLStringUnion('cveStatus', cveStatusTabValues); | ||
|
||
let mainContent: ReactNode | null = null; | ||
|
||
const vulnerabilityData = data || previousData; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to replace ||
with ??
nullish coalescing operator (what a name)
const hiddenSeverities = new Set<VulnerabilitySeverity>([]); | ||
const hiddenStatuses = new Set<FixableStatus>([]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you share this at next team meeting?
Map and Set remove a security concern about overwriting Object properties.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure and I can share the useSet
hook since it might be of use in other places in the app.
What's the security concern you are talking about in this context?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whether possible (see below) or implausible, huge number of reported vulnerabilities are about possible object prototype pollution. Map and Set remove it as even a theoretical risk.
} else if (cleanRoot !== '__proto__') {
obj[cleanRoot] = leaf;
}
critical: 'CRITICAL_VULNERABILITY_SEVERITY', | ||
} as const; | ||
|
||
const severitiesCriticalToLow = ['critical', 'important', 'moderate', 'low'] as const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reader observations, not necessarily change request:
-
Make names more parallel
severitiesCriticalToLow
here and the following in hook?export const imageVulnerabilityCounterKeys = ['low', 'moderate', 'important', 'critical'] as const;
-
Is the LowToCritical order ever used? At least some occurrences work either way, correct?
imageVulnerabilityCounterKeys.forEach(…)
severitiesCriticalToLow.forEach(…)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea here was to create a local variable that enforced the order specific to this component. I had thought about just making the default order in the hook CriticalToLow, but didn't want to have reliance on an order that is pretty much arbitrary in all other use cases.
const hasNoResults = count === 0; | ||
const isHidden = hiddenSeverities.has(severity); | ||
const hasNoResults = count.total === 0; | ||
const vulnSeverity = vulnCounterToSeverity[severity]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you write a short comment (maybe above at vulnCounterToSeverity
object) about the uses of the two severity keys?
Or, dare I ask, are the classic 'LOW_VULNERABILITY_SEVERITY'
keys used in any query payloads or responses? At least in this immediate context, the keys seem to be under frontend control:
vulnerabilitySeverityLabels
SeverityIcons
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are definitely a handful of different representations of severity, both in this section and others. We're still deciding on how we want to standardize this data in this feature, at least as it pertains to mapping server responses to display values, etc.
Currently the API will return the LOW_VULNERABILITY_SEVERITY
style keys in responses, and the BE team recommends using the long form in query payloads (even though not strictly necessary today).
I could alias the low/moderate/etc
fields in the graphql resolver to this verbose key, which might simplify some UI code. Do you think semantically the two are equivalent?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, related, I found that we removed the UNKNOWN_VULNERABILITY_SEVERITY
value from the front end type a while back. It looks like this is a valid response anywhere we could expect a severity from the BE though, and I've had a couple of cases of this in testing.
Do you see any reason to not add this back in? Possibly a discussion for the team meeting too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That sounds familiar. Was me the we?
Almost certainly add it back, with discussion to remove any confusion within the team.
Can you search how much duplication of severity constants, icon, labels, and so on?
I have mixed feelings about pro and con:
- Possibly move classic Vulnerability Management imports from global scope into container folder.
- Encapsulate new 2.0 in its container folder with possibly duplication in case differences become needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was some light discussion in this PR regarding UNKNOWN
but I didn't see anything beyond that. I think adding it back will result in very few compile errors, which we can solve by adding empty strings in the worst case.
As for duplications:
It looks like the cve.proto.ts
type VulnerabilitySeverity
is referenced 24 times, mostly by other types/utils, which are then imported primarily (if not entirely) in VulnMgmt 1.0, Vuln Reporting 1.0, and Risk Acceptance.
We also have messages/common.ts
with a const severityRatings
that is used in Policies. This value uses the severity shorthand version. vulnSeverityLabels
in the same file maps the long version to the shorthand, which I wouldn't really think is a problem but might be a good canonical value->display mapper.
severityColors.js
has many different versions that map some severity to a color, I think mixing vuln severity with policy severity. It also contains a comment at the top // @TODO: Have one source of truth for severity colors
from 4 years ago 😄
The new Workload CVEs intermixes the short style with the long style.
There are some .js files that use values like MODERATE_VULNERABILITY_SEVERITY
and Moderate
to refer to CVEs, but I'm less worried about those since they aren't typed and will either fall off with time, or become typed if they hang around.
There are also gql queries that reference resolvers like low
, moderate
, etc. that semantically seem like the same thing. We could alias those easily client side if we wanted, but we don't right now.
My general feeling is that "CVE Severity" is a concept that is used in enough places that it might be useful to keep it in a global types
area. I'd be in favor of getting everything aligned with the current VulnerabilitySeverity
since it is a direct mapping to the typed representation on the backend and would result in the least amount of moving code short-term. (Although too bad the API contract doesn't declare it, and we have to optimistically assume a string
will be one of these values.)
Side note: Is types/node.proto.ts
dead code? None of the types seem to be imported elsewhere. Transitively it looks like types/vulnerability.proto.ts
might be dead code as well.
imageVulnerabilityCounterKeys.forEach((key) => { | ||
count += counts[key].fixable; | ||
}); | ||
return `${count} vulnerabilities with available fixes`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is pluralize
is relevant for vulnerabilities in these template literals?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another good-sized step forward. Some comments to consider.
c6a3968
to
c65b3a8
Compare
@dvail: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Description
Adds server side sorting and pagination to the image single page table.
Follow ups
Checklist
If any of these don't apply, please comment below.
Testing Performed
Visit an image single page and verify that a single page worth's of data has loaded. The default sorting of the table should be by Severity, descending.
Use the pagination forward/back buttons to verify that pages of data are changed correctly.
Update the number of items per page and verify that the number of items is changed correctly.
Test that sorting by CVE, Severity, and CVE Status work correctly.
Verify that the CVEs by severity and CVEs by status cards have a total count matching that displayed at the top of the table.