-
-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Front-End for GitHub PR Generation #1134
base: file-github-pr-resolver
Are you sure you want to change the base?
Changes from 3 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
mutation CreateGitHubPullRequestForVuln( | ||
$project_id: uuid!, | ||
$vulnerability_id: uuid!, | ||
$old_package_slug: String!, | ||
$new_package_slug: String!, | ||
$package_manifest_path: String! | ||
) { | ||
createPullRequestForVulnerability( | ||
project_id: $project_id, | ||
vulnerability_id: $vulnerability_id, | ||
old_package_slug: $old_package_slug, | ||
new_package_slug: $new_package_slug, | ||
package_manifest_path: $package_manifest_path | ||
) { | ||
success | ||
pullRequestUrl | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,10 +16,11 @@ import React, { useState } from 'react'; | |
import { Card, Dropdown, FloatingLabel, Form, FormControl, Spinner } from 'react-bootstrap'; | ||
import { BsThreeDotsVertical } from 'react-icons/bs'; | ||
import { useParams } from 'react-router-dom'; | ||
import semver from 'semver'; | ||
|
||
import api from '../../../../../../api'; | ||
import { ConfirmationDailog } from '../../../../../../components/ConfirmationDialog'; | ||
import {BuildDetailInfo, QuickViewProps} from '../../../types'; | ||
import { BuildDetailInfo, QuickViewProps } from '../../../types'; | ||
import { VulnerablePackage } from '../types'; | ||
|
||
import { PackageCardBody } from './PackageCardBody'; | ||
|
@@ -42,6 +43,8 @@ export const VulnerablePackageMain: React.FunctionComponent<VulnerablePackageMai | |
}) => { | ||
const [showConfirmation, setShowConfirmation] = useState(false); | ||
const [insertVulnIgnore, insertVulnIgnoreState] = api.useInsertIgnoredVulnerabilitiesMutation(); | ||
const [createGitHubPullRequestForVuln] = api.useCreateGitHubPullRequestForVulnMutation(); | ||
|
||
const [ignoreNote, setIgnoreNote] = useState(''); | ||
const { project_id } = useParams(); | ||
const [shouldFilterFindingsBySeverity, setShouldFilterFindingsBySeverity] = useState(true); | ||
|
@@ -65,6 +68,8 @@ export const VulnerablePackageMain: React.FunctionComponent<VulnerablePackageMai | |
|
||
const allFindingsIgnored = findings.every((f) => f.ignored); | ||
|
||
const recommendedVersion = semver.rsort([...pkg.fix_versions])[0]; | ||
|
||
const bulkIgnoreVulns = async () => { | ||
if (!project_id) { | ||
throw new Error('attempted to ignore a vuln but no project id is in the url'); | ||
|
@@ -82,7 +87,7 @@ export const VulnerablePackageMain: React.FunctionComponent<VulnerablePackageMai | |
// eslint-disable-next-line react/display-name | ||
const customMenuToggle = React.forwardRef< | ||
HTMLAnchorElement, | ||
{ onClick: (e: React.MouseEvent<HTMLAnchorElement>) => void,children:React.ReactNode } | ||
{ onClick: (e: React.MouseEvent<HTMLAnchorElement>) => void; children: React.ReactNode } | ||
>(({ children, onClick }, ref) => ( | ||
<a | ||
className="text-end position-absolute top-0 end-0 m-3 btn-white" | ||
|
@@ -113,11 +118,25 @@ export const VulnerablePackageMain: React.FunctionComponent<VulnerablePackageMai | |
); | ||
}; | ||
|
||
async function onClickUpdate(pkg: VulnerablePackage) { | ||
const response = await createGitHubPullRequestForVuln({ | ||
project_id: build.project_id, | ||
vulnerability_id: pkg.affected_by[0].vulnerability.id, | ||
old_package_slug: `${pkg.release.package.name}@${pkg.release.version}`, | ||
new_package_slug: `${pkg.release.package.name}@^${recommendedVersion}`, | ||
// TODO: Add support for multiple paths... | ||
package_manifest_path: pkg.paths[0], | ||
}); | ||
|
||
// TODO: Make this actually put some HTML on the page. | ||
console.log('pr response:', response); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we should probably finish this feature before merging to master. It would be nice to keep master in a deployable state at all times (not that we succeed, lol) |
||
} | ||
|
||
return ( | ||
<> | ||
<Card className="vulnpkg-card"> | ||
{renderIgnoreUi()} | ||
<VulnerablePackageCardHeader pkg={pkg} ignored={allFindingsIgnored} /> | ||
<VulnerablePackageCardHeader pkg={pkg} ignored={allFindingsIgnored} onClickUpdate={onClickUpdate} /> | ||
<PackageCardBody | ||
findingsHiddenBySeverityCount={findingsHiddenBySeverityCount} | ||
pkg={pkg} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel that this should almost certainly take an array of changes. Clicking this button 5 times and filing 5 PRs for a single build is just not usable, there's no reason to write it in an incomplete way as an MVP since that's missing the "viable" part, IMO. It's nice to have the option to do it both one at a time, or for everything. It's not like that will be significantly more difficult. That's a pretty easy change, from what I've seen so far. There are all the components for that in the frontend kicking around still, I think, since that's how I had it written before.
Also, the "recommended version" is, I don't think, necessarily what we want to update to. That is just the highest fix version as you have it, which is not necessarily the fix version that is the target for the update.
Take a look at the backend code that calculates what the potential patch version is and you'll see it returns the target updatable version to the frontend.
const triviallyUpdatableTo = precomputeVulnTriviallyUpdatableTo(node.range, vulnMeta);
This is what you should be targetting as an update version. So you already have what you need, you can just use that value.
I think, very soon, we will want to change your backend implementation to use its own copy of the tree to make decisions, rather than just passing the data through the frontend. To build the "deep update" feature that I have mentioned several times, we need to be tree-aware anyway. But, for now, You should be able to get away with using the value that I'm passing here
trivially_updatable_to
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nevermind on that last tree part, but still yes on everything else. We can add the "parent update" logic to the backend as well and just pass that alongside the "trivially_updatable_to" that we are already passing here.