
Show package vulnerabilities in the Visual Studio Package Manager UI #11054

Merged: 4 commits merged from chgill-Show-Vulnerabilities-In-PMUI into dev on Nov 10, 2021

Conversation

chrisraygill
Contributor

Feature Summary

When a vulnerability in a NuGet package is discovered, surface an indicator of the vulnerability in the Package Manager UI to alert developers and help them take the appropriate action.

Problem

Vulnerabilities in packages can be leveraged by malicious actors to do harm to developers and their users. At the time of writing this, there are 113 NuGet advisories in the GitHub Advisory Database. While package vulnerabilities can be found on NuGet.org and with the dotnet list command, most developer interactions with NuGet occur in the Visual Studio package manager UI where no vulnerability information is currently available.


@nkolev92 nkolev92 left a comment


Looks great.

Great job calling out the scope of this design. Made the proposal very easy to review.

Updated mockup to accommodate multiple vulnerabilities
- The warning sign on the Installed tab header will display the number of vulnerable and deprecated packages in the tooltip.
- The warning icon will appear for all levels of vulnerabilities – consistent with the behavior on NuGet.org.
- We will use the same warning sign for vulnerabilities as we do for deprecation to avoid the “lucky charms” effect where symbols get ignored because there are too many.
- The package details window will display a more detailed vulnerability message that includes the total count of advisories and the severities and links to the advisories.
Contributor


nit: when there are multiple advisories, they should be ordered from high to low severity.

Contributor Author


Tracked with this issue: #11091

@skofman1
Contributor

skofman1 commented Aug 4, 2021

There's a discrepancy between how we show the list of versions in the Install Tab between deprecated and vulnerable packages. For deprecated packages we show the word 'deprecated' near each deprecated version, and we don't show anything for vulnerable versions.
This discrepancy also happens between the Search Tab and the Install Tab. In the Search tab we never show text near the version (for either deprecated or vulnerable versions). IMHO the text is helpful when choosing which version to take a dependency on, and we should show it in all 3 tabs.

//cc @chgill-MSFT , @anangaur , @jebriede

@chrisraygill
Contributor Author

@skofman1 this is being tracked in these issues:

@JonDouglas
Contributor

@chgill-MSFT Please feel free to merge this as this has been implemented & approval is there.

@chrisraygill chrisraygill merged commit 6f67ef0 into dev Nov 10, 2021
@chrisraygill chrisraygill deleted the chgill-Show-Vulnerabilities-In-PMUI branch November 10, 2021 23:00