Transitive packages and vulnerability indicators in Solution PM UI #6044
Conversation
…t and installed tab vulnerability warning (#5994) First step to show transitive packages in Solution PM UI and show vulnerability warnings in Solution PM UI Installed Tab
…level (#5998) * Get all the installed packages metadata in the Solution level
… details pane for top-level packages (#6010) * Vulnerability indicators for top level in solution
…#6034) * Show transitive's data in Details Pane
…ransitive in the solution (#6040)
#6043) * Update vulnerability warning tooltips
martinrrm
force-pushed
the
feature-TransitivePkgsInSolutionPMUI
branch
from
8cb61fa to
85f658a
Compare
martinrrm
changed the title
| @@ -9,16 +9,20 @@ | |||
|
|
|||
| namespace NuGet.PackageManagement.UI | |||
| { | |||
| public class DownloadCountToVisibilityConverter : IValueConverter | |||
| public class IsGreaterThanToVisibilityConverter : IValueConverter | |||
There was a problem hiding this comment.
For some reason, I am having a hard time understanding the name of the class :) If my understanding is correct, the visibility of some control in the UI is dependent on the count. If the count is greater than the some threshold the control will be enabled. Is that correct? Maybe we can try VS Copilot's smart rename feature.
There was a problem hiding this comment.
You are correct, @kartheekp-ms. The Converter checks if the value is greater than a threshold to determine visibility. Perhaps GreaterThanThresholdToVisibilityConverter would be a better name? Thoughts?
There was a problem hiding this comment.
Great to see this being added, nice work!
I'd like to see some accessibility testing to ensure we're not introducing a11y bugs for the new UI elements (https://github.com/NuGet/NuGet.Client/blob/dev/docs/ui-guidelines.md#accessibility-testing).
My main UI behavior concern is whether the calculations for columns and scrolling works well at different resolutions.
More unit tests to cover more of the package feeds and Services logic changes would be good as well.
| <TextBlock | ||
| VerticalAlignment="Bottom" | ||
| Text="{Binding InstalledVersion, Converter={StaticResource VersionToStringConverter}}" /> | ||
| <imaging:CrispImage |
There was a problem hiding this comment.
Could the warning icon be put before the installed version? This would reduce visual clutter by aligning the icons. Also, it's more consistent with the positioning in the packages list (warning icon on the left of installed version).
rough mockup (left is from this PR, right is my suggestion):
There was a problem hiding this comment.
When I presented this to the UX board the warning icons where on the left* side, but their suggestion was to move to the right* side so it matches the Installed tab warning icon at the top
There was a problem hiding this comment.
@martinrrm do you mean vice versa? The icons are currently on the right side and I believe when you presented this initially you had them on the left and the advice was to put the warning icons on the right side. Please correct me if I'm wrong.
There was a problem hiding this comment.
Mb, I corrected the message, but yeah they suggested to change it so both installed "headers" have the icon at the same place, and have them mixed (rows with icon to the left and header to the right) would look weird
There was a problem hiding this comment.
Ok, in that case, the Installed tab could also have probably been changed. We still have 2 different approaches, again, the packages list shows on the left.
There was a problem hiding this comment.
Thanks Donnie, that a great suggestion, we have been getting UX approval for specific features and not considering the PM UI consistency. We should probably get back to the UX board and look at the whole PM UI. During my last UX meeting we discussed a lot of opportunities we could do improve the PM UI experience, I'll send a link to the meeting recording.
There was a problem hiding this comment.
Look forward to seeing that! In the meantime, if this is "ok" with UX board, then I think it could be easily changed later and not be too jarring to customers.
There was a problem hiding this comment.
Not for this PR, but could it make sense to move the vulnerability information to a column of its own? This would help align the icons and we could also add additional icons to denote the max severity of the vulnerabilities.
✅ - No Vul
🔴 - Critical
❔ - Unkown
...ients/NuGet.PackageManagement.VisualStudio/PackageFeeds/InstalledAndTransitivePackageFeed.cs
Show resolved
Hide resolved
| // Returns latest transitive package version | ||
| e => Assert.Equal(new PackageIdentity("transitivePackageC", new NuGetVersion("0.0.2")), e.Identity)); | ||
| e => Assert.Equal(new PackageIdentity("transitivePackageC", new NuGetVersion("0.0.2")), e.Identity), | ||
| // Returns all the transtive packages that are not the latest verion |
There was a problem hiding this comment.
Could the comment be expanded to explain why this assertion is made?
| // Returns all the transtive packages that are not the latest verion | |
| // Returns all the transitive packages that are not the latest version because..... |
There was a problem hiding this comment.
So this PackageCollection is sorted, first we display the Installed Packages and then the TransitivePackages, and in each "group" they are sorted by latest.
In this test I'm trying to test that they are sorted as expected
There was a problem hiding this comment.
If they are sorted, why is transitivePackageC 0.0.2 asserted before version 0.0.1 ?
Are you planning to fix the typos I suggested?
| set | ||
| { | ||
| _vulnerableVersions = value; | ||
| OnPropertyChanged(nameof(VulnerableVersions)); |
There was a problem hiding this comment.
Is this necessary? I don't see where the entire dictionary is being replaced, so I don't think it's being used.
There was a problem hiding this comment.
Good point. I think we can delete the Setter altogether since the Dictionary is instantiated and only added to and this setter is never used. Then, the private _vulnerableVersions can be readonly.
There was a problem hiding this comment.
@donnie-msft I addressed this now in the latest commit. I moved the OnPropertyChanged to a place where we add items to the VulnerableVersions dictionary, and also added an OnPropertyChanged for the VulnerableVersionsString which was previously missing. I removed the setter here because it was not being used. Thank you!
| { | ||
| versionOverride = versionOverrides[0]; | ||
| } | ||
| existingListItem.UpdateInstalledPackagesVulnerabilities(new PackageIdentity(packageId, packageVersion)); |
There was a problem hiding this comment.
@martinrrm Am I remembering correctly that we changed this to accept metadataContextInfo.Identity rather than instantiate a new PackageIdentity? I'm wondering how this made its way back here.
There was a problem hiding this comment.
I fixed this in the latest commit.
| @@ -181,18 +211,20 @@ private async Task UpdateInstalledVersionsAsync(CancellationToken cancellationTo | |||
| /// This method is called from several methods that are called from properties and LINQ queries | |||
| /// It is likely not called more than once in an action. | |||
| /// </summary> | |||
| private async Task<IPackageReferenceContextInfo> GetInstalledPackageAsync( | |||
| private async Task<(IPackageReferenceContextInfo TopLevelPackage, IPackageReferenceContextInfo TransitivePackage)> GetInstalledAndTransitivePackagesAsync( | |||
There was a problem hiding this comment.
Trying to make sure I'm understanding things here, this is returning the package information for a project and a specific packageId?
Is it possible for a single packageId to be both a toplevel and transitive package for a project? If not then I think this should be renamed to GetInstalledOrTransitivePackageAsync.
private async Task<(IPackageReferenceContextInfo Package, bool IsTransitive)> GetPackageContextAsync
There was a problem hiding this comment.
@jgonz120 It's not possible for a package to be both top-level and transitive in a single project. It's only possible for a package to be top-level and transitive in a across the solution, i.e. top-level in one project, transitive in another.
@martinrrm I think the suggested rename is a good idea because it looks like we're getting package information for a project/package combo. Could you confirm this is what we're doing and what you think of the proposed rename?
There was a problem hiding this comment.
I put this private async Task<(IPackageReferenceContextInfo Package, bool IsTransitive)> GetPackageContextAsync and didn't explain it.
If only one package will ever be returned we can simplify the return with a bool to indicate if the package found is transitive or top level.
There was a problem hiding this comment.
Or even private async Task<(IPackageReferenceContextInfo Package, PackageLevel PackageLevel)> GetPackageContextAsync
src/NuGet.Clients/NuGet.PackageManagement.UI/ViewModels/PackageItemViewModel.cs
Show resolved
Hide resolved
src/NuGet.Clients/NuGet.PackageManagement.UI/ViewModels/PackageItemViewModel.cs
Show resolved
Hide resolved
| IEnumerable<PackageCollectionItem> transitivePkgsWithOrigins = GetTransitivePackagesWithOrigins(_transitivePackages); | ||
|
|
||
| // Get the metadata for the latest version of the installed packages and transitive packages | ||
| IEnumerable<PackageCollectionItem> installedPackagesLatest = GetLatestPackages(_installedPackages); |
There was a problem hiding this comment.
Nit: can this be updated to match the other variable name? latestInstalledPackages
…mprove localization of table headers (#6051)
| { | ||
| return Visibility.Visible; | ||
| long intValue = System.Convert.ToInt64(value, culture); |
There was a problem hiding this comment.
Convert.ToInt64() will throw an exception if the value is not a valid long value. The example in the doc has catch blocks for various exceptions this method can throw.
There was a problem hiding this comment.
I'm guessing this is done so an object or a string can be converted to the correct value. Would it worth creating a bool TryConvertToInt64(obj, formatter, out long? convertedValue) method somewhere?
There was a problem hiding this comment.
@kartheekp-ms thanks for the feedback. @jgonz120 I like this suggestion. I've got this ready and will push changes in a moment.
There was a problem hiding this comment.
@kartheekp-ms @jgonz120 pushed an update that addresses this case and has a new test for invalid conversion scenarios.
...t.Clients/NuGet.PackageManagement.UI/Converters/GreaterThanThresholdToVisibilityConverter.cs
Outdated
Show resolved
Hide resolved
| { | ||
| return Visibility.Visible; | ||
| long intValue = System.Convert.ToInt64(value, culture); |
There was a problem hiding this comment.
I'm guessing this is done so an object or a string can be converted to the correct value. Would it worth creating a bool TryConvertToInt64(obj, formatter, out long? convertedValue) method somewhere?
…sion cases. - Only adding to VulnerableVersions dictionary if it does not already exist because the same version is installed in another project and only if it's added should we fire OnPropertyChanged.
|
Looking at the screenshot mentioned in the PR description, I think
|
| private readonly Dictionary<NuGetVersion, int> _vulnerableVersions = []; | ||
| public Dictionary<NuGetVersion, int> VulnerableVersions => _vulnerableVersions; |
There was a problem hiding this comment.
Is anything actually listening to VulnerableVersions ? Maybe I'm missing it in a binding somewhere?
There was a problem hiding this comment.
It's used here: https://github.com/NuGet/NuGet.Client/pull/6044/files#diff-5c15ee840d9063ec5f345761223159c7ecde0f058e0e0190e359adcfee761290R170
It was also supposed to be used in the XAML for the VulnerableVersions.Count but there's typo. I'm fixing the XAML binding now.
| } | ||
| } | ||
|
|
||
| private readonly Dictionary<NuGetVersion, int> _vulnerableVersions = []; |
There was a problem hiding this comment.
Is this field being used? I think it doesn't need both the field & property.
| OnPropertyChanged(nameof(VulnerableVersions)); | ||
| OnPropertyChanged(nameof(VulnerableVersionsString)); |
There was a problem hiding this comment.
nit: Ideally, a CollectionChanged event could be used to fire the appropriate OnPropertyChanged events when the collection gets changed.
There was a problem hiding this comment.
That's a really good point. This should be an observable set / dictionary that fires CollectionChanged when it gets updated, and we listen to that and fire any additional OnPropertyChanged as needed.
| // Returns latest transitive package version | ||
| e => Assert.Equal(new PackageIdentity("transitivePackageC", new NuGetVersion("0.0.2")), e.Identity)); | ||
| e => Assert.Equal(new PackageIdentity("transitivePackageC", new NuGetVersion("0.0.2")), e.Identity), | ||
| // Returns all the transtive packages that are not the latest verion |
There was a problem hiding this comment.
If they are sorted, why is transitivePackageC 0.0.2 asserted before version 0.0.1 ?
Are you planning to fix the typos I suggested?
| @@ -262,85 +262,105 @@ public IEnumerable<PackageItemViewModel> GetCurrent() | |||
| return Enumerable.Empty<PackageItemViewModel>(); | |||
| } | |||
|
|
|||
| var listItemViewModels = new List<PackageItemViewModel>(capacity: _state.ItemsCount); | |||
| var listItemViewModels = new Dictionary<string, PackageItemViewModel>(); | |||
There was a problem hiding this comment.
I'm trying to understand what the dictionary is being used for. Could someone explain how the same package would exist in _state.Results.PackageSearchItems multiple times? Ideally, a comment would be good here as well.
There was a problem hiding this comment.
@donnie-msft the changes made here: https://github.com/NuGet/NuGet.Client/pull/6044/files#diff-b1b2dd9d0be30f84d9309d08db86156cff27b5df8e43b54c13e90bfa5fbf72f9R38-R43 are related to this.
Let's see if I can explain this in a way that makes sense in a comment. :-) (This is actually the main reason I did the live code review meeting to explain this part). The Solution PM UI needs to know about all the versions installed across the solution, in each project, not just the latest version. For the Project PM UI, this will always only be the latest version because of how restore works. But limiting it to just the latest doesn't work in the solution because we can have the same package installed at different versions in different projects and since one of those can be vulnerable, not just the latest, we need to know all of the package versions for each package. As such, the InstalledAndTransitivePackageFeed will now return all the package versions. However, we want to create a single PackageItemViewModel so it shows up only once in the packages list. We keep track of the PackageItemViewModels we've created for that Package Id (the string key) and retrieve the view model if it was already created, so we can add the additional versions to it.
I hope this explanation helps! I can probably explain it better in real time so if you have questions or want a deeper dive, please set up a quick meeting and we'll go over this in more detail!
@kartheekp-ms We already fixed this. I thought the PR was completed but it looks like it's not merged yet. This fixes the issue: #6050. I'll ask @martinrrm to retarget dev and submit this fix after this PR goes in. |
Bug
Fixes: NuGet/Home#13216
Description
This feature brings to the Solution-level PM UI the Transitive Packages experience that we previously added to the Project-level PM UI. Additionally, we added new UX to the projects / versions grid in the Details Pane to show the package level of the selected package, as well as any vulnerabilities.
Accessibility localization PR #6051
Accessibility
Details pane
It has a minimum size so the columns will always look "good"
PR Checklist