feat(vulnerabilities): add option to add summary to dashboard #21766
Conversation
We already hit character limits sometimes, how much will this add?
With the default configuration ( If we are talking about extreme edge cases, e.g. big monorepos with a lot of CVEs, then the section can become big. As this is also marked as experimental, I think this is fine as a first iteration.
Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
…o `osvVulnerabilityAlerts`
How about something like:
And if there's a mix of CVEs, so with and without fixes:
How about:
Can we state how many have fixes rather than how many don't have fixes?
Sure, that is possible. If we do that, the users have to compare the values in their head to find out whether action from their side is necessary, though. With my proposal they would only need to glance at the section to see two highlighted numbers and they would know manual actions are necessary.
Can it be like "7 of 7" then, so that you can still tell at a glance if action is required?
Not sure what the difference to my initial proposal is then, tbh. Maybe we can fix that up then?
To keep this moving, here is an adaptation based on your feedback @rarkins.
Is there really a need to support osvVulnerabilityAlerts=false in combination with this feature? What's the use case for that?
One use case would be that only a summary and no PRs are expected. TBH, in 90% of cases users will activate this with
I think users can still turn off PRs other ways (and if not we could make that happen). I'd like to simplify this so that it always prints a summary in the dashboard if that feature is enabled. |
Following up on your valid concerns in #20242 (comment), I think we shouldn't tightly couple these two configs. Rather, I can imagine that we provide presets for the different use cases. Or do you mean that
I kinda like the simplicity of something along these lines:
Good point, let's keep it opt-in with a second option
@rarkins I have implemented the suggestion of setchy.
🎉 This PR is included in version 35.90.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Changes
This PR adds a configuration option dependencyDashboardVulnerabilitySummary to allow adding a summary to the dependency dashboard. Available options are:
none: no section is added
unresolved: only vulnerabilities without fixes are displayed
all: all vulnerabilities affecting the repository are listed
Context
Fixes #20242
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via:
secustor/renovate-security-dashboard#8
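As an added illustration (not part of this PR, and not taken from Renovate's own documentation), here is a renovate.json5 that combines the new option with the existing dependencyDashboard and osvVulnerabilityAlerts options the way the thread settled on, i.e. the summary stays a separate, second opt-in. It uses the option name and the three values exactly as given in the PR description above; the file name, the config:recommended preset and the choice of the unresolved value are assumptions for the example.

```json5
// renovate.json5 (added example, not from the PR or the Renovate project)
{
  extends: ['config:recommended'],

  // The dependency dashboard issue is the surface the summary is rendered into.
  dependencyDashboard: true,

  // osvVulnerabilityAlerts is the existing option that queries OSV and raises
  // vulnerability-fix PRs. Per the discussion above the summary is not coupled
  // to it: both are enabled here on purpose, as separate opt-ins.
  osvVulnerabilityAlerts: true,

  // Option name and values as stated in the PR description:
  //   'none'       - no section is added
  //   'unresolved' - only vulnerabilities without fixes are displayed
  //   'all'        - all vulnerabilities affecting the repository are listed
  // 'unresolved' keeps the section small on large monorepos (the character
  // limit concern raised above) and surfaces only items needing manual action.
  dependencyDashboardVulnerabilitySummary: 'unresolved',
}
```

Switching the value to 'all' lists fixed and unfixed vulnerabilities alike, which is where the dashboard section can grow large on repositories with many CVEs; 'none' restores the previous behaviour with no summary section.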