CVE overhaul

[akbarkz]

Done

• This is a feature branch for CVE Overhaul story

QA

• Check out this feature branch
• Run the site using the command ./run serve or dotrun
• View the site locally in your web browser at: http://0.0.0.0:8001/
  • Be sure to test on mobile, tablet and desktop screen sizes

Issue / Card

Fixes https://warthogs.atlassian.net/browse/WD-162, #11216, #11591, #12056, #12055, #12054, #13024, #13386

Help

QA steps - Commit guidelines

[webteam-app]

Demo starting at https://ubuntu-com-13412.demos.haus/security/cves

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.49%. Comparing base (f29bbc1) to head (76a55d9).
Report is 160 commits behind head on main.

❗ Current head 76a55d9 differs from pull request most recent head 2756c5a

Please upload reports for the commit 2756c5a to get more accurate results.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13412      +/-   ##
==========================================
+ Coverage   74.29%   74.49%   +0.19%     
==========================================
  Files         107      107              
  Lines        2871     2854      -17     
  Branches      964      954      -10     
==========================================
- Hits         2133     2126       -7     
+ Misses        712      704       -8     
+ Partials       26       24       -2     

see 5 files with indirect coverage changes

[juanruitina]

@mtruj013 Some final comments after having a comprehensive look at it all.

• Please change the icons for the Vulnerable statuses from p-icon--warning to p-icon--error in home, search results and about page (it's correct already on the individual CVE page). I agreed with @lyubomir-popov on this in the interim until we come up with custom icons.

In the home:

• Can you please add the u-responsive-realign styles to the "Learn more about CVEs..." and the "By Ubuntu release" link lists? So spacing is a bit better on mobile.
• Under "By Ubuntu release", can we generate the links dynamically? I see 24.04 is not there, and 23.10 is even when it's already out of support.
• "Other releases" should just point to https://ubuntu-com-13412.demos.haus/security/cves?q=

In the search results:

•  Please change "Affected packages" so it's just "Affected package", given we can't select more than one for the time being.
• Priority filters are still not working as expected: when selecting more than one, only the first option in the URL works: see https://ubuntu-com-13412.demos.haus/security/cves?q=&priority=medium&priority=high vs https://ubuntu-com-13412.demos.haus/security/cves?q=&priority=high&priority=medium
• For some reason it's not possible to select "Vulnerable" and another status in the filters.

In the individual CVE page:

• Please add "Learn more about Ubuntu priority" link at the bottom of the "Why is this CVE high priority?" section when section exists. Should point to https://ubuntu.com/security/cves/about#priority
• I accidentally stumbled upon this CVE, which doesn't seem to affect any release. Should we even list these? I feel tempted to change the notification to "No releases are affected by this CVE." and hide the table, but I worry it will be misleading.

• Spacing seems a bit off above the "Why is this CVE high priority?" heading. Maybe you can apply the ID and the scroll style to the H3 instead and get rid of the div container?
• When comparing this CVE with the live version I see the notes are missing. Is this because of the demo? (If there are no notes, the "Read the notes from the security team" link should be hidden).
• Please add a "What do statuses mean?" link after the "How can I get the fixes?" one.

In the About page:

• Add paper background

Very proud of our work here, I really think it's a great improvement.

[mtruj013]

Thanks @juanruitina! To answer some of your questions:

"Other releases" should just point to https://ubuntu-com-13412.demos.haus/security/cves?q=

This was already the case so that's why I've left it unchecked

I accidentally stumbled upon this CVE, which doesn't seem to affect any release. Should we even list these?

This is because we're filtering out packages which only have upstream statuses, prod version here. I do still think we should list these but hide the table as you suggested as it still seems like it has info people might want.

When comparing this CVE with the live version I see the notes are missing. Is this because of the demo?

No, it's because we were hiding notes if the priority reason existed. IIRC one of the cves we were testing against in a past pr had the same exact info for both sections so I was given the feedback to hide the notes of the reason was included in the payload. I think this is a better solution though (to not hide notes based on the existence of the priority reason I mean)