Default dependency list sort order icon is incorrect
Summary
The default sort order label and icon for the dependency list are currently `asc` for vulnerability severity values. This would imply that the vulnerabilities should be sorted in ascending order (info, unknown, low, medium, high, critical); however, the vulnerabilities are actually sorted in descending order (critical, high, medium, low, unknown, info).
This means that the sort order is correct, but the sort order label and icon are incorrect.
It also means the backend tests are very confusing, such as this one:

```ruby
context 'sorted by desc severity' do
  let(:params) do
    {
      sort: 'desc',
      sort_by: 'severity'
    }
  end

  it 'returns array of data properly sorted' do
    ...
  end
end
```
The above test shows that it is checking to make sure that the order is sorted by desc severity, and it passes `desc` as the sort order, yet it is actually ensuring that the severity order is info, unknown, low, medium, high, critical, which is an ascending sort order.
The purpose of this issue is to change the sort order label to `desc`, which will display the correct severity order icon in the dependency list and make the tests/code easier to maintain and understand.
Steps to reproduce
- Visit the dependency list page for a project: https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/dependencies
- Expand some of the vulnerabilities and look at the severity values. Notice that they're sorted in decreasing order of severity value, with the highest/most important vulnerabilities listed first. This is what I would consider a descending sort order, for example: highest to lowest, largest to smallest, most important to least important, yet the sort order icon is ascending and the sort order that's sent to the backend endpoint is also ascending (`asc`): `dependencies.json?sort_by=severity&sort=asc`
Example Project
https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/dependencies
What is the current bug behavior?
The dependency list shows the ascending icon for sorting dependencies by severity level, while the dependencies are actually sorted in descending order.
What is the expected correct behavior?
The icon for sorting the dependency list should match the current sort order.
Related discussions
See here for further details
Possible fixes
- Change fetchDependencies to use a `desc` sort order by default when fetching the vulnerabilities from the `dependencies.json` endpoint
- Update Security::DependencyListService#sort() and the other sorting methods in the file to ensure that `asc` order is info, unknown, low, medium, high, critical and `desc` order is critical, high, medium, low, unknown, info
- Update the spec for Security::DependencyListService to make sure that all tests pass and use the correct sorting order and label. For example, the test `sorted by desc severity` will need to be changed from:

  ```ruby
  context 'sorted by desc severity' do
    let(:params) do
      { sort: 'desc', sort_by: 'severity' }
    end

    it 'returns array of data properly sorted' do
      ...
    end
  end
  ```

  to:

  ```ruby
  context 'sorted by asc severity' do
    let(:params) do
      { sort: 'asc', sort_by: 'severity' }
    end

    it 'returns array of data properly sorted' do
      ...
    end
  end
  ```
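As an added illustration of the ordering the fixes above ask for (this is example code, not GitLab's Security::DependencyListService), the sort below maps `asc` to info, unknown, low, medium, high, critical and `desc` to the reverse. The dependency hash shape, the rule that a dependency ranks by its most severe vulnerability, the method names and the sample data are all assumptions made for the example.

```ruby
# Added example, not GitLab's own code. The data shape, the "rank a dependency by
# its most severe vulnerability" rule and the sample entries are assumptions.

# Lowest to highest, i.e. exactly the order that `asc` should produce.
SEVERITY_ORDER = %w[info unknown low medium high critical].freeze
SEVERITY_RANK = SEVERITY_ORDER.each_with_index.to_h.freeze

# A dependency is ranked by its most severe vulnerability; a dependency with no
# vulnerabilities (or only unrecognised severities) ranks below `info`.
def dependency_rank(dependency)
  ranks = dependency[:vulnerabilities].map { |v| SEVERITY_RANK.fetch(v[:severity], -1) }
  ranks.max || -1
end

# `sort` must be 'asc' or 'desc'. Anything else raises, so a typo cannot quietly
# invert the order the way the mislabelled default did. Name is the tie-breaker
# in both directions so equal severities keep a stable, predictable order.
def sort_by_severity(dependencies, sort:)
  raise ArgumentError, "sort must be 'asc' or 'desc', got #{sort.inspect}" unless %w[asc desc].include?(sort)

  direction = sort == 'desc' ? -1 : 1
  dependencies.sort_by { |d| [direction * dependency_rank(d), d[:name]] }
end

# Constructed sample data shaped like dependency list entries (not real findings).
SAMPLE_DEPENDENCIES = [
  { name: 'jackson-databind', vulnerabilities: [{ severity: 'high' }, { severity: 'critical' }] },
  { name: 'commons-io',       vulnerabilities: [{ severity: 'low' }] },
  { name: 'guava',            vulnerabilities: [{ severity: 'medium' }, { severity: 'unknown' }] },
  { name: 'junit',            vulnerabilities: [] },
  { name: 'log4j-api',        vulnerabilities: [{ severity: 'info' }] }
].freeze

# Convenience for checking the result: dependency names in sorted order.
def severity_sorted_names(sort)
  sort_by_severity(SAMPLE_DEPENDENCIES, sort: sort).map { |d| d[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "asc:  #{severity_sorted_names('asc').join(', ')}"
  puts "desc: #{severity_sorted_names('desc').join(', ')}"
end
```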