feat: add advisor preview

[sangress]

Add advisor score to vscode extension

Score will show for packages with vulnerabilities, as shown in the following image:

To see this feature in action, use a package.json file with a package that known to have a score lower then 70, then hover with your mouse over the Advisor Score text with the mouse to see the advisor score details.
Example dependencies:

    "axios": "^0.20.0",
    "express": "^4.17.1",
    "firebase": "^5.8.2",
    "lodash": "^4.17.11",
    "numeral": "^2.0.6", # lower then 70
    "vue": "^2.5.21",
    "vue-router": "^3.0.6",
    "chino": "0.0.0", # lower then 70
    "vuejs": "3.0.1" # lower then 70

[CLAassistant]

All committers have signed the CLA.

[michelkaporin]

Names of the files should follow camel casing - see other files.

[sangress]

I did see other files before. For example: https://github.com/snyk/vscode-extension/blob/feat/advisor_score/src/snyk/common/commands/types.ts#L10

[michelkaporin]

I mean files, not types :)

[sangress]

Ohh, okay.

[michelkaporin]

We should rely on vscode abstractions instead, for testing purposes.

[sangress]

Please eleborate.

[michelkaporin]

When you write unit tests, "vscode" module cannot be resolved since tests run not within VS Code. To overcome this, we invert our dependency on vscode module through dependency inversion mechanisms. You can see inversions in src/snyk/common/vscode folder.

[michelkaporin]

This file contains mappings between local types and vscode API ones.
The following types are unrelated to vscode, thus shouldn't be part of /vscode/types.ts.

[michelkaporin]

Can we make use of existing configuration variables instead of hardcoding the link here? E.g. defaultAuthHost from configuration.ts

[michelkaporin]

Why do you need this map? Vulnerability Count doesn't relate to advisor.

[sangress]

Because we only show advisor score for packages that has vulnerabilities.

[michelkaporin]

Is it the case in IntelliJ Advisor integration as well? I didn't see the feature plan and tbh this wouldn't be my expectation 🤔

[sangress]

That's the requirements that I got from Oren - @snyk/advisor

[michelkaporin]

Please verify if we're aligned on that requirement with IntelliJ plugin.

[michelkaporin]

Errors should be reported via Logger class. See logger injection in other classes.

[michelkaporin]

This class should work with the same base Url for API. If there's a need to work with different API url, you either create another class or introduce type parameter here indicating what type of Snyk Api we want to POST to.

[sangress]

You want to create a new class just for a single method? I think it's a bit overkill and duplication of classes.

[michelkaporin]

It is important to follow single responsibility principle. Use another suggested option then, if you don't like another class. But first determine what's the difference between these two APIs and only then make a decision please.

[sangress]

I understand and I agree on that, it looks like a duplication now that I look at it. But I think this is not the case because apiClient is common and generic.
Another solution can be that we'll use a helper function/class that will return the right url according to the request method (in this case). What do you think about it?

[michelkaporin]

If you can keep single responsibility principle with a new function/class, then sure :) Sometimes it's better to duplicate rather than making a thing less comprehensible when glancing at the code.

[michelkaporin]

Please don't duplicate the code.

[sangress]

I moved it to common, how is that a duplication?

[michelkaporin]

snyk/vscode-extension/src/snyk/snykOss/constants/nativeModules.ts

[michelkaporin]

Issues found from quick glance:

1. When opening and closing tab, advisor score is not getting reported inline. It seems to show the score only if the extension is started when manifest file is opened.
2. Score is prefixed with pipe when no vuln count is shown.

3. Hover doesn't show where does the Advisor info come from. User can be misled and not know that it's actually Snyk. Please run this by UX.

[michelkaporin]

It's quite many comments I've left but it's much better after the last iteration 👍. Let's have a call when you will go through them. There are few bits that I still want to discuss.

Something you shouldn't also forget is testing the implemented bits 😉

[michelkaporin]

Can you revert file to the original? There's no need to write type for the variable, let's have changes clean for git blame to work fine when needed.

[michelkaporin]

As discussed offline, I'll be taking this PR over and merging it afterwards.

[michelkaporin]

Bless me for self approving it.

[michelkaporin]

Thank you for your work on it @sangress 👏

[sangress]

Thank you for your work on it @sangress 👏

Thanks @michelkaporin for mentioning.
It's good to see it live; it was my longest PR ever, but I did enjoy working on it.

Good luck with future features :)