feat: support toggling of recommendations (#795)

Author: Strum355

package.json

@@ -365,6 +365,11 @@
           "default": "",
           "description": "Specifies platform used for multi-arch images.",
           "scope": "window"
+        },
+        "redHatDependencyAnalytics.recommendations.enabled": {
+          "type": "boolean",
+          "default": true,
+          "description": "Toggles recommending Red Hat repositories"
         }
       }
     }

src/config.ts

@@ -13,6 +13,7 @@ class Config {
   telemetryId: string;
   stackAnalysisCommand: string;
   trackRecommendationAcceptanceCommand: string;
+  recommendationsEnabled: boolean;
   utmSource: string;
   exhortProxyUrl: string;
   matchManifestVersions: string;
@@ -91,6 +92,7 @@ class Config {
 
     this.stackAnalysisCommand = commands.STACK_ANALYSIS_COMMAND;
     this.trackRecommendationAcceptanceCommand = commands.TRACK_RECOMMENDATION_ACCEPTANCE_COMMAND;
+    this.recommendationsEnabled = rhdaConfig.recommendations.enabled;
     this.utmSource = GlobalState.UTM_SOURCE;
     this.exhortProxyUrl = this.getEffectiveHttpProxyUrl();
     /* istanbul ignore next */

src/dependencyAnalysis/diagnostics.ts

@@ -12,8 +12,9 @@ import { VERSION_PLACEHOLDER, GRADLE } from '../constants';
 import { clearCodeActionsMap, registerCodeAction, generateSwitchToRecommendedVersionAction } from '../codeActionHandler';
 import { buildErrorMessage } from '../utils';
 import { AbstractDiagnosticsPipeline } from '../diagnosticsPipeline';
-import { Diagnostic, Uri } from 'vscode';
+import { Diagnostic, DiagnosticSeverity, Uri } from 'vscode';
 import { notifications, outputChannelDep } from '../extension';
+import { globalConfig } from '../config';
 
 /**
  * Implementation of DiagnosticsPipeline interface.
@@ -44,11 +45,16 @@ class DiagnosticsPipeline extends AbstractDiagnosticsPipeline<DependencyData> {
                 const vulnerability = new Vulnerability(getRange(dependency), ref, dependencyData);
 
                 const vulnerabilityDiagnostic = vulnerability.getDiagnostic();
+                if (vulnerabilityDiagnostic.severity === DiagnosticSeverity.Information && !globalConfig.recommendationsEnabled) {
+                    return;
+                }
+
                 this.diagnostics.push(vulnerabilityDiagnostic);
 
                 const loc = vulnerabilityDiagnostic.range.start.line + '|' + vulnerabilityDiagnostic.range.start.character;
 
                 dependencyData.forEach(dd => {
+                    // TODO: we never use DiagnosticSeverity.Hint aka 3, so this always selects dd.remediationRef
                     const actionRef = vulnerabilityDiagnostic.severity < 3 ? dd.remediationRef : dd.recommendationRef;
                     if (actionRef) {
                         this.createCodeAction(loc, actionRef, dependency.context, dd.sourceId, vulnerabilityDiagnostic);
@@ -91,7 +97,7 @@ class DiagnosticsPipeline extends AbstractDiagnosticsPipeline<DependencyData> {
  */
 async function performDiagnostics(diagnosticFilePath: Uri, contents: string, provider: IDependencyProvider) {
     try {
-        const dependencies = await provider.collect(contents);
+        const dependencies = provider.collect(contents);
         const ecosystem = provider.getEcosystem();
         const dependencyMap = new DependencyMap(dependencies, ecosystem);
 

src/imageAnalysis/diagnostics.ts

@@ -10,8 +10,9 @@ import { AbstractDiagnosticsPipeline } from '../diagnosticsPipeline';
 import { clearCodeActionsMap, registerCodeAction, generateRedirectToRecommendedVersionAction } from '../codeActionHandler';
 import { executeImageAnalysis, ImageData } from './analysis';
 import { Vulnerability } from '../vulnerability';
-import { Diagnostic, Uri } from 'vscode';
+import { Diagnostic, DiagnosticSeverity, Uri } from 'vscode';
 import { notifications, outputChannelDep } from '../extension';
+import { globalConfig } from '../config';
 
 /**
  * Implementation of DiagnosticsPipeline interface.
@@ -41,12 +42,16 @@ class DiagnosticsPipeline extends AbstractDiagnosticsPipeline<ImageData> {
                 const vulnerability = new Vulnerability(getRange(image), image.name.value, imageData);
 
                 const vulnerabilityDiagnostic = vulnerability.getDiagnostic();
+                if (vulnerabilityDiagnostic.severity === DiagnosticSeverity.Information && !globalConfig.recommendationsEnabled) {
+                    return;
+                }
+
                 this.diagnostics.push(vulnerabilityDiagnostic);
 
                 const loc = vulnerabilityDiagnostic.range.start.line + '|' + vulnerabilityDiagnostic.range.start.character;
 
                 imageData.forEach(id => {
-                    if (id.recommendationRef) {
+                    if (id.recommendationRef && globalConfig.recommendationsEnabled) {
                         this.createCodeAction(loc, id.recommendationRef, id.sourceId, vulnerabilityDiagnostic);
                     }
 

src/vulnerability.ts

@@ -74,7 +74,7 @@ Recommendation: ${artifactData.recommendationRef || 'No Red Hat recommendations'
         const messages = this.artifactData.map(ad => {
             if (hasIssues && ad.issuesCount > 0) {
                 return this.generateVulnerabilityInfo(ad);
-            } else if (!hasIssues) {
+            } else if (!hasIssues && globalConfig.recommendationsEnabled) {
                 return this.generateRecommendation(ad);
             }
             return '';

test/vulnerability.test.ts

@@ -262,4 +262,26 @@ suite('Vulnerability tests', () => {
         const diagnostic = vulnerability.getDiagnostic();
         expect(diagnostic.severity).to.eql(DiagnosticSeverity.Error);
     });
+
+    test('should return diagnostic without recommendations', async () => {
+        config.globalConfig.recommendationsEnabled = false;
+
+        const mockDependencyData: MockDependencyData[] = [
+            new MockDependencyData('osv(osv)', 2, mockRecommendationRef, 'mockRemediationRef', 'HIGH'),
+        ];
+        const vulnerability = new Vulnerability(
+            mockRange,
+            mockMavenRef,
+            mockDependencyData
+        );
+
+        const diagnostic = vulnerability.getDiagnostic();
+        expect(diagnostic.message.replace(/\s/g, '')).to.eql(`
+            mockGroupId1/mockArtifact1@mockVersion
+
+            osv(osv) vulnerability info:
+            Known security vulnerabilities: 2
+            Highest severity: HIGH
+        `.replace(/\s/g, ''));
+    });
 });