Curation Tool (aka YAML Builder)

[andymeneely]

Motivation

Currently, the curation process is a bit clunky, and we'd like to make it better. The current process is something like this:

1. Fork the repo
2. Find your YAML file
3. Create a PR for your yaml file
4. Read the questions in the YAML file
5. Edit the YAML file (and hope you edited properly).
6. Push to your fork
7. CI tells you your YAML syntax is wrong
8. Edit some more, repeating edit-push-ci until you're done
9. When ready, shepherd merges the PR

This is a lot of steps. Now, doing GitHub pull requests and the review process is really nice. But, answering the questions can be rather tricky and the feedback cycle is just too long. There's a lot of easy verification that could be done.

Proposed Feature: The "Curate" tool

This would be a web-based tool with two columns: questions on the left, and YAML on the right.

These questions would guide you through various questions and link you to various examples and resources. It would also check things while you worked, such as:

• Length of response, e.g. nickname
• Format of response, e.g. Git hash
• Any links are followed and verified
• Completed for the next level of curation
• Copy YML to clipboard

Must Haves

• Per-project templating of questions. Each project has a slightly different set of questions, and we'd need to configure a dropdown for each of those. We currently use skeleton files for this, e.g. here's httpds
• Populate from an existing YML - an "edit CVE-123-4567" and it'll get the YAML and populate it
• Link to the YML to edit, or maybe create a PR using query parameters
• Produces valid YML as you type

Nice to Haves

• Session storage so you can save your work
• Populate from existing PR - this might be trickier since we'd be interacting with the Github API
• Load from YML that was saved to your computer

Check the following:

• [x] I have checked the VHP backlog for something similar: https://github.com/VulnerabilityHistoryProject/vulnerability-history/issues
• [x] I have checked if this should also be part of a Github Project: https://github.com/VulnerabilityHistoryProject/vulnerability-history/projects?type=beta
• [x] I have checked that this might need dev infrastructure or refactor labels

[tomcat1030]

Thanks for kicking this off @andymeneely, we'll have to go over the details at some point, just to make sure I'm on the same page.

[andymeneely]

Another idea I'm getting from this latest curation round: what if we used github.dev and a made a VS Code extension that auto-validates your YAML and guides you through a curation? That way they can edit right in the browser and check their work.

Need to look into this more, but this might be a really nice solution.

[tomcat1030]

Interesting idea @andymeneely. I think I just found a dev for the originally planned curation tool, but let's discuss this idea more on Thursday!

[andymeneely]

The "turbo tax" of vulnerability curations. That kind of guided wizard UI.

Or some of the slick survey tools questions.

[andymeneely]

The 23andme survey UI is one that was really slick for this

[andymeneely]

I came across this nice analysis of the TurboTax UX: https://uxdesign.cc/https-medium-com-ux-ui-analysis-of-turbotax-171c86d80a41