Open pjotawake opened 1 year ago
Hi @pjotawake - thanks for taking the time to raise an Issue!
So we can investigate further, are you able to share the complete log file? The location of this will be the first line of the output in the Output Tab with Sonatype IQ Extension selected (as per your screenshot).
Thanks!
Hi @madpah , please find the requested logging attached. vscode.log
Thanks @pjotawake - and can you confirm that this log includes you clicking on an item in the Tree View after the scan completes?
FYI - your log is missing some log entries that we'd expect to see (for seemingly no reason).
Appreciate you coming back to us.
Yes, confirmed. I have only changed the URL and the workspace username in that logging. I have collected the logging after the scan and then after 2 clicks in the Tree View.
Regards, P
Thanks @pjotawake - bit stumped here then. What we'll do is look to get a new release out in the coming week or so with some increased logging to see if we can track down where things are stopping / failing.
Thanks @madpah ! Looking forward to the new release. As soon as it is available, I'll test it again and let you know the results.
@pjotawake - we've just published a quick release with some additional logging in it (version 1.3.1). May take a few minutes to show in the VS Code Marketplace, but would absolutely appreciate you taking the time to re-test and share logs with this version when time permits.
My suspicion is that scripting may be being blocked on your system for some reason. The Component Detail view is essentially a local IFRAME with JavaScript enabled. Just an idea - let's see what the logs reveal!
@madpah - first I have removed the old 1.2.5 extension altogether, both from my workstation and also from the remote system, and I also manually deleted the directories related to the Sonatype IQ plugin. Rebooted the remote system to make sure no VSCode process is still hanging around. Then installed the new 1.3.1 version from scratch. Even though the logging in your updated version says "showAllVersions PostMessage: allversions", my main panel mysteriously remains empty. Also, I can see action happening in the trace logging when opening the tab which should display the details about the CVE. However, no HTML is rendered. The Marketplace is being displayed without a problem, but I am not sure if it uses the same webView? sonatype.log
Because of the "webView" in the new logging I now know what to look for. In the debugging of the main panel I can see the following line, confirming your suspicion:
2023-02-23 13:25:13.135 [info] update#setState idle
2023-02-23 13:25:15.561 [info] Starting extension host with pid 1740 (fork() took 87 ms).
2023-02-23 13:25:43.139 [info] update#setState checking for updates
2023-02-23 13:25:43.153 [info] update#setState downloading
2023-02-23 13:25:43.159 [info] update#setState ready
2023-02-23 13:29:17.280 [error] Blocked vscode-webview request vscode-webview://0i12tjhrc6fkgm8166rii3ob28qkkju95ed58ska5s2haretjqtu/index.html?id=0bdffda8-107e-43ed-83e4-7a4b9448eca1&origin=5ae2ead0-60e0-4ef7-960e-d6a4f6c4b28e&swVersion=4&extensionId=SonatypeCommunity.vscode-iq-plugin&platform=electron&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&parentOrigin=vscode-file%3A%2F%2Fvscode-app&remoteAuthority=ssh-remote%2Bsystem
@pjotawake - great find!
Is this something you can work around? Would be really interested to find out the system setting that is causing this to be blocked so we can add to the documentation!
@madpah previously I also was unable to use the plugin on my local laptop, but thanks to the additional logging in 1.3.1 I was able to see the reason(s) for this. One of them being an SSL error for which I have to set the variable NODE_TLS_REJECT_UNAUTHORIZED to 0 (even though the setting "strict SSL" is not enabled). So now, when I am developing locally on my laptop, everything works.
When comparing the (correct) logging of the local situation on my laptop to the logging in case of the remote machine, the following interesting logging can be observed on the remote machine:
2023-03-02 10:51:03.609 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> Launched Extension Host Process.
2023-03-02 10:51:11.603 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> includeDev set to false for Application api
2023-03-02 10:51:11.606 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> Grabbing PyPi dependencies from Application api...
2023-03-02 10:51:20.850 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> Components Size before push for api is 0
2023-03-02 10:51:20.851 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> Components Size AFTER push for api is 13
2023-03-02 10:51:46.473 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> loadHtmlForWebview undefined
2023-03-02 10:51:46.476 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> Update called
2023-03-02 10:51:46.479 [info] [127.0.0.1][c581cbb8][ExtensionHostConnection] <245444> showAllVersions <ref *1> ComponentEntry {
It seems that the loadHtmlForWebview is not working on the remote machine?
Also, in the working situation, we see the following when clicking a version of fastapi in the list down left of the screen:
TRACE: loadHtmlForWebview called
TRACE: showAllVersions
TRACE: showAllVersions after getAllVersions()
TRACE: Begin Get All Version Details: pkg:pypi/fastapi?extension=tar.gz
TRACE: WebView received message with command: selectVersion
TRACE: Begin Show Selected Version: pkg:pypi/fastapi@0.85.1?extension=tar.gz
TRACE: Got Component Details OK
TRACE: showAllVersions after getAllVersionDetails()
But in case of the remote machine:
TRACE: loadHtmlForWebview called
TRACE: showAllVersions
TRACE: showAllVersions after getAllVersions()
TRACE: Begin Get All Version Details: pkg:pypi/fastapi?extension=tar.gz
TRACE: Got Component Details OK
TRACE: showAllVersions after getAllVersionDetails()
So we're missing the messages "Begin Show Selected" and "WebView received message with command: selectVersion" there.
Best regards
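The comparison done by hand in the post above, as an added example that is not part of this thread or of the Sonatype extension: a small Node script that splits the two TRACE transcripts quoted above into their individual steps, reports which steps of the working (local) run never appear in the remote run, and parses the "Blocked vscode-webview request" line from the earlier comment into its query parameters so that the extension id, the remote authority and the parent origin can be read off directly. The sample log text is copied from the thread; the function names are my own.

```javascript
// Added example: not code from the issue thread or the Sonatype extension.
// Sample inputs are the TRACE transcripts and the blocked-webview error line
// quoted in the thread, joined back into the run-together form they were pasted in.

const WORKING_TRACE =
  "TRACE: loadHtmlForWebview called TRACE: showAllVersions " +
  "TRACE: showAllVersions after getAllVersions() " +
  "TRACE: Begin Get All Version Details: pkg:pypi/fastapi?extension=tar.gz " +
  "TRACE: WebView received message with command: selectVersion " +
  "TRACE: Begin Show Selected Version: pkg:pypi/fastapi@0.85.1?extension=tar.gz " +
  "TRACE: Got Component Details OK " +
  "TRACE: showAllVersions after getAllVersionDetails()";

const REMOTE_TRACE =
  "TRACE: loadHtmlForWebview called TRACE: showAllVersions " +
  "TRACE: showAllVersions after getAllVersions() " +
  "TRACE: Begin Get All Version Details: pkg:pypi/fastapi?extension=tar.gz " +
  "TRACE: Got Component Details OK " +
  "TRACE: showAllVersions after getAllVersionDetails()";

const BLOCKED_LINE =
  "2023-02-23 13:29:17.280 [error] Blocked vscode-webview request " +
  "vscode-webview://0i12tjhrc6fkgm8166rii3ob28qkkju95ed58ska5s2haretjqtu/index.html" +
  "?id=0bdffda8-107e-43ed-83e4-7a4b9448eca1&origin=5ae2ead0-60e0-4ef7-960e-d6a4f6c4b28e" +
  "&swVersion=4&extensionId=SonatypeCommunity.vscode-iq-plugin&platform=electron" +
  "&vscode-resource-base-authority=vscode-resource.vscode-cdn.net" +
  "&parentOrigin=vscode-file%3A%2F%2Fvscode-app&remoteAuthority=ssh-remote%2Bsystem";

// Split a run-together "TRACE: ..." transcript into its individual steps, in order.
function parseTrace(text) {
  return text.split(/\s*TRACE:\s*/).map((s) => s.trim()).filter(Boolean);
}

// Steps present in the reference run but absent from the observed run, in reference
// order. Occurrences are counted so a step that is repeated in one run but not the
// other is still reported.
function missingSteps(reference, observed) {
  const remaining = new Map();
  for (const step of observed) remaining.set(step, (remaining.get(step) || 0) + 1);
  const missing = [];
  for (const step of reference) {
    const n = remaining.get(step) || 0;
    if (n > 0) remaining.set(step, n - 1);
    else missing.push(step);
  }
  return missing;
}

// Parse a VS Code "[error] Blocked vscode-webview request <url>" line. The URL uses the
// non-special vscode-webview: scheme, which the WHATWG URL parser still splits into an
// authority (the per-webview origin), a path and a query string. Returns null if the
// line is not of that shape.
function parseBlockedWebviewRequest(line) {
  const m = /^(\S+ \S+) \[error\] Blocked vscode-webview request (\S+)$/.exec(line);
  if (!m) return null;
  const url = new URL(m[2]);
  const q = url.searchParams;
  return {
    timestamp: m[1],
    webviewOrigin: url.hostname,
    path: url.pathname,
    extensionId: q.get("extensionId"),
    platform: q.get("platform"),
    parentOrigin: q.get("parentOrigin"),       // percent-decoded, e.g. vscode-file://vscode-app
    remoteAuthority: q.get("remoteAuthority"), // percent-decoded, e.g. ssh-remote+system
  };
}

// Human-readable summary of both checks.
function report() {
  const missing = missingSteps(parseTrace(WORKING_TRACE), parseTrace(REMOTE_TRACE));
  const blocked = parseBlockedWebviewRequest(BLOCKED_LINE);
  const lines = ["Steps seen locally but missing on the remote machine:"];
  for (const step of missing) lines.push("  - " + step);
  lines.push("Blocked webview request:");
  for (const [k, v] of Object.entries(blocked)) lines.push(`  ${k}: ${v}`);
  return lines.join("\n");
}

console.log(report());
```

The missing-steps check makes the conclusion in the post mechanical: everything up to "Begin Get All Version Details" happens on both sides, and the first step that is absent remotely is the one where the WebView posts selectVersion back to the extension, which is consistent with the blocked request line, where remoteAuthority identifies the SSH remote session.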
FYI @ctownshend ^^
Description When using the plugin through an SSH connection, it detects the vulnerabilities, however, it never shows the information of the CVEs in the main panel.
To Reproduce Setup Visual Studio Code to use remote development by SSH (see https://code.visualstudio.com/docs/remote/ssh). Then add some malicious pip extensions and let the plugin detect the vulnerabilities. The Explorer panel will show a list with Sonatype Scan Results. Clicking on one of the results then does not populate the main panel with information about the CVE.
Expected behavior Clicking on one of the results should populate the main panel with information about the CVE.
Screenshots
Additional context The machine with VSCode is a Windows machine, the remote system has Ubuntu Linux.
cc @bhamail / @DarthHater