✨ Provide CWE Selector

[C-Valen]

OSIDB-3743 CWE Selector UI

Checklist:

• Commits consolidated
• Changelog updated
• Test cases added/updated
• Jira ticket updated

Summary:

Update for the OSIM UI to provide a CWE Selector using suggestions to help users.
Corrections in the Mitre service logic

Changes:

• Corrects CweService.ts to use the proper data for weaknesses
• Adds new CweSelector component to be used in the flaw form
• Adds keyboard navigation to the dropdown menu
• Adds new test cases and update snapshots

Considerations:

• Depends on ✨ OSIDB-3480: CWE api service implementation #521

Closes OSIDB-3743

[MrMarble]

We need to fix the event handler, other comments are minor changes

[MrMarble]

Why add the event to the window instead of the DOM node? just use @keydown on the element like we do with @click.

Also if we add an eventListener manually we need to take care of removing it, since it is added to the window the event is not destroyed even if the component is unmounted, so the event is always listening, this is a memory leak, also, each time the component is mounted a new event is added without removing the old one, so it will trigger multiple times.

See this playground as an example https://play.vuejs.org/

In case this is needed we could remove it like this:

onUnmounted(() => {
  window.removeEventListener('keydown', handleKeyDown);
});

[MrMarble]

Because the event is on window even if I'm not focus on it, it will trigger the handler

Screencast.From.2025-01-27.10-12-13.mp4

[MrMarble]

I know we do this everywhere, but it is needed? ZodError won't be null as far as I know, is either defined or undefined

Suggested change

	error?: null | string;
	error?: string;

[MrMarble]

We should export the constant in the service and use it instead of this magic string

osim/src/services/CweService.ts

Line 4 in 7fd876d

const DATA_KEY = 'CWE:API-DATA';

[MrMarble]

We could use bootstrap classes for this

Suggested change

	class="item gap-1"
	:class="{'selected': index === selectedIndex }"
	style="display: flex; justify-content: space-between;"
	class="item gap-1 d-flex justify-content-between"
	:class="{'selected': index === selectedIndex }"

[MrMarble]

I don't know if we should use thestyle attribute when we also have custom css.
Bootstrap provides flex-grow-X and flex-shrink-X classes, but they are a bit verbose, maybe we could use a class flex-1 and flex-3 and use that instead, that way if the style needs to change only the class needs to be updated and not each component individually

[MrMarble]

Same here, no need for props.

Suggested change

	:error="props.error"
	:error

[MrMarble]

All the tests make use of the vm attribute to access internal state, but none of them tests actual component behavior, the functions may work but how do we know they are triggered when a user clicks something or enter text in the searchbox?

[superbuggy]

Agreed, I have been trying to pay closer attention to the tests I write testing the UI and not the business logic of a component. That said, composables make sense to test for business logic though.

[MrMarble]

Make it at least a VueWrapper so the exists, html and vm properties work.

Suggested change

	let wrapper: any;
	let wrapper: VueWrapper<any>;

[MrMarble]

is this necessary? we are not mocking those components

[MrMarble]

If the user already has the CWE:API-DATA localStorage object, all these new properties will not exists until the version of mitre is updated, since we haven't published the cwe selector to prod I don't think we should handle it, just keep in mind to tell the users to clean the localStorage if they are testing this, as some of it could fail

Actually it fails, the getUsageClass from CweSelector fill throw an error because usage is undefined and the call to .toLowerCase() fails

[MrMarble]

You added the class but forgot to remove the style

Suggested change

	class="item gap-1 d-flex justify-content-between"
	:class="{'selected': index === selectedIndex }"
	style="justify-content: space-between;"
	class="item gap-1 d-flex justify-content-between"
	:class="{'selected': index === selectedIndex }"

[superbuggy]

Left some suggestions, and a couple of minor change requests

[superbuggy]

We're sort of split between usage of null and undefined in the codebase, but maybe undefined is better as a props default since the null values should come from the errors in useFlawModel

[superbuggy]

I think I like what you have here better than the default nulls we have elsewhere

[superbuggy]

Safest to wrap this in a try/catch block

[superbuggy]

Is this to defer/delay the click event until the query has been parsed into a suggestion?

[C-Valen]

Not exactly. That is to ensure the suggestions and query have been updated in the DOM before the optional callback function (fn) is processed.
For example in the scenario of triggering the abort action (pressing ESC) just after clicking a suggestion.

[superbuggy]

That makes sense, would you mind adding a comment to that effect (waiting for 'abort'/'commit' events)?

[superbuggy]

Suggested change

	onMounted(() => {
	loadCweData();
	});
	onMounted(loadCweData);

[superbuggy]

Suggested change

	<i v-show="cwe.summary != ''" class="icon bi-info-circle" :title="cwe.summary" />
	<i v-show="cwe.summary !== ''" class="icon bi-info-circle" :title="cwe.summary" />

unless this is what you want, then I think this would be equivalent:

Suggested change

	<i v-show="cwe.summary != ''" class="icon bi-info-circle" :title="cwe.summary" />
	<i v-show="cwe.summary" class="icon bi-info-circle" :title="cwe.summary" />

[superbuggy]

I wonder if it would be better to mock loadCweData here or use a localstorage mock, then test something in the UI showing up as a result, otherwise we're effectively testing Vue internals and JavaScript LocalStorage