Skip to content

Feat tars first test change#1332

Draft
tarsnyk wants to merge 19 commits into
mainfrom
feat-tars-first-test-change
Draft

Feat tars first test change#1332
tarsnyk wants to merge 19 commits into
mainfrom
feat-tars-first-test-change

Conversation

@tarsnyk

@tarsnyk tarsnyk commented Jun 8, 2026

Copy link
Copy Markdown

Disables CLI path input field when 'manage binaries automatically' checkbox is ticked.

Screenshot 2026-06-08 at 11 56 05 AM

@tarsnyk tarsnyk requested a review from a team as a code owner June 8, 2026 15:57
@CLAassistant

CLAassistant commented Jun 8, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@snyk-io

snyk-io Bot commented Jun 8, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@snyk-pr-review-bot

Copy link
Copy Markdown

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Architecture Inconsistency 🟠 [major]

The untrustedFolderLearnMoreURL is hardcoded to a VS Code documentation page. Since the Language Server supports IntelliJ and Visual Studio integrations, users in those IDEs will receive instructions that do not match their environment's workspace trust mechanisms. The code already contains a TODO indicating that this should branch based on the integration name (clientInfo.name), similar to how config_html.go handles IDE-specific UI strings.

const untrustedFolderLearnMoreURL = "https://docs.snyk.io/ide-tools/visual-studio-code-extension/workspace-trust"
Performance Risk 🟡 [minor]

The applyTruncation function iterates over all visible file labels and calls window.getComputedStyle via ensureMeasureFont for every label. getComputedStyle is a layout-triggering property that can cause significant 'layout thrashing' if the tree contains many visible file nodes (e.g. up to 50 in the auto-expanded state). This calculation should be cached or performed once per node type outside the loop to ensure UI responsiveness during expansion or resizing.

ensureMeasureFont(label);
📚 Repository Context Analyzed

This review considered 48 relevant code sections from 13 files (average relevance: 0.90)

});
document.addEventListener('mouseout', function(e) {
// Ignore moves between descendants of the same titled element.
if (tooltipTarget && !tooltipTarget.contains(e.relatedTarget)) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical: e.relatedTarget can be null when the cursor leaves the browser window. tooltipTarget.contains(null) throws a TypeError in strict WebView2 / Firefox builds, leaving the tooltip stuck on screen for the rest of the session.

Fix: if (tooltipTarget && e.relatedTarget && !tooltipTarget.contains(e.relatedTarget)) — AI review

</ul>
</div>
<div class="tree-node-row tree-node-row-info untrusted-action-row">
<button type="button" class="untrusted-trust-btn" data-action="trust-folder">Trust folders and continue</button>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical: This button has data-action="trust-folder" but there is no click handler for that action anywhere in tree.js (or any other JS file). Clicking it is a no-op — snyk.trustWorkspaceFolders is never dispatched. The untrusted-folder feature is visually present but non-functional. — AI review


// True when this scanner has findings but the active filters hide them all.
unfilteredCount := len(computeIssueStats(flattenIssues(allByProduct[p])).uniqueIssues)
hiddenByFilter := totalIssues == 0 && unfilteredCount > 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should Fix: AllIssues includes issues suppressed by IssueViewOptions (OpenIssues=false, IgnoredIssues=false). When IVO hides all issues, unfilteredCount > 0 is true, so hiddenByFilter fires and the child node incorrectly says "No issues found with these filters" instead of the IVO-specific message ("Open issues are disabled", etc.). This is a semantic regression. The denominator should be the IVO-filtered-but-not-severity-filtered count, not the raw AllIssues count. — AI review

} else if scanRegistered && !scanning && totalIssues == 0 {
// Surfaces the ✅ tick's meaning on hover; the child node carries any
// filter-aware detail.
tooltip = "No issues found"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should Fix: When hiddenByFilter == true, the scanner row tooltip unconditionally says "No issues found", but the child info node correctly says "No issues found with these filters". A user hovering the scanner row is misled into thinking there are no issues at all. Add hiddenByFilter to the tooltip condition:

if hiddenByFilter {
    tooltip = "No issues found with these filters"
} else if scanRegistered && !scanning && totalIssues == 0 {
    tooltip = "No issues found"
}
``` — AI review

// VS Code https://docs.snyk.io/ide-tools/visual-studio-code-extension/workspace-trust
// Visual Studio https://docs.snyk.io/developer-tools/snyk-ide-plugins-and-extensions/visual-studio-extension/visual-studio-workspace-trust
// JetBrains https://docs.snyk.io/developer-tools/snyk-ide-plugins-and-extensions/jetbrains-plugin/jetbrains-plugin-folder-trust
const untrustedFolderLearnMoreURL = "https://docs.snyk.io/ide-tools/visual-studio-code-extension/workspace-trust"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should Fix: This URL is hardcoded to the VS Code workspace-trust doc. JetBrains and Visual Studio users see VS Code–specific docs when the untrusted-folder banner appears. The TODO comment documents the correct fix (config_html.go already does this via INTEGRATION_ENVIRONMENT). Please implement before merging — shipping wrong docs for two of three supported IDEs is a user-facing correctness bug. — AI review

Comment thread domain/ide/treeview/tree_html_test.go Outdated
assert.Contains(t, html, `id="expandAllBtn"`)
assert.Contains(t, html, `id="collapseAllBtn"`)
// IDE-1863: Expand/Collapse All buttons were removed from the toolbar in
// favour of per-scanner chevrons.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should Fix: favour triggers the misspell linter (favourfavor). This will fail make lint. — AI review

transform: translate(-50%, -75%) rotate(45deg);
}
[data-product-id].tree-node-has-children:not(.expanded) > .tree-node-row > .tree-chevron::before {
transform: translate(-75%, -50%) rotate(-45deg);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The collapsed chevron transform translate(-75%, -50%) rotate(-45deg) produces a left-pointing arrow. The comment above says "Points down when expanded, right when collapsed" — a right-pointing caret is the standard convention for a collapsed tree node. Check the rendered result; rotate(45deg) with translate(-50%, -75%) (same as the expanded state rotated to point right) may be the intended transform. — AI review

@bastiandoetsch

Copy link
Copy Markdown
Contributor

AI Review Summary — snyk/snyk-ls #1332

Verdict: Changes Requested — 2 Critical, 4 Should Fix, 1 Suggestion found in-diff.

Critical (block merge)

  1. Trust button dead-end (tree.html:157) — data-action="trust-folder" has no JS handler; clicking does nothing. snyk.trustWorkspaceFolders is never dispatched.
  2. Tooltip null crash (tree.js:827) — tooltipTarget.contains(e.relatedTarget) throws when cursor leaves the window (relatedTarget === null). Tooltip gets stuck.

Should Fix

  1. hiddenByFilter misattributes IVO suppression (tree_builder.go:244) — AllIssues counts issues hidden by IssueViewOptions (open/ignored toggles), not just severity filters. Causes wrong "with these filters" message when IVO settings hide everything.
  2. Tooltip contradicts child node (tree_builder.go:300) — Scanner row tooltip says "No issues found" even when hiddenByFilter == true; child node says "with these filters". Fix: check hiddenByFilter before setting tooltip.
  3. Hardcoded VS Code docs URL (tree_html.go:182) — JetBrains and Visual Studio users get VS Code–specific workspace-trust docs. The TODO documents the fix (branch on INTEGRATION_ENVIRONMENT like config_html.go).
  4. Lint failure: favourfavor (tree_html_test.go:323) — Triggers misspell linter, breaks make lint.

Suggestion

  1. Collapsed chevron direction (styles.css:221) — rotate(-45deg) produces a left-pointing arrow; comment says "right when collapsed". Verify the rendered result.

Also noted (out-of-diff)

  • filter-empty InfoVariant emitted as hidden with no JS to reveal it — appears to be dead UI for now (no WithInfoVariant("filter-empty") callsites).
  • WithInfoVariant / WithFolderPaths exported but uncalled — 0% coverage on these option functions.

Security

Clean. html/template auto-escapes folder paths; tooltip JS uses textContent throughout (no XSS). Pre-existing SCA vulns in golang.org/x/crypto and go-git are not introduced by this PR.

— AI review

@andrewrobinsonhodges-snyk andrewrobinsonhodges-snyk marked this pull request as draft June 11, 2026 08:27
@tarsnyk tarsnyk changed the base branch from main to feat/html-tree-view-ga June 22, 2026 16:32
Base automatically changed from feat/html-tree-view-ga to main June 23, 2026 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants