[BUG] Main panel is not populated with CVE information when working on a remote system by SSH

[pjotawake]

Description
When using the plugin through an SSH connection, it detects the vulnarbilities, however, it never shows the information of the CVE's in the main panel.

To Reproduce
Setup Visual Studio Code to use remote development by SSH ( see https://code.visualstudio.com/docs/remote/ssh ). Then add some malicious pip extensions and let the plugin detect the vulnerabilities, The Explorer panel will show a list with Sonatype Scan Results. Clicking on one of the results then does not populate the main panel with information about the CVE.

Expected behavior
Clicking on one of the results should populate the main panel with information about the CVE.

Screenshots

Desktop (please complete the following information):

• OS: Windows
• NodeJS Version: 16.14.2
• VS Code Version: 1.74.3
• Version of Extension: 1.2.5

Additional context
The machine with VSCode is a Windows machine, the remote system has Ubuntu Linux.

cc @bhamail / @DarthHater

[madpah]

Hi @pjotawake - thanks for taking the time to raise an Issue!

So we can investigate further, are you able to share the complete log file? The location of this will be the first line of the output in the Output Tab with Sonatype IQ Extension selected (as per your screenshot).

Thanks!

[pjotawake]

Hi @madpah , please find the requested logging attached.
vscode.log

[madpah]

Thanks @pjotawake - and can you confirm that this log includes you clicking on an item in the Tree View after the scan completes?

FYI - your log is missing some log entries that we'd expect to see (for seemingly no reason).

Appreciate you coming back to us.

[pjotawake]

Yes, confirmed. I only have changed the URL and the workspace username in that logging. I have collected the logging after the scan and then after 2 clicks in the Tree View.

Regards, P

[madpah]

Thanks @pjotawake - bit stumped here then. What we'll do is look to get a new release out in the coming week or so with some increased logging to see if we can track down where things are stopping / failing.

[pjotawake]

Thanks @madpah ! Looking forward to the new release. As soon as it is available, I'll test it again and let you know the results.

[madpah]

@pjotawake - we've just published a quick release with some additional logging in it (version 1.3.1). May take a few minutes to show in the VS Code Marketplace, but would absolutely appreciate you taking the time to re-test and share logs with this version when time permits.

My suspicion is that scripting may be being blocked on your system for some reason. The Component Detail view is essentially a local IFRAME which Javascript enabled. Just an idea - lets see what the logs reveal!

[pjotawake]

@madpah - first I have removed the old 1.2.5 extension altogether, both from my workstation and also from the remote system, also I manually deleted the directories related to the Sonatype IQ plugin. Rebooted the remote system to make sure not some VSCode process is still hanging around. Then installed the new 1.3.1 version from scratch.
Even though the logging in your updated version says "showAllVersions PostMessage: allversions", my main panel mysteriously remains empty. Also, I can see action happening in the trace logging when opening the tab which should display the details about the CVE. However, no HTML is rendered.
The Marketplace is being displayed without a problem, but I am not sure if it uses the same webView?
sonatype.log

[pjotawake]

Because of the "webView" in the new logging I now know what to look for. In the debugging of the main panel I can see the following line, confirming your suspicion:

2023-02-23 13:25:13.135 [info] update#setState idle
2023-02-23 13:25:15.561 [info] Starting extension host with pid 1740 (fork() took 87 ms).
2023-02-23 13:25:43.139 [info] update#setState checking for updates
2023-02-23 13:25:43.153 [info] update#setState downloading
2023-02-23 13:25:43.159 [info] update#setState ready
2023-02-23 13:29:17.280 [error] Blocked vscode-webview request vscode-webview://0i12tjhrc6fkgm8166rii3ob28qkkju95ed58ska5s2haretjqtu/index.html?id=0bdffda8-107e-43ed-83e4-7a4b9448eca1&origin=5ae2ead0-60e0-4ef7-960e-d6a4f6c4b28e&swVersion=4&extensionId=SonatypeCommunity.vscode-iq-plugin&platform=electron&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&parentOrigin=vscode-file%3A%2F%2Fvscode-app&remoteAuthority=ssh-remote%2Bsystem