Add recommended Git versions chart #174
Conversation
Force-pushed from 700a37b to c10df06.
This looks exciting 👍
```html
<canvas data-type="recommended-git-versions"></canvas>
<div class="info-box">
  <p>
    Shows how many users connected with recommended, outdated, and vulnerable Git clients.
```
I am not sure ATM... does it work for SSH? It sure does for HTTPS.
In addition, maybe we should mention that the numbers are only correct for command line Git clients and UIs that use the command line Git clients under the hood (e.g. SourceTree). GitHub Desktop, SmartGit, etc. might have a different name in the logs.
Very good points. I’ll have to check, and I’ll update the descriptions accordingly. If you have any suggestions, feel free to submit a new suggested change (I’ve never tried them out before).
@larsxschneider: Thanks for your thorough and constructive review! I’ll address your points as discussed above.
Force-pushed from c10df06 to 4aa0007.
@larsxschneider: I was so busy in the last weeks, but let’s try and get this merged in the next days. What do you think are the blockers here? I’d prefer to merge a minimal version of this soon, and we can still address the other issues later as necessary.
Force-pushed from 4aa0007 to aff3219.
The “git-versions.json” file contains information about the public releases of Git. This includes all stable versions along with their release dates as well as a list of all publicly disclosed Git vulnerabilities and which versions they affect. The intent of this file is to be able to discern which Git versions are not recommended for production use, because they are outdated or affected by known vulnerabilities. This file is up-to-date as of 2019-02-27 and includes Git 2.21.0 as well as CVE-2018-17456. Git versions before 2.0.0 and vulnerabilities in versions released before 2017 were omitted for simplicity, because all Git versions earlier than that are affected by at least one vulnerability known before this was implemented anyway.
This script fetches all Git release tags and their publication dates from the official Git repository and updates the “git-versions.json” file with the new list of Git versions. This is useful to regularly update the Git release JSON database without having to manually look up the latest Git releases.
This adds manually crafted data for the detailed Git versions report, which simulates Git version upgrade trends with a large user base.
These functions add support for parsing and comparing versions according to the semantic versioning specification [1]. In addition, a function is provided to check whether a given version fulfills a compound version requirement such as “>2.9 <= 2.19.2”. All functions are covered by unit tests. This temporarily allows the functions related to semantic versioning to be unused in the ESLint configuration, because they will only be used in a subsequent commit, and ESLint would complain otherwise. [1] https://semver.org/
This introduces the GitVersionsDatabase class, which loads and stores the Git release information previously added. Additionally, the database flags which Git versions are recommended, outdated, and vulnerable. A Git version is considered vulnerable at a specific date if there existed a vulnerability that was publicly disclosed at that time. A client is counted as outdated if there was a newer patch release available at that date. All Git clients that are neither vulnerable nor outdated by these definitions are recommended for production use. To detect outdated and vulnerable versions, Git versions are compared against the affected version ranges stated in the Git release database according to the semantic versioning specification. Unit tests ensure the correct annotation of recommended, outdated, and vulnerable versions in the database.
This adds area charts as a new chart type. Area charts visualize datasets not as single lines starting from 0 but as stacked areas. Area charts are useful to visualize data that is comprised of multiple parts that add up to a total. In this way, the sum of all datasets can easily be tracked as well as the relative distribution of the individual parts.
This adds a chart that shows how many users are using Git clients that are recommended, outdated, and vulnerable as a stacked area chart. The chart obtains its data from the previously introduced Git release database and uses an area chart for visualizing the results. The actual recommended Git versions chart is built on top of the area chart and performs only the operations necessary to prepare the data accordingly. The unit tests cover the correct computation of how many versions were recommended, outdated, and vulnerable at a given date based on recorded usage data.
With this patch, the Git release database is preferentially retrieved online from the official Hubble demo page [1] if it is accessible. This has the advantage that users will see more recent Git version information than is locally available on their local installation (which dates back to the respective release date). The idea is to regularly update the Git release database in the public repository to make recent information about vulnerabilities immediately visible to Hubble users. In the case that the remote copy of the Git release database is not accessible (for instance, because of corporate network restrictions), the local copy will be used as a fallback. [1] https://autodesk.github.io/hubble/assets/js/git-versions.json
This adds support for a new option that automatically normalizes a stacked area chart. With normalization turned on, the area chart will render the datasets with relative values and adjust the y axis to show percentages instead of absolute values. This is interesting for the recommended Git versions chart, where it makes sense to show the relative number of recommended clients in order to track upgrade trends better.
This adds an option to specify custom colors for datasets in the area chart. This is done through a mapping from dataset IDs to color specifiers chosen from a built-in list of color names. With this option, the recommended Git versions chart is colorized such that vulnerable versions are rendered red, outdated ones yellow, and recommended ones green.
In the event that some Git version was recorded that isn’t known to the Git release database, this patch introduces an “unknown” dataset that is invisible otherwise.
Force-pushed from aff3219 to 2bce45f.
@larsxschneider: If you don’t object, I’ll merge this pull request tomorrow. Let’s open separate issues and pull requests for the open ends.
This adds a chart that shows how many users are using Git clients that are recommended, outdated, and vulnerable as a stacked area chart.
Screenshot
Details
A Git version is considered vulnerable at a specific date if there existed a vulnerability that was publicly disclosed at that time. A client is counted as outdated if there was a newer patch release available at that date. All Git clients that are neither vulnerable nor outdated by these definitions are recommended for production use.
The chart obtains its data from the previously introduced Git release database. The `GitVersionsDatabase` class reads this database and flags Git versions according to the recommended/outdated/vulnerable classification. For this to work, Git versions are compared against the affected version ranges stated in the Git version database according to the semantic versioning specification. For visualizing the results, a new area chart is implemented. The actual recommended Git versions chart is built on top of the area chart and performs only the operations necessary to prepare the data accordingly.
I manually crafted demo data to visualize the chart on autodesk.github.io/hubble and for the unit tests to work.
Unit tests cover parsing and comparing semantic versions, the correct annotation of recommended, outdated, and vulnerable versions in the database, and the correct computation of how many versions were recommended, outdated, and vulnerable at a given date based on recorded usage data.
Neat Features
Stacked area charts are now available (a731866) and include customization options such as whether or not to normalize the data (14f95b8) and custom color selection for the datasets (516239d).
The Git release database is preferentially retrieved from autodesk.github.io/hubble if accessible to obtain more recent data (d73269a). If the online database file can’t be reached, the local copy will be used as a fallback. I also added a script to easily update the Git release database in the future (e8f00fa). All we need to do is invoke this script and publish these changes on the `master` branch, and the most recent Git version information will immediately be available to all Hubble users.

Notes
I spent a lot of time dissecting this huge pull request into easy-to-review commits. So this pull request is best reviewed commit by commit.
This implementation leverages many ECMAScript 6 features that we didn’t use before (classes, for-of loops, etc.) and that are widely supported by browsers. While I know that this introduces inconsistencies with the existing code base, I think that this change is for the better. I’ll go over the existing chart implementations and adjust them in analogy to what I implemented for area charts and the recommended Git versions chart.
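The semver helpers, the compound version requirement check, the vulnerable/outdated/recommended classification and the per-date tally with optional normalization that the commit messages and the description above outline, written out as an added example. This is not Hubble’s own code: the release database, the vulnerability entry `EXAMPLE-1`, the usage records and the reading of “newer patch release” as a later release in the same major.minor line are constructed assumptions for illustration, not the contents of the real `git-versions.json`.

```javascript
// Added example (not Hubble's code): semver comparison, compound requirements,
// and the recommended/outdated/vulnerable classification applied to a
// constructed release database and a constructed usage log.

// Parse "2.19.2" (an optional leading "v" and a missing patch are tolerated)
// into [major, minor, patch]; anything else is rejected rather than guessed.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?$/.exec(String(str).trim());
  if (!m) throw new Error(`not a semantic version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Numeric comparison per component, so 2.19.10 sorts after 2.19.2.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] - vb[i];
  }
  return 0;
}

// Check a compound requirement such as ">2.9 <= 2.19.2": every clause must hold.
function satisfies(version, requirement) {
  const clauses = requirement.match(/(>=|<=|>|<|=)\s*v?\d+(?:\.\d+){0,2}/g) || [];
  return clauses.every((clause) => {
    const [, op, target] = /^(>=|<=|>|<|=)\s*(\S+)$/.exec(clause);
    const c = compareVersions(version, target);
    switch (op) {
      case '>': return c > 0;
      case '>=': return c >= 0;
      case '<': return c < 0;
      case '<=': return c <= 0;
      default: return c === 0;
    }
  });
}

// Constructed release database in the shape described for git-versions.json.
// Dates, the vulnerability id and its affected range are illustrative only.
const DATABASE = {
  releases: [
    { version: '2.19.0', date: '2018-09-10' },
    { version: '2.19.1', date: '2018-10-05' },
    { version: '2.19.2', date: '2018-11-21' },
    { version: '2.20.0', date: '2018-12-09' },
  ],
  vulnerabilities: [
    { id: 'EXAMPLE-1', disclosed: '2018-10-05', affected: '>=2.19.0 <2.19.1' },
  ],
};

// Classify one client version as seen on a given ISO date. ISO dates compare
// correctly as strings. "Outdated" is read here (assumption) as: a later
// release in the same major.minor line was already published on that date.
function classify(db, version, date) {
  const known = db.releases.some((r) => compareVersions(r.version, version) === 0);
  if (!known) return 'unknown';
  const vulnerable = db.vulnerabilities.some(
    (v) => v.disclosed <= date && satisfies(version, v.affected));
  if (vulnerable) return 'vulnerable';
  const [major, minor] = parseVersion(version);
  const newerPatch = db.releases.some((r) => {
    const [rMajor, rMinor] = parseVersion(r.version);
    return r.date <= date && rMajor === major && rMinor === minor &&
      compareVersions(r.version, version) > 0;
  });
  return newerPatch ? 'outdated' : 'recommended';
}

// Sum usage records {date, version, users} per date and category; with
// normalize=true the result holds percentages, as the normalized area chart does.
function tally(db, records, normalize = false) {
  const byDate = new Map();
  for (const { date, version, users } of records) {
    if (!byDate.has(date)) {
      byDate.set(date, { recommended: 0, outdated: 0, vulnerable: 0, unknown: 0 });
    }
    byDate.get(date)[classify(db, version, date)] += users;
  }
  const result = {};
  for (const [date, counts] of byDate) {
    const total = Object.values(counts).reduce((a, b) => a + b, 0);
    result[date] = normalize && total > 0
      ? Object.fromEntries(Object.entries(counts).map(([k, n]) => [k, (100 * n) / total]))
      : counts;
  }
  return result;
}

// Constructed usage log: 2.18.0 is deliberately absent from DATABASE.
const USAGE = [
  { date: '2018-10-01', version: '2.19.0', users: 80 },
  { date: '2018-10-01', version: '2.18.0', users: 20 },
  { date: '2018-10-10', version: '2.19.0', users: 60 },
  { date: '2018-10-10', version: '2.19.1', users: 40 },
  { date: '2018-12-10', version: '2.19.2', users: 50 },
  { date: '2018-12-10', version: '2.20.0', users: 50 },
];

console.log(JSON.stringify(tally(DATABASE, USAGE, true), null, 2));
```

Two details worth noticing when running it: on 2018-10-01 the same 2.19.0 clients are still “recommended”, because the vulnerability is only counted from its disclosure date, and on 2018-12-10 both 2.19.2 and 2.20.0 count as recommended under the “newer patch release” definition even though a newer minor exists. The unknown 2.18.0 clients land in the separate “unknown” bucket rather than distorting the other three.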