Protect: Threat History Enhancements

[nateweller]

Related to #38117

Proposed Changes:

1. Move threat history to it's own route and page. Add routes for /scan/history and /scan/history/:filter.
2. Update navigation and filtering UI.

Testing Instructions:

• Review both the /scan and /scan/history pages in Jetpack Protect:
  • Free plan (Protect report, no history)
  • Paid plan (Scan report with history)
  • No threat history
  • Fixed and ignored threats
  • Fix or ignore threat from scanner, visit history tab

Does this pull request change what data or activity we track or use?

No

Screenshots

Scanner page:

History page:

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• 🔴 Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• 🔴 Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

🔴 Action required: Please include detailed testing steps, explaining how to test your change, like so:

## Testing instructions:

* Go to '..'
*

---

🔴 Action required: Please add missing changelog entries for the following projects: projects/plugins/protect

Use the Jetpack CLI tool to generate changelog entries by running the following command: jetpack changelog add.
Guidelines: /docs/writing-a-good-changelog-entry.md

---

Once your PR is ready for review, check one last time that all required checks appearing at the bottom of this PR are passing or skipped.
Then, add the "[Status] Needs Team Review" label and ask someone from your team review the code. Once reviewed, it can then be merged.
If you need an extra review from someone familiar with the codebase, you can update the labels from "[Status] Needs Team Review" to "[Status] Needs Review", and in that case Jetpack Approvers will do a final review of your PR.

---

Protect plugin:

• Next scheduled release: August 6, 2024.
• Scheduled code freeze: July 29, 2024.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/protect-threat-history-refactor branch.

  • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack add/protect-threat-history-refactor
  

  bin/jetpack-downloader test jetpack-mu-wpcom-plugin add/protect-threat-history-refactor
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[dkmyta]

Summarizing a little of what we discussed in Slack and adding a few further comments, questions, nitpicks. Sorry if its a lot, having worked on this the past few weeks a lot of the challenges I faced are fresh in my mind so I wanted to ensure we at the very least discussed them.

I think it would be helpful to be able to filter the scan history results so a user doesn't have the scroll way down and sift through results (if they have a lengthy history) to find what they might be looking for. Obviously pagination would help, but since the list is sorted by fixedOn date currently, being able to filter by plugin, theme, core, database, file like we can the scan results could also be useful here.

If we do keep the same format for the navigation sidebar, should we keep the other related items eg - 1 threat found subheading in the Summary and All threats title in the ThreatList:

Non-blocking nitpick - I see the Scan now button is now under the message in the EmptyList component on the ScanPage, but it could use some top-margin so its appropriately spaced out from the text above?

I believe we'll need error handling on the ScanHistoryPage, like we do for the ScanPage when the endpoint returns an unexpected result. Further to that, we'll want a way to get from the ScanPage error/unavailable and scanning state to the ScanHistoryPage and vice-versa. I don't believe a loading state is necessary for the scan history as the retrieval is nearly immediate - if necessary, perhaps the button could set the loading prop in a situation where it might take slightly longer (the initial API call)?

Non-blocking nitpick, the Scanner/ History ButtonGroup component was initially confusing to me. At first glance it looked like two buttons that were missing a gap and having the Scan now button beside the Scanner button felt odd (I see this part already changed though). Once I understood the reasoning for it, it did grow on me, but I think it might still be less confusing to just display the History or Scanner button conditionally based on the path? That will make it easier to address the above point because we'd only need one or the other in those cases.

A lot of what I removed/refactored on the ScanPage in the base PR I think is still relevant - there were things we were setting that were unused or duplicated and the structure was becoming confusing. I think it's worth going over that once more and ensuring we get it fixed up in this process.

With regard to the ScanHistoryPage empty list content, I wonder if now that we can be certain what filter is being applied (ignored or fixed) based on the URL, we can update the text to express that - eg. So far, there are no **fixed** threats in your scan history...

When a threat is in the ignored historic results, we still allow users to fix it if that is an option in Calypso, I think we'll want to maintain that here as well. On that note, as we discussed briefly in Slack, when you ignore then unignore a threat (only possible from VPMC currently), it will show up in the current threats list but with all the conditional content of the a historic list item. It appears it does because it retains the status of ignored after that process is complete.

I am not sure if this was always an issue but a ThreatsList item for a WordPress version threat could use some improvement, or at least a title to explain immediately what the threat is related to. Currently, it appears like so:

[dkmyta]

You mentioned previously that there might be casing conversion function in the redux store somewhere, if even necessary anymore we'll want to ensure we get this part fixed up with that or remove it if not.

[nateweller]

Closing in favour of #38325