gopls/internal/lsp/mod: reorder vulncheck quick fixes Nudge developers towards recommended actions by listing them first. More specifically, 0) Other diagnostics if any (e.g. errors in go.mod) 1) Run govulncheck 2) Upgrade to a specific version 3) Upgrade to latest 4) Reset govulncheck result Fixes golang/vscode-go#2576 Change-Id: Ib83f8dab5a1c5bea600fe1ec61701218c7a65ac1 Reviewed-on: https://go-review.googlesource.com/c/tools/+/461555 Reviewed-by: Robert Findley <rfindley@google.com> Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com> Reviewed-by: Suzy Mueller <suzmue@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> gopls-CI: kokoro <noreply+kokoro@google.com>

commit: d1e92d6abad47f7f97f43ef66290fae701527842 [log] [tgz]
author: Hana (Hyang-Ah) Kim <hyangah@gmail.com> Tue Jan 10 21:49:15 2023 -0500
committer: Hyang-Ah Hana Kim <hyangah@gmail.com> Mon Jan 30 20:48:47 2023 +0000
tree: bbea72fb786b755e8992eb1b9e6a82d72ebf1426
parent: 87d00e630f8e636e931862dcc993ca2eb9c88c1c [diff]
diff --git a/gopls/internal/lsp/mod/diagnostics.go b/gopls/internal/lsp/mod/diagnostics.go
index 25860ea..fdab833 100644
--- a/gopls/internal/lsp/mod/diagnostics.go
+++ b/gopls/internal/lsp/mod/diagnostics.go

@@ -527,34 +527,37 @@
 	if len(actions) <= 1 {
 		return actions // return early if no sorting necessary
 	}
-	var others []protocol.CodeAction
+	var versionedUpgrade, latestUpgrade, resetAction protocol.CodeAction
+	var chosenVersionedUpgrade string
+	var selected []protocol.CodeAction
 
 	seen := make(map[string]bool)
 
-	set := make(map[string]protocol.CodeAction)
 	for _, action := range actions {
 		if strings.HasPrefix(action.Title, upgradeCodeActionPrefix) {
-			set[action.Command.Title] = action
+			if v := getUpgradeVersion(action); v == "latest" && latestUpgrade.Title == "" {
+				latestUpgrade = action
+			} else if versionedUpgrade.Title == "" || semver.Compare(v, chosenVersionedUpgrade) > 0 {
+				chosenVersionedUpgrade = v
+				versionedUpgrade = action
+			}
+		} else if strings.HasPrefix(action.Title, "Reset govulncheck") {
+			resetAction = action
 		} else if !seen[action.Command.Title] {
 			seen[action.Command.Title] = true
-			others = append(others, action)
+			selected = append(selected, action)
 		}
 	}
-	var upgrades []protocol.CodeAction
-	for _, action := range set {
-		upgrades = append(upgrades, action)
+	if versionedUpgrade.Title != "" {
+		selected = append(selected, versionedUpgrade)
 	}
-	// Sort results by version number, latest first.
-	// There should be no duplicates at this point.
-	sort.Slice(upgrades, func(i, j int) bool {
-		vi, vj := getUpgradeVersion(upgrades[i]), getUpgradeVersion(upgrades[j])
-		return vi == "latest" || (vj != "latest" && semver.Compare(vi, vj) > 0)
-	})
-	// Choose at most one specific version and the latest.
-	if getUpgradeVersion(upgrades[0]) == "latest" {
-		return append(upgrades[:2], others...)
+	if latestUpgrade.Title != "" {
+		selected = append(selected, latestUpgrade)
 	}
-	return append(upgrades[:1], others...)
+	if resetAction.Title != "" {
+		selected = append(selected, resetAction)
+	}
+	return selected
 }
 
 func getUpgradeVersion(p protocol.CodeAction) string {

diff --git a/gopls/internal/regtest/misc/vuln_test.go b/gopls/internal/regtest/misc/vuln_test.go
index bbf99b3..e311356 100644
--- a/gopls/internal/regtest/misc/vuln_test.go
+++ b/gopls/internal/regtest/misc/vuln_test.go

@@ -503,16 +503,16 @@
 						msg:      "golang.org/amod has known vulnerabilities GO-2022-01, GO-2022-03.",
 						severity: protocol.SeverityInformation,
 						codeActions: []string{
-							"Upgrade to latest",
-							"Upgrade to v1.0.6",
 							"Run govulncheck to verify",
+							"Upgrade to v1.0.6",
+							"Upgrade to latest",
 						},
 					},
 				},
 				codeActions: []string{
-					"Upgrade to latest",
-					"Upgrade to v1.0.6",
 					"Run govulncheck to verify",
+					"Upgrade to v1.0.6",
+					"Upgrade to latest",
 				},
 				hover: []string{"GO-2022-01", "Fixed in v1.0.4.", "GO-2022-03"},
 			},
@@ -655,8 +655,8 @@
 						msg:      "golang.org/amod has a vulnerability used in the code: GO-2022-01.",
 						severity: protocol.SeverityWarning,
 						codeActions: []string{
-							"Upgrade to latest",
 							"Upgrade to v1.0.4",
+							"Upgrade to latest",
 							"Reset govulncheck result",
 						},
 						relatedInfo: []vulnRelatedInfo{
@@ -668,8 +668,8 @@
 						msg:      "golang.org/amod has a vulnerability GO-2022-03 that is not used in the code.",
 						severity: protocol.SeverityInformation,
 						codeActions: []string{
-							"Upgrade to latest",
 							"Upgrade to v1.0.6",
+							"Upgrade to latest",
 							"Reset govulncheck result",
 						},
 						relatedInfo: []vulnRelatedInfo{
@@ -679,8 +679,8 @@
 					},
 				},
 				codeActions: []string{
-					"Upgrade to latest",
 					"Upgrade to v1.0.6",
+					"Upgrade to latest",
 					"Reset govulncheck result",
 				},
 				hover: []string{"GO-2022-01", "Fixed in v1.0.4.", "GO-2022-03"},
commit	d1e92d6abad47f7f97f43ef66290fae701527842	[log] [tgz]
author	Hana (Hyang-Ah) Kim <hyangah@gmail.com>	Tue Jan 10 21:49:15 2023 -0500
committer	Hyang-Ah Hana Kim <hyangah@gmail.com>	Mon Jan 30 20:48:47 2023 +0000
tree	bbea72fb786b755e8992eb1b9e6a82d72ebf1426
parent	87d00e630f8e636e931862dcc993ca2eb9c88c1c [diff]