Add pipeline to unfurl affected VERS range in V2 impacts #1995
Conversation
- Resolves Create pipeline to unfurl version ranges #1967
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
|
|
||
| affecting_vers = models.TextField( | ||
| blank=True, | ||
| null=True, |
There was a problem hiding this comment.
IMO, we should have a check that at least one of affecting_vers or fixed_vers should exist while creating/saving an object
There was a problem hiding this comment.
We’re being bit flexible in what we accept to make sure we at least store the base purl, even if we don't get affecting or fixed vers. And if there are no affecting or fixed vers, we will not attempt to unfurl no harm done.
|
|
||
| return package, is_created | ||
|
|
||
| def bulk_get_or_create_from_purls(self, purls: List[Union[PackageURL, str]]): |
There was a problem hiding this comment.
Shall we have a boolean to mark if an impactd package is unfurled, so we do not unfurl that again
There was a problem hiding this comment.
We should not optimize for this right now, as sometimes during run we may not get complete list of versions due to timeout or network issue, and we don't want to skip processing them in our next pass.
| for impact in progress.iter(impacted_packages): | ||
| purl = PackageURL.from_string(impact.base_purl) | ||
| if not impact.affecting_vers or not any( | ||
| c in impact.affecting_vers for c in ("<", ">", "!") |
There was a problem hiding this comment.
Won't this ignore:
vers like this?
=1.0.0 or ^1.2.0
There was a problem hiding this comment.
No, this is a vers string, and VERS spec only allows >, <, and ! for comparison.
|
|
||
| try: | ||
| versions = [version_class(v) for v in versions] | ||
| except Exception as e: |
There was a problem hiding this comment.
Let's return an empty list by default, since the calling side expects something to iterate upon
There was a problem hiding this comment.
If no purls are returned, we will skip processing the current impact right away and go no further.
| affected_packages_v2 = PackageV2.objects.bulk_get_or_create_from_purls(purls=purls) | ||
|
|
||
| relations = [ | ||
| relation(impactedpackage=impact, packagev2=package) for package in affected_packages_v2 |
There was a problem hiding this comment.
Would there be a chance that duped relations may be created from this ?
There was a problem hiding this comment.
No duplicate relation can be created, we use ignore_conflicts=True while bulk creating to ignore already existing relations.
Signed-off-by: Keshav Priyadarshi <git@keshav.space>