-
Notifications
You must be signed in to change notification settings - Fork 205
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change data models, to fix existing issues #206
Comments
I just watched few talks about database indexing and django, looking back at these models, they are not perfect considering the indexing(order in |
For VulnerabilityReference, IMHO each URL is a different URL... I do not see the value to use an arrayfield there. That's OK to have the same data with different URLs. And what about that :
and type could be any of the various cvss, a severity, or "other" |
Last time I checked https://github.com/intel/cve-bin-tool , they also used such a model with minor differences. I like the The only issues I have with this is
We could also get more sophisticated by populating the Last time we discussed about this issue, you also mentioned that we could get sophisticated by storing timestamps of when the scores were given, which is now possible thanks to @haikoschol 's |
@pombredanne re
The rationale behind using arrayfield is I want to have |
Regarding the proposed
Regarding the proposed IIRC, one issue that came up when implementing the new import mechanism was related to cascading deletes in Regarding #141: I'm not sure I understand the issue. What would be a concrete scenario that triggers it? Is it something like this:
If the data source supports detecting updates to existing advisories, it should work fine. If the data source does not support it, there is nothing we can do automatically, so have to rely on curations. |
Sure I didn't give it much thought , I want to have the big things right first.
The scenario described is perfect. Rather it actually happened a while ago when you discovered that wrong version range in safety-db |
I remember now, a while back I had posted something like this in chat This doesn't error out , but it should
This errors out fine,
So in the latter case, we were storing empty string in db, while the first case stored NULL in db. The first case creates duplicates. IMHO empty string seems better in this |
Ah, that's the reason for this behaviour. Makes sense and yet another reason to avoid |
we have to be consistent in all cases... @tdruez what's your take on the blank/null thing on Django fields? |
Here are my notes what our live discussion today:
|
@pombredanne https://docs.djangoproject.com/en/3.0/ref/models/fields/#null
|
Fixed finally via #259 |
Vulnerability model diff
Old Vulnerability model
New Vulnerability model
In the new
Vulnerability
model,cvss
which is a severity indicator, is removed, the reason being, every data source rates the same vulnerability differently, hence we need some additional context when talking about severity. Hence all severity related fields are moved toVulnerabilityReference
.I also felt moving
reference_ids
here makes more sense. We would want a way to avoid entries duplicate entries inreference_id
which I guess is possible, check https://stackoverflow.com/questions/49252135/how-to-save-arrayfield-as-set-in-djangoImpactedPackage
Note: We would delete
ResolvedPackage
and renameImpactedPackage
to something else. Since their exact funtionality can be mimicked by a more efficient boolean field. This will also reduce the number of db queriesOld ImpactedPackage
New ImpactedPackage
Note: This won't be called ImpactedPackage, please suggest a good name.
The
version_range
will contain mathematical comparator symbols like '<,>,=' , (This will also support complex ranges like>1.0.0, <9.8.10
basically anything thatdephell_range_specifier.RangeSpecifier
supports) . This is very useful in cases where the data sources don't provide concrete versions. In the cases where concrete versions are provided we can always haveversion_range= '='
.I haven't figured out how to solve #141, need help . Maybe adding
Importer
FK might help.VulnerabilityReference
Old VulnerabilityReference
New VulnerabilityReference
Lots of changes here. We have here a FK of Importer, which makes logical sense since different data sources will say different things about the same vulnerability(hence the new
unique_together
)Other changes include addtion of more severity indicators and using
pgfields.ArrayField
to storeurls
because we don't want to create aVulnerabilityReference
for each url with other fields having same data.Updated
Gets us closer to fix #18, #157, #140, #209 and allows us to collect data from any advisories which don't provide concrete versions(but provide version ranges)
The text was updated successfully, but these errors were encountered: