Closed by drewgillies 4 years ago
This is by design. We need to harvest all nuget ranges and let them auto update. A hard package delete will ultimately result in an advisory update which can be ingressed in due course. This design decision doesn't affect the db as thought, as the attached issue is determined to have had another cause.
In this code: https://github.com/NuGet/NuGetGallery/blob/master/src/NuGetGallery/Services/PackageDeleteService.cs#L321 there is no removal of related vulnerability rows. Specifics:

- `VulnerablePackageVersionRangePackages` (the m:m table which connects `Packages` rows to `VulnerablePackageVersionRanges` rows). This needs to be confirmed, but it seems to be the case, as we don't have orphaned rows occurring here.
- Where a `VulnerablePackageVersionRanges` row no longer has any package/version rows in `Packages` associated with it by a row in `VulnerablePackageVersionRangePackages`, it should be removed explicitly.
- Where a `PackageVulnerabilities` row no longer has entries in `VulnerablePackageVersionRanges` with links to it, it should be deleted explicitly.

Having orphaned rows has resulted in ingress job failures (which can also be made more robust). If a package with vulnerabilities has been hard-deleted and is reintroduced into the database, the GitHub data can be re-polled as if it were a new package.

/cc @xavierdecoster
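The orphan chain described in the issue, modelled in an in-memory SQLite database as an added example (this is not NuGetGallery code and does not use its Entity Framework model). Only the four table names come from the issue; the column names, the foreign keys, the cascade on the m:m table and the sample rows are all assumptions constructed for the example. It hard-deletes a package the way the issue describes (package row plus m:m rows only), runs an orphan check of the kind an ingestion job could use to guard itself, then removes the orphaned range and vulnerability rows explicitly in dependency order.

```python
"""
Added example, not NuGetGallery code. Table names are from the issue; the
columns, keys and sample data below are assumptions made for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE Packages (
    PackageKey INTEGER PRIMARY KEY,
    PackageId  TEXT NOT NULL,
    Version    TEXT NOT NULL);
CREATE TABLE PackageVulnerabilities (
    VulnerabilityKey INTEGER PRIMARY KEY,
    AdvisoryUrl      TEXT NOT NULL);
CREATE TABLE VulnerablePackageVersionRanges (
    RangeKey            INTEGER PRIMARY KEY,
    PackageId           TEXT NOT NULL,
    PackageVersionRange TEXT NOT NULL,
    VulnerabilityKey    INTEGER NOT NULL
        REFERENCES PackageVulnerabilities(VulnerabilityKey));
-- m:m table. The issue observes that these rows do go away on package delete;
-- that behaviour is modelled here with ON DELETE CASCADE (an assumption).
CREATE TABLE VulnerablePackageVersionRangePackages (
    RangeKey   INTEGER NOT NULL REFERENCES VulnerablePackageVersionRanges(RangeKey),
    PackageKey INTEGER NOT NULL REFERENCES Packages(PackageKey) ON DELETE CASCADE,
    PRIMARY KEY (RangeKey, PackageKey));
"""

# Constructed sample data: two versions of one package share a single vulnerable range.
SEED = """
INSERT INTO Packages VALUES (1, 'Contoso.Lib', '1.0.0'), (2, 'Contoso.Lib', '1.1.0'),
                            (3, 'Fabrikam.Core', '2.0.0');
INSERT INTO PackageVulnerabilities VALUES (10, 'https://example.invalid/advisory-A'),
                                          (11, 'https://example.invalid/advisory-B');
INSERT INTO VulnerablePackageVersionRanges VALUES (100, 'Contoso.Lib', '[1.0.0, 1.2.0)', 10),
                                                  (101, 'Fabrikam.Core', '(, 2.0.0]', 11);
INSERT INTO VulnerablePackageVersionRangePackages VALUES (100, 1), (100, 2), (101, 3);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs (and cascades) with this on
    conn.executescript(SCHEMA + SEED)
    return conn


def hard_delete_package(conn, package_key):
    """Mimic the hard delete as the issue describes it: the Packages row goes away
    (and its m:m rows with it); range and vulnerability rows are not touched."""
    conn.execute("DELETE FROM Packages WHERE PackageKey = ?", (package_key,))
    conn.commit()


def find_orphans(conn):
    """Integrity check: ranges with no linked package, vulnerabilities with no range."""
    ranges = [r for (r,) in conn.execute("""
        SELECT r.RangeKey FROM VulnerablePackageVersionRanges r
        WHERE NOT EXISTS (SELECT 1 FROM VulnerablePackageVersionRangePackages m
                          WHERE m.RangeKey = r.RangeKey)
        ORDER BY r.RangeKey""")]
    vulns = [v for (v,) in conn.execute("""
        SELECT v.VulnerabilityKey FROM PackageVulnerabilities v
        WHERE NOT EXISTS (SELECT 1 FROM VulnerablePackageVersionRanges r
                          WHERE r.VulnerabilityKey = v.VulnerabilityKey)
        ORDER BY v.VulnerabilityKey""")]
    return {"ranges": ranges, "vulnerabilities": vulns}


def cleanup_orphans(conn):
    """Explicit removal in dependency order: ranges that lost their last package,
    then vulnerabilities that lost their last range. Returns (ranges, vulnerabilities)."""
    with conn:  # one transaction; rolled back if either statement fails
        ranges_deleted = conn.execute("""
            DELETE FROM VulnerablePackageVersionRanges
            WHERE RangeKey NOT IN (SELECT RangeKey FROM VulnerablePackageVersionRangePackages)""").rowcount
        vulns_deleted = conn.execute("""
            DELETE FROM PackageVulnerabilities
            WHERE VulnerabilityKey NOT IN (SELECT VulnerabilityKey FROM VulnerablePackageVersionRanges)""").rowcount
    return ranges_deleted, vulns_deleted


def remaining_vulnerabilities(conn):
    return [v for (v,) in conn.execute(
        "SELECT VulnerabilityKey FROM PackageVulnerabilities ORDER BY VulnerabilityKey")]


if __name__ == "__main__":
    db = build_db()
    hard_delete_package(db, 1)
    print("after deleting 1.0.0:", find_orphans(db))   # range 100 still has 1.1.0
    hard_delete_package(db, 2)
    print("after deleting 1.1.0:", find_orphans(db))   # range 100 is now orphaned
    print("cleaned:", cleanup_orphans(db))
    print("after cleanup:", find_orphans(db), remaining_vulnerabilities(db))
```

Deleting only one of the two `Contoso.Lib` versions leaves the range alive, because it is still linked to the other version; deleting the second one is what orphans it, and only once the range is gone does its vulnerability row become an orphan too. That is why the cleanup runs ranges before vulnerabilities, and why the check in `find_orphans` is worth running (or made idempotent, as the issue suggests) inside the ingestion job rather than assuming the delete path did it.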