Hard package deletes don't remove vulnerability data from gallery db

[drewgillies]

In this code: https://github.com/NuGet/NuGetGallery/blob/master/src/NuGetGallery/Services/PackageDeleteService.cs#L321 there is no removal of related vulnerability rows. Specifics:

• There is a potential cascading delete of rows in VulnerablePackageVersionRangePackages (the m:m table which connects Packages rows to VulnerablePackageVersionRanges rows). This needs to be confirmed, but it seems to be the case, as we don't have orphaned rows occurring here.
• If a row in VulnerablePackageVersionRanges no longer has any package/version rows in Packages associated with it by a row in VulnerablePackageVersionRangePackages, it should be removed explicitly.
• If a row in PackageVulnerabilities no longer has entries in VulnerablePackageVersionRanges with links to it, it should be deleted explicitly. Having orphaned rows has resulted in ingress job fails (which can also be made more robust). If a package with vulnerabilities has been hard-deleted and is reintroduced into the database, the GitHub data can be re-polled as if it were a new package. /cc @xavierdecoster

[drewgillies]

This is by design. We need to harvest all nuget ranges and let them auto update. A hard package delete will ultimately result in an advisory update which can be ingressed in due course. This design decision doesn't affect the db as thought, as the attached issue is determined to have had another cause.