aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Re-design Package to Vulnerability model relationships #1068

Open pombredanne opened 1 year ago

pombredanne commented 1 year ago

The current model is that a Package is related to a Vulnerability through a generic PackageRelatedVulnerability relationship with a fix attribute.

This approach is problematic and not obvious. It makes queries more complex and slower.

We should instead evolve the models towards separate AffectedPackages and FixingPackage or something along these lines to be designed.

See these related issues:

Hritik14 commented 1 year ago

@pombredanne

It makes queries more complex

We could possibly avoid that by some abstraction as proposed in https://github.com/nexB/vulnerablecode/issues/595

and slower

Slower than ... ?

Hritik14 commented 1 year ago

As per discussion during call:

A fix is more complex than just a package. It can be much more than that. Fixes can come in terms of fix commits, individual patches, etc. @pombredanne
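To make the two schema shapes under discussion concrete, here is an added example that is not vulnerablecode's own code: it builds both layouts in an in-memory SQLite database with the standard library `sqlite3` module instead of Django, loads the same constructed sample data into each, and runs the "which packages are affected" and "what fixes this" queries against both. The current shape (one `package_related_vulnerability` table whose `fix` boolean decides what a row means) is mirrored from pombredanne's description; the split shape (`affected_package` plus a `fix` table that can point at a package, a commit or a patch, following Hritik14's remark) is a sketch of the proposal, and all table, column and sample names are assumptions made for the example.

```python
"""Added example: generic relationship-with-flag vs. split affected/fix tables.

Not vulnerablecode's models. Uses stdlib sqlite3; every name here is assumed.
"""
import sqlite3

# Constructed sample data, not from any real advisory.
VULN = "VCID-0001"
AFFECTED = ["pkg:pypi/foo@1.0", "pkg:pypi/foo@1.1"]
FIXING = ["pkg:pypi/foo@2.0"]
FIX_COMMIT = "https://example.com/foo/commit/abc123"  # assumed fixing commit

COMMON_DDL = """
CREATE TABLE vulnerability (id INTEGER PRIMARY KEY, vulnerability_id TEXT UNIQUE);
CREATE TABLE package (id INTEGER PRIMARY KEY, purl TEXT UNIQUE);
"""

# Current shape: one relationship table; the boolean decides the row's meaning.
GENERIC_DDL = COMMON_DDL + """
CREATE TABLE package_related_vulnerability (
    package_id INTEGER NOT NULL REFERENCES package(id),
    vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
    fix BOOLEAN NOT NULL DEFAULT 0,
    PRIMARY KEY (package_id, vulnerability_id)
);
"""

# Proposed shape (sketch): affected rows and fixes live in separate tables, and a
# fix is not necessarily a package, so 'kind' plus a free-form reference is allowed.
SPLIT_DDL = COMMON_DDL + """
CREATE TABLE affected_package (
    package_id INTEGER NOT NULL REFERENCES package(id),
    vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
    PRIMARY KEY (package_id, vulnerability_id)
);
CREATE TABLE fix (
    id INTEGER PRIMARY KEY,
    vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
    kind TEXT NOT NULL CHECK (kind IN ('package', 'commit', 'patch')),
    package_id INTEGER REFERENCES package(id),
    reference TEXT,
    CHECK ((kind = 'package' AND package_id IS NOT NULL)
        OR (kind <> 'package' AND package_id IS NULL AND reference IS NOT NULL))
);
"""


def _seed_common(conn):
    conn.execute("INSERT INTO vulnerability (vulnerability_id) VALUES (?)", (VULN,))
    conn.executemany("INSERT INTO package (purl) VALUES (?)",
                     [(p,) for p in AFFECTED + FIXING])


def _pkg_id(conn, purl):
    return conn.execute("SELECT id FROM package WHERE purl = ?", (purl,)).fetchone()[0]


def _vuln_id(conn, vcid):
    return conn.execute("SELECT id FROM vulnerability WHERE vulnerability_id = ?",
                        (vcid,)).fetchone()[0]


def load_generic(conn):
    conn.executescript(GENERIC_DDL)
    _seed_common(conn)
    vid = _vuln_id(conn, VULN)
    rows = [(_pkg_id(conn, p), vid, 0) for p in AFFECTED] + \
           [(_pkg_id(conn, p), vid, 1) for p in FIXING]
    conn.executemany("INSERT INTO package_related_vulnerability VALUES (?, ?, ?)", rows)


def load_split(conn):
    conn.executescript(SPLIT_DDL)
    _seed_common(conn)
    vid = _vuln_id(conn, VULN)
    conn.executemany("INSERT INTO affected_package VALUES (?, ?)",
                     [(_pkg_id(conn, p), vid) for p in AFFECTED])
    conn.executemany(
        "INSERT INTO fix (vulnerability_id, kind, package_id, reference) VALUES (?, ?, ?, ?)",
        [(vid, "package", _pkg_id(conn, p), None) for p in FIXING]
        + [(vid, "commit", None, FIX_COMMIT)])


def related_generic(conn, vcid):
    """Both questions need the same join; only the flag filter tells them apart."""
    sql = """SELECT p.purl FROM package p
             JOIN package_related_vulnerability r ON r.package_id = p.id
             JOIN vulnerability v ON v.id = r.vulnerability_id
             WHERE v.vulnerability_id = ? AND r.fix = ? ORDER BY p.purl"""
    affected = [row[0] for row in conn.execute(sql, (vcid, 0))]
    fixing = [row[0] for row in conn.execute(sql, (vcid, 1))]
    return affected, fixing


def related_split(conn, vcid):
    """Each question reads its own table; fixes carry their kind explicitly."""
    affected = [row[0] for row in conn.execute(
        """SELECT p.purl FROM package p
           JOIN affected_package a ON a.package_id = p.id
           JOIN vulnerability v ON v.id = a.vulnerability_id
           WHERE v.vulnerability_id = ? ORDER BY p.purl""", (vcid,))]
    fixes = [(kind, purl or ref) for kind, purl, ref in conn.execute(
        """SELECT f.kind, p.purl, f.reference FROM fix f
           JOIN vulnerability v ON v.id = f.vulnerability_id
           LEFT JOIN package p ON p.id = f.package_id
           WHERE v.vulnerability_id = ? ORDER BY f.kind, p.purl, f.reference""", (vcid,))]
    return affected, fixes


def demo():
    generic, split = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    load_generic(generic)
    load_split(split)
    return {"generic": related_generic(generic, VULN),
            "split": related_split(split, VULN)}


if __name__ == "__main__":
    for name, (affected, fixing) in demo().items():
        print(name, "affected:", affected, "fixing:", fixing)
```

The two schemas answer the "affected" question identically; the difference is that in the generic shape the meaning of a row is carried by a data value (`fix = 1`) that every query must remember to filter on, while in the split shape the table itself carries the meaning and the `fix` table can describe a commit or patch that the generic shape cannot express at all.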