Open johnmhoran opened 1 year ago
@pombredanne @TG1999
(1) When we match fixed by packages to a particular affected package, do we want to match all of these attributes: "name", "namespace", "type", "qualifiers", "subpath"?
That's what we currently do in my pending Package UI/API issue PR 1249 (issue 1228).
(2) This question likely also applies to the results of a PURL search -- do you agree? For example, a search for `pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid` displays results that include non-matching qualifiers:

[screenshot]
In addition, this screenshot reflects the poor sorting AND the apparent existence in the DB of duplicate records. I can address the sorting in this issue, though I suspect the problem of duplicate records is more complex and not directly related and will need to be addressed in a separate issue. (See issue 1278, which I opened back in August.)
Note that in `views.py`, in the `PackageSearch` class, this docstring is not as precisely focused:
```python
def get_queryset(self, query=None):
    """
    Return a Package queryset for the ``query``.
    Make a best effort approach to find matching packages either based
    on exact purl, partial purl or just name and namespace.
    """
    query = query or self.request.GET.get("search") or ""
    return self.model.objects.search(query).with_vulnerability_counts().prefetch_related()
```
I see the same docstring in the `search()` method of the `PackageQuerySet` class in `models.py`.
I take this to mean that we do want a broad and flexible search result in case the user submits an abbreviated search, e.g., a search for `jackson-databind` will return `maven`, `deb` and `rpm` packages. When we get to that issue, it will be interesting to see how we apply the univers `RANGE_CLASS_BY_SCHEMES` to a group of potentially many different combos of `type`, `namespace` etc.
Meanwhile, please focus on my questions (1) and (2) above at your earliest opportunity.
We need to consolidate the "Fixed by packages" tab and the "Affected packages" tab in the "Vulnerability details" page into a single tab with a table in which the rows contain relevant pairing of affected and fixed packages.
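As an added illustration of questions (1) and (2) above (example code, not VulnerableCode's own): two purls are treated as the same package when they agree on `type`, `namespace`, `name`, `qualifiers` and `subpath`, ignoring `version`; the same predicate pairs a fixed-by package with an affected package and filters purl search results whose qualifiers differ. The small parser is a constructed stand-in for the `packageurl` library and assumes spec-canonical purls (`@`, `?` and `#` inside components are percent-encoded); the candidate purls in the test are constructed sample values.

```python
# Added example, not VulnerableCode's own code. Constructed minimal purl parser
# (stand-in for packageurl-python) plus the attribute-level match the issue asks
# about: everything except version must agree.
from urllib.parse import unquote

MATCH_ATTRS = ("type", "namespace", "name", "qualifiers", "subpath")


def parse_purl(purl: str) -> dict:
    """Split a purl into components; qualifiers become a dict so their order is irrelevant."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):].strip("/")
    rest, _, subpath = rest.partition("#")      # subpath follows '#'
    rest, _, qualifiers = rest.partition("?")   # qualifiers follow '?'
    version = ""
    if rest.rfind("@") > rest.rfind("/"):       # only an '@' after the last '/' separates the version
        rest, _, version = rest.rpartition("@")
    parts = rest.split("/")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        if value:                               # the spec drops qualifiers with empty values
            quals[key.lower()] = unquote(value)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(parts[1:-1]),
        "name": unquote(parts[-1]),
        "version": unquote(version) or None,
        "qualifiers": quals,
        "subpath": subpath.strip("/") or None,
    }


def same_package(purl_a: str, purl_b: str) -> bool:
    """True when both purls agree on every MATCH_ATTRS attribute (version is ignored)."""
    a, b = parse_purl(purl_a), parse_purl(purl_b)
    return all(a[attr] == b[attr] for attr in MATCH_ATTRS)


def matching_purls(reference: str, candidates: list) -> list:
    """Keep only candidates that are the same package as `reference`.

    Serves both uses from the issue: pairing fixed-by purls with an affected
    purl, and dropping search hits whose qualifiers do not match the query.
    """
    return [c for c in candidates if same_package(reference, c)]
```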