aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Consolidate 'Fixed by packages' tab and 'Affected packages' tab in Vulnerability details page #1287

Open johnmhoran opened 1 year ago

johnmhoran commented 1 year ago

We need to consolidate the Fixed by packages tab and the Affected packages tab in the Vulnerability details page into a single tab with a table in which the rows contain relevant pairing of affected and fixed packages.

johnmhoran commented 11 months ago

@pombredanne @TG1999

(1) When we match fixed by packages to a particular affected package, do we want to match all of these attributes?

"name" "namespace" "type" "qualifiers" "subpath"

That's what we currently do in my pending Package UI/API issue PR 1249 (issue 1228).

(2) This question likely also applies to the results of a PURL search -- do you agree? For example, a search for pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid displays results that include non-matching qualifiers:

[screenshot: PURL search results]

In addition, this screenshot reflects the poor sorting AND the apparent existence in the DB of duplicate records. I can address the sorting in this issue, though I suspect the problem of duplicate records is more complex and not directly related and will need to be addressed in a separate issue. (See issue 1278, which I opened back in August.)

johnmhoran commented 11 months ago

Note that in views.py, in the PackageSearch class, this docstring is not as precisely focused.

    def get_queryset(self, query=None):
        """
        Return a Package queryset for the ``query``.
        Make a best effort approach to find matching packages either based
        on exact purl, partial purl or just name and namespace.
        """
        query = query or self.request.GET.get("search") or ""
        return self.model.objects.search(query).with_vulnerability_counts().prefetch_related()

johnmhoran commented 11 months ago

I see the same docstring in the search() method of the PackageQuerySet() class in models.py.

I take this to mean that we do want a broad and flexible search result in case the user submits an abbreviated search, e.g., a search for jackson-databind will return maven, deb and rpm packages. When we get to that issue, it will be interesting to see how we apply the univers RANGE_CLASS_BY_SCHEMES to a group of potentially many different combos of type, namespace etc.

Meanwhile, please focus on my questions (1) and (2) above at your earliest opportunity.
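The two questions in this thread (pairing a fixed-by package with an affected package on type, namespace, name, qualifiers and subpath, and whether a full-PURL search should exclude records whose qualifiers differ while a bare name search stays broad) can be made concrete with a small standalone script. This is an added example, not vulnerablecode's code: the `PackageURL` parser, `is_fix_for`, `pair_fixes`, `search` and `sort_key` names are assumptions made for the example, the sample records are constructed (including one duplicate, since the thread mentions duplicate rows in the DB), and the choice to require qualifiers to match on an exact-PURL query is the position the question is asking about, not a decision the project has taken.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote

Qualifiers = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class PackageURL:
    """Components of a Package URL; frozen so instances are hashable (deduplicable)."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Qualifiers  # sorted (key, value) pairs
    subpath: Optional[str]

    @classmethod
    def parse(cls, purl: str) -> "PackageURL":
        """Minimal parser written for this example (not packageurl-python).
        Splits pkg:type/namespace/name@version?qualifiers#subpath in the
        order the purl spec prescribes: subpath, qualifiers, version, path."""
        if not purl.startswith("pkg:"):
            raise ValueError(f"not a package URL: {purl!r}")
        rest = purl[len("pkg:"):]
        subpath = None
        if "#" in rest:
            rest, subpath = rest.rsplit("#", 1)
            subpath = unquote(subpath).strip("/") or None
        qualifiers: Qualifiers = ()
        if "?" in rest:
            rest, query = rest.rsplit("?", 1)
            # parse_qsl already percent-decodes values; keys are case-insensitive
            qualifiers = tuple(sorted((k.lower(), v) for k, v in parse_qsl(query)))
        version = None
        if "@" in rest:
            rest, version = rest.rsplit("@", 1)
            version = unquote(version)
        parts = [p for p in rest.strip("/").split("/") if p]
        if len(parts) < 2:
            raise ValueError(f"package URL needs at least a type and a name: {purl!r}")
        namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
        return cls(parts[0].lower(), namespace, unquote(parts[-1]), version, qualifiers, subpath)

    def identity(self) -> tuple:
        """Everything except the version: the attributes question (1) lists."""
        return (self.type, self.namespace, self.name, self.qualifiers, self.subpath)


def sort_key(p: PackageURL) -> tuple:
    # Plain string ordering on version is enough for the sample; a real
    # implementation would order versions with a scheme-aware class.
    return (p.type, p.namespace or "", p.name, p.version or "", p.qualifiers, p.subpath or "")


def is_fix_for(affected: PackageURL, fixed: PackageURL) -> bool:
    """A fixed-by package pairs with an affected package when type, namespace,
    name, qualifiers and subpath all match and only the version differs."""
    return affected.identity() == fixed.identity() and affected.version != fixed.version


def pair_fixes(affected: PackageURL, candidates: Iterable[PackageURL]) -> List[PackageURL]:
    """Rows for a consolidated affected/fixed table: deduplicated, sorted fixes."""
    return sorted({c for c in candidates if is_fix_for(affected, c)}, key=sort_key)


def search(query: str, packages: Iterable[PackageURL]) -> List[PackageURL]:
    """A purl query must match every attribute it carries (question 2); a bare
    name returns packages of every type, as the quoted docstring intends."""
    if query.startswith("pkg:"):
        wanted = PackageURL.parse(query)
        hits = {p for p in packages
                if p.identity() == wanted.identity()
                and (wanted.version is None or p.version == wanted.version)}
    else:
        hits = {p for p in packages if p.name == query}
    return sorted(hits, key=sort_key)  # the set drops duplicate records


# Constructed sample records; the second line is a deliberate duplicate.
SAMPLE_PACKAGES = [PackageURL.parse(p) for p in (
    "pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid",
    "pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid",
    "pkg:deb/debian/jackson-databind@2.9.1-2?distro=sid",
    "pkg:deb/debian/jackson-databind@2.9.1-1?distro=stretch",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
    "pkg:rpm/fedora/jackson-databind@2.9.1-1.fc28?arch=src",
)]

if __name__ == "__main__":
    affected = PackageURL.parse("pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid")
    for fix in pair_fixes(affected, SAMPLE_PACKAGES):
        print("fixed by:", fix.type, fix.version, dict(fix.qualifiers))
    for hit in search("jackson-databind", SAMPLE_PACKAGES):
        print("name search:", hit.type, hit.namespace, hit.version)
```

With the sample data the exact search for `pkg:deb/debian/jackson-databind@2.9.1-1?distro=sid` returns one row (the duplicate collapses and the `distro=stretch` record is excluded), while the bare-name search returns the deb, maven and rpm packages together, which is the broad behaviour the `get_queryset` docstring describes.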