
draft - Vendor and Product management in vulnerability-lookup

Open · adulau opened this issue 11 months ago · 1 comment

Following #78 (maybe this is required before closing the other issue) and discussions, here are some ideas for implementing vendor/product management in vulnerability-lookup:

  • A new data model would be created to support vendor creation.
  • A vendor contains the following fields:
    • Vendor name (required)
    • Vendor long name
    • Website
    • Country
    • Updated date
  • A vendor can have one or more vendor namespaces and one or more product namespaces attached.
  • A point of contact (email/URL) can be added to a vendor.

Initial (and regular) import of vendors in vulnerability-lookup:

  • If the vendor table is empty, we use the vendor name from all CPEs and create the corresponding vendor.
  • For each corresponding vendor, we populate the vendor name with the known CPE and add the product names from the CPE.
  • If the vendor table is not empty, we could trigger a regular update based on the CPE import.

adulau avatar Feb 03 '25 06:02 adulau
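As an added example (not code from the vulnerability-lookup project itself), the following Python sketch puts the proposed model and the CPE-driven import above into working form: a `Vendor` record with the listed fields plus namespace and product sets, a small CPE 2.3 formatted-string splitter that honours backslash-escaped colons, and one `import_from_cpes` routine that serves both the initial fill of an empty vendor table and a later incremental update of a populated one. The class and function names, the `cpe:` namespace tags, the handling of wildcard (`*`/`-`) vendors and the sample CPE strings are assumptions made for this illustration; the issue does not define how namespaces are spelled.

```python
"""Added example, not vulnerability-lookup code: vendor/product model and CPE import."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

_CPE23_PREFIX = "cpe:2.3:"
_CPE23_FIELDS = 11  # part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other


@dataclass
class Vendor:
    """Vendor record with the fields listed in the issue (only `name` is required)."""
    name: str
    long_name: str | None = None
    website: str | None = None
    country: str | None = None
    contact: str | None = None  # point of contact: email or URL
    updated: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    vendor_namespaces: set[str] = field(default_factory=set)   # assumed spelling: "cpe:<vendor>"
    product_namespaces: set[str] = field(default_factory=set)  # assumed spelling: "cpe:<vendor>:<product>"
    products: set[str] = field(default_factory=set)


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 11 components after the prefix.

    A literal ':' inside a component is written '\\:' in the formatted string,
    so a naive str.split(':') would mis-assign vendor and product.
    """
    if not cpe.startswith(_CPE23_PREFIX):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    body = cpe[len(_CPE23_PREFIX):]
    parts, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape pair as-is
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != _CPE23_FIELDS:
        raise ValueError(f"expected {_CPE23_FIELDS} components, got {len(parts)}: {cpe!r}")
    return parts


def import_from_cpes(table: dict[str, Vendor], cpes: list[str],
                     now: datetime | None = None) -> dict[str, int]:
    """Create vendors/products from CPE strings; idempotent, so the same routine
    covers the initial import (empty table) and a regular update (non-empty table).
    `updated` is only touched when a vendor actually gains a product."""
    now = now or datetime.now(timezone.utc)
    stats = {"vendors_created": 0, "products_added": 0, "skipped": 0}
    for cpe in cpes:
        try:
            parts = split_cpe23(cpe)
        except ValueError:
            stats["skipped"] += 1           # e.g. legacy 'cpe:/a:...' URI form
            continue
        vendor_name, product_name = parts[1], parts[2]
        if vendor_name in ("*", "-", ""):   # ANY / NA vendor: nothing to create
            stats["skipped"] += 1
            continue
        vendor = table.get(vendor_name)
        if vendor is None:
            vendor = Vendor(name=vendor_name, updated=now)
            vendor.vendor_namespaces.add(f"cpe:{vendor_name}")
            table[vendor_name] = vendor
            stats["vendors_created"] += 1
        if product_name not in ("*", "-", "") and product_name not in vendor.products:
            vendor.products.add(product_name)
            vendor.product_namespaces.add(f"cpe:{vendor_name}:{product_name}")
            vendor.updated = now
            stats["products_added"] += 1
    return stats


# Constructed sample input (not real feed data): two vendors with several
# products, an escaped colon in a vendor name, a wildcard vendor and a CPE 2.2 URI.
SAMPLE_CPES = [
    "cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:tomcat:9.0.80:*:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
    "cpe:2.3:a:example\\:corp:widget:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:*:orphan_product:1.0:*:*:*:*:*:*:*",
    "cpe:/a:apache:http_server:2.2.0",
]


def run_demo() -> tuple[dict[str, Vendor], dict[str, int], dict[str, int]]:
    """Initial import into an empty table, then a second run that must change nothing."""
    table: dict[str, Vendor] = {}
    first = import_from_cpes(table, SAMPLE_CPES)
    second = import_from_cpes(table, SAMPLE_CPES)
    return table, first, second


if __name__ == "__main__":
    table, first, second = run_demo()
    print(first, second)
    for v in table.values():
        print(v.name, sorted(v.products))
```

The second pass reports only the skipped entries, which is the property a scheduled re-import needs: rerunning over the full CPE dictionary never duplicates vendors or bumps `updated` dates without a real change.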

https://github.com/package-url/vers-spec/issues/9

cedricbonhomme avatar Mar 03 '25 14:03 cedricbonhomme

It was implemented and released in the latest version, except for the regular import, which is more relevant for the CIRCL vulnerability instance to support the creation of an alternative CPE dataset. I'll close the issue for now and may update it later.

adulau avatar Jun 13 '25 04:06 adulau