
Re-design Package to Vulnerability model relationships

Open pombredanne opened this issue 3 years ago • 2 comments

The current model is that a Package is related to a Vulnerability through a generic PackageRelatedVulnerability relationship with a `fix` attribute

  • https://github.com/nexB/vulnerablecode/blob/40a39743f385bd5b6dfa3424bc72231fe1ae7456/vulnerabilities/models.py#L491

  • https://github.com/nexB/vulnerablecode/blob/40a39743f385bd5b6dfa3424bc72231fe1ae7456/vulnerabilities/models.py#L584

  • https://github.com/nexB/vulnerablecode/blob/40a39743f385bd5b6dfa3424bc72231fe1ae7456/vulnerabilities/models.py#L614

This approach is problematic and not obvious. It makes queries more complex and slower.

We should instead evolve the models towards separate AffectedPackages and FixingPackage or something along these lines to be designed.

See these related issues:

  • #715
  • #966
  • #727
  • #595

pombredanne, Jan 06 '23 10:01

@pombredanne

It makes queries more complex

We could possibly avoid that by some abstraction as proposed in https://github.com/nexB/vulnerablecode/issues/595

and slower

Slower than ... ?

Hritik14, Jan 07 '23 00:01

As per discussion during call:

A fix is more complex than just a package. It can be much more than that. Fixes can come in terms of fix commits, individual patches, etc. @pombredanne

Hritik14, Jan 17 '23 16:01
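To make the two designs in this thread concrete (the current single relationship table with a `fix` flag from the opening post, versus separate affected and fixing relations where a fix may also be a commit or a patch, as raised in the last comment), here is an added, self-contained sketch using only Python's stdlib `sqlite3`. It is not vulnerablecode's code or schema: the table and column names (`package_related_vulnerability`, `affected_package`, `fix`), the `kind`/`reference` columns and the sample data are all assumptions made for illustration.

```python
"""Side-by-side sketch of the two Package/Vulnerability relationship designs.

Hypothetical schema for illustration only (not vulnerablecode's models):
  generic_db: one join table carrying a boolean `fix` flag
  split_db:   separate affected_package table and a fix table whose rows
              may point at a package, a commit or a patch
"""
import sqlite3

# Constructed sample data, not real advisories or real packages.
PACKAGES = ["pkg:pypi/foo@1.0", "pkg:pypi/foo@1.1", "pkg:pypi/foo@1.2"]
VULN = "VCID-example-1"
FIX_COMMIT = "https://example.invalid/foo/commit/abc123"  # placeholder URL


def _base_tables(conn):
    conn.executescript("""
        CREATE TABLE package (id INTEGER PRIMARY KEY, purl TEXT UNIQUE);
        CREATE TABLE vulnerability (id INTEGER PRIMARY KEY, vid TEXT UNIQUE);
    """)
    conn.executemany("INSERT INTO package(purl) VALUES (?)", [(p,) for p in PACKAGES])
    conn.execute("INSERT INTO vulnerability(vid) VALUES (?)", (VULN,))


def generic_db():
    """Current design: a single relationship table with a `fix` flag."""
    conn = sqlite3.connect(":memory:")
    _base_tables(conn)
    conn.execute("""
        CREATE TABLE package_related_vulnerability (
            package_id INTEGER NOT NULL REFERENCES package(id),
            vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
            fix INTEGER NOT NULL DEFAULT 0,
            UNIQUE (package_id, vulnerability_id))""")
    # foo@1.0 and foo@1.1 are affected (fix=0); foo@1.2 is the fixing version (fix=1).
    conn.executemany(
        "INSERT INTO package_related_vulnerability VALUES ("
        "(SELECT id FROM package WHERE purl = ?), "
        "(SELECT id FROM vulnerability WHERE vid = ?), ?)",
        [(PACKAGES[0], VULN, 0), (PACKAGES[1], VULN, 0), (PACKAGES[2], VULN, 1)])
    return conn


def generic_affected(conn, vid, filter_fix=True):
    """Affected packages in the generic design. Every query has to remember the
    `fix` filter; filter_fix=False shows what a forgotten filter returns."""
    sql = ("SELECT p.purl FROM package p "
           "JOIN package_related_vulnerability r ON r.package_id = p.id "
           "JOIN vulnerability v ON v.id = r.vulnerability_id WHERE v.vid = ?")
    if filter_fix:
        sql += " AND r.fix = 0"
    return sorted(row[0] for row in conn.execute(sql, (vid,)))


def split_db():
    """Proposed design: affected and fixing relations live in separate tables,
    and a fix row is a package, a commit or a patch (kind + reference)."""
    conn = sqlite3.connect(":memory:")
    _base_tables(conn)
    conn.executescript("""
        CREATE TABLE affected_package (
            package_id INTEGER NOT NULL REFERENCES package(id),
            vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
            UNIQUE (package_id, vulnerability_id));
        CREATE TABLE fix (
            vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id),
            kind TEXT NOT NULL CHECK (kind IN ('package', 'commit', 'patch')),
            package_id INTEGER REFERENCES package(id),
            reference TEXT,
            -- a package fix carries a package, any other kind carries a reference
            CHECK ((kind = 'package') = (package_id IS NOT NULL)),
            CHECK ((kind <> 'package') = (reference IS NOT NULL)));
    """)
    conn.executemany(
        "INSERT INTO affected_package VALUES ((SELECT id FROM package WHERE purl = ?), "
        "(SELECT id FROM vulnerability WHERE vid = ?))",
        [(PACKAGES[0], VULN), (PACKAGES[1], VULN)])
    conn.execute(
        "INSERT INTO fix VALUES ((SELECT id FROM vulnerability WHERE vid = ?), 'package', "
        "(SELECT id FROM package WHERE purl = ?), NULL)", (VULN, PACKAGES[2]))
    conn.execute(
        "INSERT INTO fix VALUES ((SELECT id FROM vulnerability WHERE vid = ?), 'commit', "
        "NULL, ?)", (VULN, FIX_COMMIT))
    return conn


def split_affected(conn, vid):
    """Affected packages in the split design: no flag to remember."""
    sql = ("SELECT p.purl FROM package p JOIN affected_package a ON a.package_id = p.id "
           "JOIN vulnerability v ON v.id = a.vulnerability_id WHERE v.vid = ?")
    return sorted(row[0] for row in conn.execute(sql, (vid,)))


def split_fixes(conn, vid):
    """All fixes for a vulnerability as (kind, purl-or-reference) pairs."""
    sql = ("SELECT f.kind, COALESCE(p.purl, f.reference) FROM fix f "
           "JOIN vulnerability v ON v.id = f.vulnerability_id "
           "LEFT JOIN package p ON p.id = f.package_id WHERE v.vid = ?")
    return sorted(conn.execute(sql, (vid,)).fetchall())


def rejects_inconsistent_fix(conn):
    """True if the schema refuses a commit fix that has no reference."""
    try:
        conn.execute("INSERT INTO fix VALUES (1, 'commit', NULL, NULL)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    g, s = generic_db(), split_db()
    print("generic, affected:", generic_affected(g, VULN))
    print("generic, flag forgotten:", generic_affected(g, VULN, filter_fix=False))
    print("split, affected:", split_affected(s, VULN))
    print("split, fixes:", split_fixes(s, VULN))
```

The generic design has no place at all for a commit or patch fix, and a query that forgets the `fix` predicate silently reports the fixing version as affected; in the split sketch the meaning of a row is carried by which table it is in, and the CHECK constraints make a malformed fix row an insert-time error rather than something a later query has to defend against.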