
Add new model to store code fixes

Open ziadhany opened this issue 2 months ago • 3 comments

IMO we should treat fix commit data as advisory, but special advisory. As brought up by @keshav-space we can accommodate the changes in the impacted package data model as well. Thanks!

Originally posted by @TG1999 in #1721

ziadhany avatar Oct 28 '25 15:10 ziadhany

I agree that we should treat fix commits as advisories and maybe avoid creating Codefixv2 entries directly, relying on the CollectFixCommitsPipeline to create a Codefixv2 and associate it with the impacted package data model.

But this will limit our ability to detect/store fix commits that are not related to any aliases, as some developers just fix vulnerabilities without creating a CVE. I think this is out of scope for now, though, especially since many of these cases are false positives.

IMO we should start with a simple pipeline that parses git logs from key repositories (linux / django) using regular expressions searching for CVE-xx, GHSA-xx or XSA-xx, and stores them as advisories with some references.

For example:

  • https://github.com/torvalds/linux/commit/51ac8893a7a51b196501164e645583bf78138699
  • https://github.com/django/django/commit/0b42f6a528df966729b24ecaaed67f85e5edc3dc

This will generate really interesting fix commits that we are currently missing in vulnerablecode.

ziadhany avatar Oct 28 '25 15:10 ziadhany

  • we will introduce a new model CodeCommit / PackageCommit / VCSCommit; it will have attributes: mandatory (commit hash, vcs url),
    optional (commit rank, commit author, commit date, commit message), unique (commit hash, vcs url)

  • associate this new model with the impacted-packages model (affecting_commits, fixed_by_commits)

ziadhany avatar Oct 30 '25 15:10 ziadhany
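The pipeline sketched two comments up (regex search of git logs for CVE-/GHSA-/XSA- aliases, stored as advisories with commit references) and the commit model proposed just above (mandatory commit hash and vcs url, optional author/date/message, unique on hash plus url, linked to impacted packages via fixed_by_commits) can be demonstrated together in one small script. The code below is an added example written for this page, not VulnerableCode's CollectFixCommitsPipeline or its models. It assumes the caller ran `git log --format='%H%x1f%an%x1f%aI%x1f%B%x1e'` so that fields are separated by 0x1f and records by 0x1e; the class and field names (VCSCommit, FixCommitAdvisory, fixed_by_commits, references), the sample log text and its commit hashes are all constructed for the example. Commits that mention no alias are skipped, which is the "out of scope for now" case from the discussion, and a record seen twice for the same (hash, url) pair is stored once.

```python
"""Added example: collect fix commits that reference vulnerability aliases
from `git log` output. Illustrative code for this page, not VulnerableCode's own
pipeline; all model and field names are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed log layout: git log --format='%H%x1f%an%x1f%aI%x1f%B%x1e'
FIELD_SEP = "\x1f"   # separates hash / author / date / body inside a record
RECORD_SEP = "\x1e"  # terminates each commit record

# Aliases the discussion proposes to search for: CVE-, GHSA- and XSA- ids.
ALIAS_RE = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|XSA-\d+)\b",
    re.IGNORECASE,
)
HASH_RE = re.compile(r"[0-9a-f]{40}")


@dataclass(frozen=True)
class VCSCommit:
    """Commit record with the mandatory/optional split proposed above.
    (commit_hash, vcs_url) is the natural key; everything else is optional."""
    commit_hash: str
    vcs_url: str
    author: Optional[str] = None
    date: Optional[str] = None
    message: Optional[str] = None


@dataclass
class FixCommitAdvisory:
    """One alias plus the commits whose messages claim to fix it (assumed shape)."""
    alias: str
    fixed_by_commits: list[VCSCommit] = field(default_factory=list)

    @property
    def references(self) -> list[str]:
        # Reference URLs in the same form as the linux/django links quoted above.
        return [f"{c.vcs_url}/commit/{c.commit_hash}" for c in self.fixed_by_commits]


def parse_git_log(text: str, vcs_url: str) -> list[VCSCommit]:
    """Parse separator-delimited log output, deduplicating on (hash, vcs_url)."""
    seen: set[tuple[str, str]] = set()
    commits: list[VCSCommit] = []
    for record in text.split(RECORD_SEP):
        record = record.strip()
        if not record:
            continue
        parts = record.split(FIELD_SEP, 3)
        if len(parts) != 4:
            continue  # malformed record: do not store a partial commit
        commit_hash, author, date, message = parts
        commit_hash = commit_hash.strip().lower()
        if not HASH_RE.fullmatch(commit_hash):
            continue  # not a full SHA-1; the mandatory key would be unreliable
        key = (commit_hash, vcs_url)
        if key in seen:
            continue  # unique (commit hash, vcs url): keep the first occurrence
        seen.add(key)
        commits.append(VCSCommit(commit_hash, vcs_url, author.strip() or None,
                                 date.strip() or None, message.strip() or None))
    return commits


def extract_aliases(message: Optional[str]) -> list[str]:
    """Return the distinct aliases in a commit message, normalised to canonical case."""
    if not message:
        return []
    found: list[str] = []
    for raw in ALIAS_RE.findall(message):
        upper = raw.upper()
        # CVE/XSA ids are upper case; GHSA ids keep a lower-case suffix.
        alias = upper if upper.startswith(("CVE-", "XSA-")) else "GHSA-" + raw[5:].lower()
        if alias not in found:
            found.append(alias)
    return found


def collect_fix_commits(text: str, vcs_url: str) -> dict[str, FixCommitAdvisory]:
    """Group commits by alias; commits that mention no alias are skipped."""
    advisories: dict[str, FixCommitAdvisory] = {}
    for commit in parse_git_log(text, vcs_url):
        for alias in extract_aliases(commit.message):
            advisories.setdefault(alias, FixCommitAdvisory(alias)).fixed_by_commits.append(commit)
    return advisories


# Constructed sample log (fake hashes and messages, not real commits).
VCS_URL = "https://github.com/example/repo"
H1 = "0123456789abcdef0123456789abcdef01234567"
H2 = "89abcdef0123456789abcdef0123456789abcdef"
H3 = "fedcba9876543210fedcba9876543210fedcba98"
SAMPLE_LOG = (
    f"{H1}{FIELD_SEP}Alice Example{FIELD_SEP}2024-03-01T10:00:00+00:00{FIELD_SEP}"
    "net: fix use-after-free on socket close\n\nFixes CVE-2024-1234; also tracked as GHSA-abcd-ef12-3456.\n"
    f"{RECORD_SEP}\n"
    f"{H2}{FIELD_SEP}Bob Example{FIELD_SEP}2024-03-02T11:00:00+00:00{FIELD_SEP}docs: typo in README\n{RECORD_SEP}\n"
    f"{H3}{FIELD_SEP}Carol Example{FIELD_SEP}2024-03-03T12:00:00+00:00{FIELD_SEP}"
    "xen: bounds check for XSA-460 style overflow (follow-up to cve-2024-1234)\n"
    f"{RECORD_SEP}\n"
    f"{H1}{FIELD_SEP}Alice Example{FIELD_SEP}2024-03-01T10:00:00+00:00{FIELD_SEP}duplicate of the first record\n{RECORD_SEP}\n"
)

if __name__ == "__main__":
    for alias, adv in sorted(collect_fix_commits(SAMPLE_LOG, VCS_URL).items()):
        print(alias, adv.references)
```

Running the block prints one line per alias with its reference URLs; the README-only commit and the duplicated record contribute nothing, and the lower-case `cve-2024-1234` in the third message is folded into the same advisory as the first commit's upper-case mention.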

@ziadhany also, moving forward, we will store code fix data in the AdvisoryV2 model, and use Impacted Packages to store and reference commits.

TG1999 avatar Oct 30 '25 16:10 TG1999

Closed by

  • #2017

ziadhany avatar Dec 17 '25 09:12 ziadhany