Collect existing fix commits for project-kb #1987
Conversation
Signed-off-by: ziad hany <[email protected]>
Add a test for the ProjectKB importer and collect fix commits pipeline. Signed-off-by: ziad hany <[email protected]>
ziadhany
requested review from
TG1999 and
keshav-space
and removed request for
keshav-space
| if not commit_id or not repo_url: | ||
| continue | ||
|
|
||
| commit_url = repo_url.replace(".git", "") + "/commit/" + commit_id |
There was a problem hiding this comment.
This path is only valid for GitHub repos, are we sure we only have GitHub repos in project kb advisory.
There was a problem hiding this comment.
Yes, Project KB Advisory is just one GitHub repository.
| advisories = AdvisoryV2.objects.filter(advisory_id__in=vuln_ids).prefetch_related( | ||
| "impacted_packages__affecting_packages" | ||
| ) |
There was a problem hiding this comment.
We do not want to merge the advisory info coming from different source.
| for impact in advisory.impacted_packages.all(): | ||
| for pkg in impact.affecting_packages.all(): | ||
| codefixes.append( | ||
| CodeFixV2( |
There was a problem hiding this comment.
IMHO we should treat this as an advisory and update impact_package model to hold the fixed and affecting commit.
There was a problem hiding this comment.
The main issue is how to relate a fix commit to an impacted package.
A large portion of existing fix commit databases only provide the CVE-XXXX, the Git commit, and the repository.
IMHO, we should have an advisory, but the code fix should be considered as a reference URL, with an optional relation to the impacted packages. Since we don't know which version or package (purl) is going to be impacted by this commit.
2 participants
Uh oh!
There was an error while loading. Please reload this page.