Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename PackageVulnerability's ReferenceUrl to AdvisoryUrl and make it required #7721

Merged
merged 3 commits into from
Dec 11, 2019
Merged

Rename PackageVulnerability's ReferenceUrl to AdvisoryUrl and make it required #7721

merged 3 commits into from
Dec 11, 2019

Conversation

xavierdecoster
Copy link
Member

@xavierdecoster xavierdecoster commented Dec 3, 2019
edited
Loading

The PackageVulnerability.ReferenceUrl field is mandatory and should be renamed to PackageVulnerability.AdvisoryUrl. The current db model assumes it is optional. We should enforce this restriction in the db model.

In addition, the protocol and ubiqituous language for this feature have been updated:

  • ReferenceUrl is actually an AdvisoryUrl (which points to a resource to learn more about the security advisory, which in turn may have references to e.g. NIST database)
  • As we don't use the SecurityAdvisoryReference data anywhere, we don't need to query these from GH's GraphQL API
  • The GH GraphQL API will be updated to include a new permalink field on the SecurityAdvisory object, but that's still a few months out. In the mean time, we can work-around it by using the permalink-format provided to us, which purposely was put into an extension method with a comment.

Addresses #7720

Rollout plan:

  • Disable GitHubVulnerabilities2Db job on DEV and INT
  • Apply EF migrations to NuGetGallery db on DEV and INT
  • Deploy patched GitHubVulnerabilties2Db job to DEV and INT

@xavierdecoster xavierdecoster added this to the S162 - 2019.11.18 milestone Dec 3, 2019
@xavierdecoster xavierdecoster self-assigned this Dec 3, 2019
@xavierdecoster xavierdecoster changed the title Make PackageVulnerability.ReferenceUrl required. Rename PackageVulnerability's ReferenceUrl to AdvisoryUrl and make it required Dec 5, 2019
joelverhagen
joelverhagen reviewed Dec 10, 2019
View reviewed changes
src/GitHubVulnerabilities2Db/Ingest/AdvisoryIngestor.cs
@@ -41,7 +41,7 @@ public async Task IngestAsync(IReadOnlyList<SecurityAdvisory> advisories)
{
GitHubDatabaseKey = advisory.DatabaseId,
Severity = (PackageVulnerabilitySeverity)Enum.Parse(typeof(PackageVulnerabilitySeverity), advisory.Severity, ignoreCase: true),
ReferenceUrl = advisory.References.FirstOrDefault()?.Url
AdvisoryUrl = advisory.GetPermalink()
};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we persist the whole URL? Isn't this a view concern? Seems more flexible in the future to just persist what we know (GhsaId) and allow the caller to choose what to do with it (i.e. call another API, build a URL, etc).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could do both, if desired. Though the entity is meant to be GitHub-agnostic...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that both GhsaId and Permalink will be fields retrieved from the GH GraphQL API. I think we are only interested in the AdvisoryUrl, which is what we'll be surfacing in our own protocol and UI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I thought we already non-generic with GitHubDatabaseKey. Should the be "ExternalKey" instead?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah... I'm kinda wondering about the usefulness of that GitHubDatabaseKey...
It's the one thing GH guaranteed that wouldn't change. But the GraphQL API is using the GhsaId to query for a specific advisory.

See also this comment added by Scott when he modeled the entity.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it would come down to having some Provider column (in this case GitHub would be the value) so we can identify the source of the data, plus a generic external key. Or alternatively have the approach that Scott described of using a key per provider (see his comment).

@xavierdecoster xavierdecoster merged commit e7764bc into dev Dec 11, 2019
@xavierdecoster xavierdecoster deleted the dev-issue7720 branch December 11, 2019 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joelverhagen joelverhagen joelverhagen approved these changes

@ryuyu ryuyu ryuyu approved these changes

@scottbommarito scottbommarito scottbommarito approved these changes

@agr agr Awaiting requested review from agr

@loic-sharma loic-sharma Awaiting requested review from loic-sharma

@shishirx34 shishirx34 Awaiting requested review from shishirx34

@cristinamanum cristinamanum Awaiting requested review from cristinamanum

@skofman1 skofman1 Awaiting requested review from skofman1

@zhhyu zhhyu Awaiting requested review from zhhyu

@dannyjdev dannyjdev Awaiting requested review from dannyjdev

Assignees

@xavierdecoster xavierdecoster

Labels
Area: Data Integrity
Projects
None yet
Milestone
S163 - 2019.12.09
Development

Successfully merging this pull request may close these issues.
5 participants
@xavierdecoster @joelverhagen @ryuyu @skofman1 @scottbommarito