From 084d57cd64a33b62dfde8fd9d1a49a5c0d6f13a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Choutri=20de=20Tarl=C3=A9?=
Date: Sat, 16 Nov 2024 23:44:08 +0100
Subject: [PATCH] Store affected version ranges by version instead of release ID

This allows for greater flexiblity when it comes to declared versions that do not appear in the affected package repository
---
 ...4081932_create_affected_version_ranges.sql | 8 +++----
 ...116223018_add_index_on_release_version.sql | 1 +
 src/advisories/Advisories/Import.hs | 24 ++++---------------
 .../Advisories/Model/Affected/Types.hs | 7 +++---
 4 files changed, 12 insertions(+), 28 deletions(-)
 create mode 100644 migrations/20241116223018_add_index_on_release_version.sql

diff --git a/migrations/20241014081932_create_affected_version_ranges.sql b/migrations/20241014081932_create_affected_version_ranges.sql
index 90f08086..8fa6b489 100644
--- a/migrations/20241014081932_create_affected_version_ranges.sql
+++ b/migrations/20241014081932_create_affected_version_ranges.sql
@@ -1,15 +1,15 @@
 CREATE TABLE IF NOT EXISTS affected_version_ranges (
 affected_version_id uuid PRIMARY KEY
 , affected_package_id uuid REFERENCES affected_packages NOT NULL
- , introduced_version uuid REFERENCES releases (release_id) NOT NULL
- , fixed_version uuid REFERENCES releases (release_id)
+ , introduced_version int[] NOT NULL
+ , fixed_version int[]
 );
 
 CREATE INDEX affected_version_ranges_affected_package_id_fkey
 ON affected_version_ranges (affected_package_id);
 
-CREATE INDEX affected_version_ranges_introduced_version_fkey
+CREATE INDEX affected_version_ranges_introduced_version
 ON affected_version_ranges (introduced_version);
 
-CREATE INDEX affected_version_ranges_fixed_version_fkey
+CREATE INDEX affected_version_ranges_fixed_version
 ON affected_version_ranges (fixed_version);
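Review bot: The column type change is made by editing the already-committed migration 20241014081932 in place, so any database that has already applied it keeps the uuid columns and the `*_fkey` indexes, and running the migrations again will not reconcile the two schemas. If this migration can have run anywhere other than a throwaway environment, the change belongs in a new migration that drops the two foreign keys and re-creates the columns as `int[]`, the way the adjacent 20241116223018 file adds its index. Dropping the REFERENCES also removes the only database-side guarantee that a stored range points at real data, which the commit message accepts as intended; a `CHECK (cardinality(introduced_version) > 0)` on the NOT NULL column would at least reject an empty version array.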
diff --git a/migrations/20241116223018_add_index_on_release_version.sql b/migrations/20241116223018_add_index_on_release_version.sql
new file mode 100644
index 00000000..b53c3c51
--- /dev/null
+++ b/migrations/20241116223018_add_index_on_release_version.sql
@@ -0,0 +1 @@
+CREATE INDEX ON releases (version);
diff --git a/src/advisories/Advisories/Import.hs b/src/advisories/Advisories/Import.hs
index 11ec54ce..cd254102 100644
--- a/src/advisories/Advisories/Import.hs
+++ b/src/advisories/Advisories/Import.hs
@@ -25,8 +25,6 @@ import Advisories.Model.Affected.Update qualified as Update
 import Flora.Import.Package
 import Flora.Model.Package.Guard (guardThatPackageExists)
 import Flora.Model.Package.Types
-import Flora.Model.Release.Guard (guardThatReleaseExists)
-import Flora.Model.Release.Types
 import OSV.Reference.Orphans
 
 -- | List deduplicated parsed Advisories
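Review bot: `CREATE INDEX ON releases (version);` leaves the index unnamed, whereas the sibling migration in this patch names every index explicitly; an explicit name such as `CREATE INDEX releases_version ON releases (version);` keeps the schema consistent and makes a later DROP INDEX deterministic. If the lookups this index is meant to serve are by package and version together, a composite index on the package reference column and `version` would match them better than `version` alone, but that column is not visible here, so confirm against the releases table definition.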
@@ -131,40 +129,26 @@ processAffectedPackage advisoryId affected = do , declarations = declarations } Update.insertAffectedPackage affectedPackageDAO - processAffectedVersionRanges affectedPackageId package.packageId affected.affectedVersions + processAffectedVersionRanges affectedPackageId affected.affectedVersions processAffectedVersionRanges :: ( IOE :> es , DB :> es - , Trace :> es - , Error (NonEmpty AdvisoryImportError) :> es ) => AffectedPackageId - -> PackageId -> [AffectedVersionRange] -> Eff es () -processAffectedVersionRanges affectedPackageId packageId affectedVersions = do +processAffectedVersionRanges affectedPackageId affectedVersions = do traverse_ ( \affectedVersion -> do affectedVersionId <- AffectedVersionId <$> liftIO UUID.nextRandom - introducedReleaseId <- do - release <- guardThatReleaseExists packageId affectedVersion.affectedVersionRangeIntroduced $ \version -> - throwError (NonEmpty.singleton $ AffectedVersionNotFound packageId version) - pure release.releaseId - mFixedReleaseId <- case affectedVersion.affectedVersionRangeFixed of - Nothing -> pure Nothing - Just version -> do - release <- guardThatReleaseExists packageId version $ \releaseVersion -> - throwError (NonEmpty.singleton $ AffectedVersionNotFound packageId releaseVersion) - pure $ Just release.releaseId let versionRangeDAO = AffectedVersionRangeDAO { affectedVersionId = affectedVersionId , affectedPackageId = affectedPackageId - , introducedVersion = introducedReleaseId - , fixedVersion = mFixedReleaseId + , introducedVersion = affectedVersion.affectedVersionRangeIntroduced + , fixedVersion = affectedVersion.affectedVersionRangeFixed } - Update.insertAffectedVersionRange versionRangeDAO ) affectedVersions diff --git a/src/advisories/Advisories/Model/Affected/Types.hs b/src/advisories/Advisories/Model/Affected/Types.hs index 7350a715..30dbe316 100644 --- a/src/advisories/Advisories/Model/Affected/Types.hs +++ b/src/advisories/Advisories/Model/Affected/Types.hs 
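Review bot: Removing the two `guardThatReleaseExists` checks means an advisory whose declared version matches no known release is now stored silently, and with `Trace :> es` and the `PackageId` argument dropped from the signature there is no longer any place in `processAffectedVersionRanges` to surface that case. Since the commit message treats an unknown version as expected rather than an error, a warning-level trace when `affectedVersion.affectedVersionRangeIntroduced` (or the fixed version) has no matching release would keep data-entry mistakes in advisories visible without rejecting the import; that would mean keeping `Trace :> es` and the `PackageId` parameter. `AffectedVersionNotFound` is no longer raised from this function, so check whether it still has another producer before keeping it. Nothing here verifies that the fixed version is not earlier than the introduced one, which the previous release-id lookup did not verify either. The enclosing `processAffectedPackage` starts outside the hunk.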
@@ -10,7 +10,7 @@ import Database.PostgreSQL.Simple (FromRow, ToRow)
 import Database.PostgreSQL.Simple.FromField
 import Database.PostgreSQL.Simple.Newtypes
 import Database.PostgreSQL.Simple.ToField
-import Distribution.Types.VersionRange (VersionRange)
+import Distribution.Version
 import GHC.Generics
 import Security.Advisories.Core.Advisory
 import Security.CVSS (CVSS)
@@ -22,7 +22,6 @@ import Advisories.System.Orphans ()
 import Distribution.Orphans.ConfVar ()
 import Distribution.Orphans.Version ()
 import Flora.Model.Package.Types
-import Flora.Model.Release.Types
 
 newtype AffectedPackageId = AffectedPackageId {getAffectedPackageId :: UUID}
 deriving stock (Generic, Show)
@@ -65,8 +64,8 @@ newtype AffectedVersionId = AffectedVersionId {getAffectedVersionId :: UUID}
 data AffectedVersionRangeDAO = AffectedVersionRangeDAO
 { affectedVersionId :: AffectedVersionId
 , affectedPackageId :: AffectedPackageId
- , introducedVersion :: ReleaseId
- , fixedVersion :: Maybe ReleaseId
+ , introducedVersion :: Version
+ , fixedVersion :: Maybe Version
 }
 deriving stock (Show, Generic)
 deriving anyclass (FromRow, ToRow, NFData)
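Review bot: `import Distribution.Version` replaces an explicit import list with an unqualified wildcard import of a large Cabal module, which pulls names such as `anyVersion` and `withinRange` into scope and makes it harder to see which identifiers this module actually depends on. Prefer `import Distribution.Version (Version, VersionRange)`, keeping `VersionRange` only if it is still used elsewhere in the file, which this hunk does not show.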
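Review bot: The two retyped fields of `AffectedVersionRangeDAO` carry no documentation, and after this change their meaning is no longer implied by a foreign key: they hold the versions as declared by the advisory, which the commit message says need not correspond to any release row. Field comments such as `introducedVersion :: Version -- ^ First affected version as declared by the advisory; may not match any stored release` and `fixedVersion :: Maybe Version -- ^ First fixed version, if any, as declared by the advisory` would record that for the next reader. The `int[]` round-trip now depends on the `ToField`/`FromField` instances supplied by `Distribution.Orphans.Version ()`, which are not visible in this patch; worth confirming they encode every component of the version branch so stored ranges compare correctly.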