Store affected version ranges by version instead of release ID (#791)

This allows for greater flexiblity when it comes to declared versions
that do not appear in the affected package repository

migrations/20241014081932_create_affected_version_ranges.sql

@@ -1,15 +1,15 @@
 CREATE TABLE IF NOT EXISTS affected_version_ranges (
     affected_version_id uuid PRIMARY KEY
   , affected_package_id uuid REFERENCES affected_packages NOT NULL
-  , introduced_version uuid REFERENCES releases (release_id) NOT NULL
-  , fixed_version uuid REFERENCES releases (release_id)
+  , introduced_version int[] NOT NULL
+  , fixed_version int[]
 );
 
 CREATE INDEX affected_version_ranges_affected_package_id_fkey
   ON affected_version_ranges (affected_package_id);
 
-CREATE INDEX affected_version_ranges_introduced_version_fkey
+CREATE INDEX affected_version_ranges_introduced_version
   ON affected_version_ranges (introduced_version);
 
-CREATE INDEX affected_version_ranges_fixed_version_fkey
+CREATE INDEX affected_version_ranges_fixed_version
   ON affected_version_ranges (fixed_version);

migrations/20241116223018_add_index_on_release_version.sql

@@ -0,0 +1 @@
+CREATE INDEX ON releases (version);

src/advisories/Advisories/Import.hs

@@ -25,8 +25,6 @@ import Advisories.Model.Affected.Update qualified as Update
 import Flora.Import.Package
 import Flora.Model.Package.Guard (guardThatPackageExists)
 import Flora.Model.Package.Types
-import Flora.Model.Release.Guard (guardThatReleaseExists)
-import Flora.Model.Release.Types
 import OSV.Reference.Orphans
 
 -- | List deduplicated parsed Advisories
@@ -131,40 +129,26 @@ processAffectedPackage advisoryId affected = do
           , declarations = declarations
           }
   Update.insertAffectedPackage affectedPackageDAO
-  processAffectedVersionRanges affectedPackageId package.packageId affected.affectedVersions
+  processAffectedVersionRanges affectedPackageId affected.affectedVersions
 
 processAffectedVersionRanges
   :: ( IOE :> es
      , DB :> es
-     , Trace :> es
-     , Error (NonEmpty AdvisoryImportError) :> es
      )
   => AffectedPackageId
-  -> PackageId
   -> [AffectedVersionRange]
   -> Eff es ()
-processAffectedVersionRanges affectedPackageId packageId affectedVersions = do
+processAffectedVersionRanges affectedPackageId affectedVersions = do
   traverse_
     ( \affectedVersion -> do
         affectedVersionId <- AffectedVersionId <$> liftIO UUID.nextRandom
-        introducedReleaseId <- do
-          release <- guardThatReleaseExists packageId affectedVersion.affectedVersionRangeIntroduced $ \version ->
-            throwError (NonEmpty.singleton $ AffectedVersionNotFound packageId version)
-          pure release.releaseId
-        mFixedReleaseId <- case affectedVersion.affectedVersionRangeFixed of
-          Nothing -> pure Nothing
-          Just version -> do
-            release <- guardThatReleaseExists packageId version $ \releaseVersion ->
-              throwError (NonEmpty.singleton $ AffectedVersionNotFound packageId releaseVersion)
-            pure $ Just release.releaseId
         let versionRangeDAO =
               AffectedVersionRangeDAO
                 { affectedVersionId = affectedVersionId
                 , affectedPackageId = affectedPackageId
-                , introducedVersion = introducedReleaseId
-                , fixedVersion = mFixedReleaseId
+                , introducedVersion = affectedVersion.affectedVersionRangeIntroduced
+                , fixedVersion = affectedVersion.affectedVersionRangeFixed
                 }
-
         Update.insertAffectedVersionRange versionRangeDAO
     )
     affectedVersions

src/advisories/Advisories/Model/Affected/Types.hs

@@ -10,7 +10,7 @@ import Database.PostgreSQL.Simple (FromRow, ToRow)
 import Database.PostgreSQL.Simple.FromField
 import Database.PostgreSQL.Simple.Newtypes
 import Database.PostgreSQL.Simple.ToField
-import Distribution.Types.VersionRange (VersionRange)
+import Distribution.Version
 import GHC.Generics
 import Security.Advisories.Core.Advisory
 import Security.CVSS (CVSS)
@@ -22,7 +22,6 @@ import Advisories.System.Orphans ()
 import Distribution.Orphans.ConfVar ()
 import Distribution.Orphans.Version ()
 import Flora.Model.Package.Types
-import Flora.Model.Release.Types
 
 newtype AffectedPackageId = AffectedPackageId {getAffectedPackageId :: UUID}
   deriving stock (Generic, Show)
@@ -65,8 +64,8 @@ newtype AffectedVersionId = AffectedVersionId {getAffectedVersionId :: UUID}
 data AffectedVersionRangeDAO = AffectedVersionRangeDAO
   { affectedVersionId :: AffectedVersionId
   , affectedPackageId :: AffectedPackageId
-  , introducedVersion :: ReleaseId
-  , fixedVersion :: Maybe ReleaseId
+  , introducedVersion :: Version
+  , fixedVersion :: Maybe Version
   }
   deriving stock (Show, Generic)
   deriving anyclass (FromRow, ToRow, NFData)