[FLORA-61] Start the data model for security advisories #762
Conversation
tchoutri
added
the
Hackathon
|
@MangoIV The standalone syntax for NFData does not work if the type does not implement Generic |
tchoutri
force-pushed
the
security-advisories-db-schema
branch
2 times, most recently
from
c98b332 to
3623a55
Compare
I mistook that for granted. |
tchoutri
force-pushed
the
security-advisories-db-schema
branch
4 times, most recently
from
83ebac9 to
7f19d24
Compare
tchoutri
changed the title
|
@TristanCacqueray @blackheaven @frasertweedale Please let me know what you think of this. For the moment I'm filing advisories of the GHC components (haddock included) in the |
There was a problem hiding this comment.
I had expected some place to asynchronously propagate a package to be affected to all its reverse dependencies, am I missing where that happens? Or is that a futurework?
I think the data model is fine etc. though.
With regards to actually using this, here's what I imagine:
- a new internal endpoint (or whatever mechanism you use) to invoke the download of the advisories)
- this spawns a process that starts to go through the advisories and for each of them, fetches the reverse deps which each gets a process itself that goes through their reverse deps
- to make sure that not too many processes are spawned, you can use a
QSem(quantity semaphore) which the processes block on if there's already enough of them chewing.
tchoutri
force-pushed
the
security-advisories-db-schema
branch
2 times, most recently
from
3087f97 to
6be5f6a
Compare
|
@MangoIV yes, the propagation of the information is the next PR, I just wanted to focus on the data model here. :) |
src/advisories/Advisories/Import.hs
Outdated
| Failure failures -> | ||
| throwError failures | ||
| Success advisories -> | ||
| forM_ advisories $ \advisory -> processAdvisory advisory |
There was a problem hiding this comment.
| forM_ advisories $ \advisory -> processAdvisory advisory | |
| mapM_ processAdvisory advisories |
There was a problem hiding this comment.
@blackheaven I'm interested in how I could become less coupled to hsec! :)
tchoutri
force-pushed
the
security-advisories-db-schema
branch
2 times, most recently
from
ed708a5 to
97426f4
Compare
tchoutri
force-pushed
the
security-advisories-db-schema
branch
2 times, most recently
from
676a8c3 to
3e40540
Compare
tchoutri
force-pushed
the
security-advisories-db-schema
branch
from
3e40540 to
29cd72d
Compare
tchoutri
added
merge me
Proposed changes
This PR introduces the initial data model for security advisories.
The database components are as follow:
security_advisories, which encode most of the metadata, and to where affected packages referaffected_packagesrepresent the packages affected by an advisory, pointing to the advisory. Affected packages have one or multiple affected version ranges associated.affected_version_rangesrepresent a link between an affected package, and the releases where the vulnerability is introduced and fixed.Linked
Contributor checklist
./docs/docsif a public feature has a behaviour change