Spike: Should we import CVEs and affected packages in separate tables?

Topic to Evaluate

Right now the existing vulnerability_advisories table of the main database mixes two types of information:

  • generic information on the security advisory (AKA "CVE", though an advisory might not have a CVE id)
  • information on the affected package, like the package type and name

This matches the YAML schema of gemnasium-db.

However, another option would be to store the CVE and the (reference to the) affected package in two separate DB tables, like trivy-db does.

We should compare these two options. See &8025 (comment 1342700608)

The data exported by License DB should probably be organized accordingly, to facilitate the import into the Rails backend.

Tasks to Evaluate

Compare the two options, and consider the following aspects:

  • complexity
  • extensibility
  • storage
  • efficiency of import (upserts)
  • efficiency of scan (select)
  • possible collisions
  • data integrity

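To make the storage, upsert and data-integrity aspects concrete, here is an added example (not code from this issue, gemnasium-db or trivy-db) that builds both shapes in an in-memory SQLite database. The table and column names, the advisory id and the package data are all constructed for illustration. It shows the redundant-details hazard of the single table (a partial re-import leaves rows for the same advisory disagreeing) and, for the two-table shape, how foreign-key enforcement turns an affected-package row that arrives before its advisory into an import error rather than a dangling reference.

```python
import sqlite3

# Constructed sample data (not a real advisory): one advisory affecting two packages.
ADVISORY = ("GHSA-EXAMPLE-0001", "Example deserialization flaw", "high")
AFFECTED = [("npm", "left-pad", "<1.3.0"), ("gem", "left_pad", "<0.9.0")]

def single_table():
    """Option 1 (current shape): advisory details repeated on every affected-package row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE vulnerability_advisories (
        advisory_id TEXT, title TEXT, severity TEXT,
        package_type TEXT, package_name TEXT, affected_range TEXT,
        PRIMARY KEY (advisory_id, package_type, package_name))""")
    upsert = """INSERT INTO vulnerability_advisories VALUES (?, ?, ?, ?, ?, ?)
        ON CONFLICT (advisory_id, package_type, package_name) DO UPDATE SET
        title = excluded.title, severity = excluded.severity, affected_range = excluded.affected_range"""
    for pkg in AFFECTED:
        conn.execute(upsert, ADVISORY + pkg)
    # A later export that revises the severity but only touches the npm entry leaves
    # the two rows for the same advisory disagreeing: the redundant-details hazard.
    conn.execute(upsert, (ADVISORY[0], ADVISORY[1], "critical") + AFFECTED[0])
    return conn.execute("SELECT COUNT(DISTINCT severity) FROM vulnerability_advisories WHERE advisory_id = ?",
                        (ADVISORY[0],)).fetchone()[0]  # 2: the details diverged

def two_tables():
    """Option 2: advisory stored once; affected packages reference it by foreign key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.execute("CREATE TABLE advisories (advisory_id TEXT PRIMARY KEY, title TEXT, severity TEXT)")
    conn.execute("""CREATE TABLE affected_packages (
        advisory_id TEXT REFERENCES advisories(advisory_id),
        package_type TEXT, package_name TEXT, affected_range TEXT,
        PRIMARY KEY (advisory_id, package_type, package_name))""")
    # Importing a package row before its advisory is the "broken ref" case; with FK
    # enforcement the import fails loudly instead of leaving a dangling reference.
    try:
        conn.execute("INSERT INTO affected_packages VALUES (?, ?, ?, ?)", (ADVISORY[0],) + AFFECTED[0])
        broken_ref_rejected = False
    except sqlite3.IntegrityError:
        broken_ref_rejected = True
    # Correct sync order: upsert the advisory first, then its packages.
    conn.execute("""INSERT INTO advisories VALUES (?, ?, ?) ON CONFLICT (advisory_id)
        DO UPDATE SET title = excluded.title, severity = excluded.severity""", ADVISORY)
    for pkg in AFFECTED:
        conn.execute("INSERT OR REPLACE INTO affected_packages VALUES (?, ?, ?, ?)", (ADVISORY[0],) + pkg)
    # Scan path: one join; severity comes from a single row, so it cannot diverge per package.
    rows = conn.execute("""SELECT p.package_type, p.package_name, a.severity
        FROM affected_packages p JOIN advisories a USING (advisory_id)
        WHERE p.package_name = ?""", ("left-pad",)).fetchall()
    return broken_ref_rejected, rows
```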
/cc @ifrenkel

Auto-Summary 🤖

Discoto Usage

Points

Discussion points are declared by headings, list items, and single lines that start with the text (case-insensitive) point:. For example, the following are all valid points:

  • #### POINT: This is a point
  • * point: This is a point
  • + Point: This is a point
  • - pOINT: This is a point
  • point: This is a **point**

Note that any markdown used in the point text will also be propagated into the topic summaries.

Topics

Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.

Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with (case-insensitive) topic:. For example, the following are all valid topics:

  • # Topic: Inline discussion topic 1
  • ## TOPIC: **{+A Green, bolded topic+}**
  • ### tOpIc: Another topic

Quick Actions

Action                          Description
/discuss sub-topic TITLE        Create an issue for a sub-topic. Does not work in epics
/discuss link ISSUABLE-LINK     Link an issuable as a child of this discussion

Last updated by this job

  • TOPIC Single table #404996 (comment 1343767187)
    • Redundant information, detrimental to storage #404996 (comment 1343767187)
    • Exports have self-contained objects #404996 (comment 1343767187)
    • Possible inconsistencies b/w redundant CVE details #404996 (comment 1343767187)
  • TOPIC Two tables #404996 (comment 1343782895)
    • No redundant CVE details, saves storage #404996 (comment 1343782895)
    • Possibility of broken ref to a CVE that hasn't been imported #404996 (comment 1343782895)
    • Sync needs to be designed to avoid broken refs to CVEs #404996 (comment 1343782895)
    • CVE details are consistent for all affected packages #404996 (comment 1343782895)
    • CVE details cannot diverge from one package to another #404996 (comment 1343782895)
    • No merge in the export #404996 (comment 1343782895)

Discoto Settings
---
summary:
  max_items: -1
  sort_by: created
  sort_direction: ascending

See the settings schema for details.

Edited Apr 06, 2023 by Lucas Charles