Add DB Schema changes for ingesting OS package advisories

Goal

Prepare the license-db to ingest OS package advisories. The source of the advisories is the trivy-db-glad.

Store raw data in a single jsonb column.
Extract values needed to support UPSERTs, and store them in separate DB columns. These values are NOT removed from the raw JSON document. This is for indexing only.
Process the raw data during the export.

The ingestion is simple.
The export can evolve and leverage more fields w/o re-ingesting anything. For instance, in the future we could export YAML fields of the GLAD advisories we haven't leveraged so far. We wouldn't need to re-ingest any YAML file.
This makes the export complex, relative to the ingestion.

We need to introduce the following tables

This table contains all the advisories defined by the vulnerability bucket in the trivy-db.

id: is a PK. Just a sequential big int
cve_id: It will contain the vulnerability identifier as a string
last_updated: a timestamp that will be updated on any modification
advisory: a jsonb column that contains the vulnerability from the trivy-db as is. Without any modifications.

This table contains mapping of trivy-db vulnerabilities to OS packages. It also contains information about fixed versions.

id: A sequential big int PK
distro_name: the name of the distro. For example alpine
distro_version: the version of the distro. For example 3.1.
package_name: the name of the package. For example curl.
advisory_id: the id of the advisory. This field is a FK.
node_value: This value contains a json object containing one or more fields of the trivy-db Advisory struct. Usually OS packages have the FixedVersion field which is what we intent to support in the first iteration.

Unique constrain: the combination of distro_name, distro_version, package_name and advisory_id.

Edited Sep 21, 2023 by Nick Ilieskou