Add advisory package metadata

Igor Frenkelrequested to merge
375302-update-vulnerability-advisories-table into master

What does this MR do and why?

Add tables and models to represent advisories for public registry packages.

2 tables are added to normalize the dataset:

  • pm_advisories store generic information about the advisory itself
  • pm_affected_packages store the packages affected by this advisory

MR structure

  • add new tables, models and constraints 👈 this MR
  • add more complex constraints and validation (on jsonb and array columns)
  • add new tables (the MR couldn't be broken down as above because jsonb column can't be added without json schema validation, so the above 2 points merged into one)
  • drop unused advisory tables (vulnerability_advisories, sbom_vulnerable_component_versions)
    • vulnerability_advisories split into the 2 tables in this MR
    • sbom_vulnerable_component_versions will not be used to store vulneable components

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #375302 (closed) and #406596 (closed)

Edited by Igor Frenkel

Merge request reports