
Add versions attribute to affected packages

Igor Frenkel requested to merge 417884-pm-add-affected-package-versions into master

What does this MR do and why?

Add support for the optional versions attribute used in the GitLab Advisory Database to describe golang pseudoversions.

This is one of 2 migrations that are part of #417884 (closed)

  • update the table and model 👈
  • update package metadata ingestion

JSON Schema

The json schema was mostly copied from the GitLab Advisory Database https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/e0aa8fad76b3013e2afb5336e25ca618675f89a2/ci/schema/schema.json#L266-334

A few changes were made:

  • update titles with somewhat cleaned-up case
  • add limits (if they didn't exist) to ensure an upper limit on what can be added to the database
    • #/properties/versions (set minItems/maxItems => 0/32)
    • #/properties/versions/items/properties/number (set max char string in regex => 1/32)
    • #/properties/versions/items/properties/commit/tags (set minItems/maxItems => 0/16)
    • #/properties/versions/items/properties/commit/tags/items (set max char string in regex => 32)

diff

These numbers come from running the script below against https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/tree/e0aa8fad76b3013e2afb5336e25ca618675f89a2/

$ ruby count-versions.rb

attr stats:
  most_versions: {:max=>17, :where=>"go/github.com/kubernetes/kubernetes/CVE-2017-1002102.yml"}
  longest_number: {:max=>28, :where=>"go/github.com/minio/minio/CVE-2020-11012.yml"}
  most_tags: {:max=>5, :where=>"go/github.com/rancher/rancher/CVE-2021-4200.yml"}
  longest_tag: {:max=>28, :where=>"go/github.com/minio/minio/CVE-2020-11012.yml"}
  longest_sha: {:max=>40, :where=>"go/gopkg.in/yaml.v3/CVE-2022-3064.yml"}
  longest_timestamp: {:max=>14, :where=>"go/gopkg.in/yaml.v3/CVE-2022-3064.yml"}
advisory stats for versions attribute
  largest: 1189
  mean: 110.54835680751174
  median: 70

count-versions.rb
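The attached count-versions.rb is not reproduced on this page. The script below is an added example (not the MR's script and not GitLab code) that does the same kind of survey over a couple of constructed advisory files embedded inline, then checks each `versions` array against the bounds listed above. It assumes the entry shape the stats imply (`number`, `commit.tags`, `commit.sha`, `commit.timestamp`), assumes the "advisory stats" measure the serialized JSON byte size of the attribute, and stands in a `\S{1,N}` pattern for the regexes the MR does not show.

```ruby
require 'yaml'
require 'json'

# Upper bounds chosen in this MR for the jsonb `versions` attribute
# (assumed mapping from the schema paths listed in the description).
LIMITS = {
  max_versions:   32, # #/properties/versions maxItems
  max_number_len: 32, # .../items/properties/number string length bound
  max_tags:       16, # .../commit/tags maxItems
  max_tag_len:    32, # .../commit/tags/items string length bound
}.freeze

# The MR does not show the regexes; `\S{1,N}` (no whitespace, bounded length)
# is an assumption standing in for them.
NUMBER_RE = /\A\S{1,#{LIMITS[:max_number_len]}}\z/
TAG_RE    = /\A\S{1,#{LIMITS[:max_tag_len]}}\z/

# Constructed advisories in the shape the stats imply (number, commit.tags,
# commit.sha, commit.timestamp). Not real advisory data.
SAMPLE_ADVISORIES = {
  'go/example.com/alpha/CVE-0000-0001.yml' => <<~YAML,
    identifier: CVE-0000-0001
    versions:
      - number: v1.2.3
        commit:
          tags: [v1.2.3]
          sha: "0123456789abcdef0123456789abcdef01234567"
          timestamp: "20200101120000"
      - number: v1.2.4
        commit:
          tags: [v1.2.4, release-1.2]
          sha: "89abcdef0123456789abcdef0123456789abcdef"
          timestamp: "20200202120000"
  YAML
  'go/example.com/beta/CVE-0000-0002.yml' => <<~YAML,
    identifier: CVE-0000-0002
    versions:
      - number: v1.9.0-beta.2+incompatible
        commit:
          tags: []
          sha: "fedcba9876543210fedcba9876543210fedcba98"
          timestamp: "20200301000000"
  YAML
}.freeze

# Per-attribute maxima (with the file that set them) plus size statistics of
# the serialized `versions` array (JSON byte size is assumed as the metric).
def versions_stats(advisories)
  attrs = Hash.new { |h, k| h[k] = { max: 0, where: nil } }
  sizes = []
  record = lambda do |key, value, path|
    attrs[key] = { max: value, where: path } if value > attrs[key][:max]
  end

  advisories.each do |path, yaml|
    versions = YAML.safe_load(yaml).fetch('versions', [])
    sizes << JSON.generate(versions).bytesize
    record.call(:most_versions, versions.size, path)
    versions.each do |v|
      commit = v['commit'] || {}
      tags = commit['tags'] || []
      record.call(:longest_number, v['number'].to_s.length, path)
      record.call(:most_tags, tags.size, path)
      tags.each { |t| record.call(:longest_tag, t.to_s.length, path) }
      record.call(:longest_sha, commit['sha'].to_s.length, path)
      record.call(:longest_timestamp, commit['timestamp'].to_s.length, path)
    end
  end
  return { attrs: attrs, sizes: {} } if sizes.empty?

  sorted = sizes.sort
  mid = sorted.size / 2
  median = sorted.size.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
  { attrs: attrs, sizes: { largest: sorted.last, mean: sizes.sum / sizes.size.to_f, median: median } }
end

# Violations of the chosen bounds for one advisory's versions array; an empty
# result means the value fits within the schema limits.
def limit_violations(versions)
  problems = []
  problems << "versions has #{versions.size} items (max #{LIMITS[:max_versions]})" if versions.size > LIMITS[:max_versions]
  versions.each_with_index do |v, i|
    problems << "versions[#{i}].number fails #{NUMBER_RE.source}" unless NUMBER_RE.match?(v['number'].to_s)
    tags = v.dig('commit', 'tags') || []
    problems << "versions[#{i}].commit.tags has #{tags.size} items (max #{LIMITS[:max_tags]})" if tags.size > LIMITS[:max_tags]
    tags.each_with_index do |t, j|
      problems << "versions[#{i}].commit.tags[#{j}] fails #{TAG_RE.source}" unless TAG_RE.match?(t.to_s)
    end
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  report = versions_stats(SAMPLE_ADVISORIES)
  puts 'attr stats:'
  report[:attrs].each { |k, v| puts "  #{k}: #{v.inspect}" }
  puts 'advisory stats for versions attribute'
  report[:sizes].each { |k, v| puts "  #{k}: #{v}" }
  SAMPLE_ADVISORIES.each do |path, yaml|
    problems = limit_violations(YAML.safe_load(yaml).fetch('versions', []))
    puts "#{path}: #{problems.empty? ? 'within limits' : problems.join('; ')}"
  end
end
```

Run against a real checkout, the `SAMPLE_ADVISORIES` hash would be replaced by reading the `go/**/*.yml` files; `limit_violations` is the check worth keeping around, since it reports exactly which bound a future advisory would trip before the schema rejects it.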

Output of migrate

└─[$] bundle exec rake db:migrate:main    [10:19:29]
main: == [advisory_lock_connection] object_id: 223940, pg_backend_pid: 9967
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrating ===========
main: -- add_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0022s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrated (0.0058s) ==

└─[$] bundle exec rake db:migrate:down:main VERSION=20230724185321    [10:22:01]
main: == [advisory_lock_connection] object_id: 224520, pg_backend_pid: 10360
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: reverting ===========
main: -- remove_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0017s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: reverted (0.0059s) ==

└─[$] bundle exec rake db:migrate:up:main VERSION=20230724185321    [10:22:26]
main: == [advisory_lock_connection] object_id: 223480, pg_backend_pid: 10830
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrating ===========
main: -- add_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0022s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrated (0.0055s) ==

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417884 (closed)

Edited by Igor Frenkel
