60847228 · Introduce Advisories to track arbitrary package advisories
Jamie Tanna authored and committed
    As a way to provide a better means to annotate certain dependencies with
    information about why the package(s), or certain versions of a package
    must not be used, we can introduce the concept of Advisories.
    
    This produces a new table, `advisories`, that can be used to insert
    arbitrary advisories for a package, such as "this package is no longer
    maintained" or "don't use this because of a security vulnerability".
    
    We can add a `db generate advisory` subcommand which can pre-seed with
    some community-provided package advisories, as an example of what can be
    done.
    
    We can use a more complicated query to perform this lookup using a
    `case / when` which allows us to perform more logic inside our query to
    look up the data, instead of performing the lookup in Go code.
    
    This uses an enum-style approach inside the database schema to provide a
    bit more control over the entries, as this is more likely to have custom
    SQL executed against it, so we want to make sure that we're not
    going to end up with out-of-sync data.
    
    Unfortunately sqlc seems to be unhappy when using multiple `INSERT`s, so
    we need to execute the query manually.
    
    Closes #45.
version_match.go
package advisory

// VersionMatchStrategy defines how the Advisory.Version, if present, should be compared lexicographically with a CurrentVersion
type VersionMatchStrategy = string

const (
	VersionMatchStrategyAny              = "ANY"
	VersionMatchStrategyEquals           = "EQUALS"
	VersionMatchStrategyLessThan         = "LESS_THAN"
	VersionMatchStrategyLessOrEqualTo    = "LESS_EQUAL"
	VersionMatchStrategyGreaterThan      = "GREATER_THAN"
	VersionMatchStrategyGreaterOrEqualTo = "GREATER_EQUAL"
)
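As an added example that is not part of the commit or the project's code, here is one way the strategies above could be applied in Go (the `Matches` function and its signature are this example's own), using the lexicographic comparison the comment describes. Note that lexicographic ordering places "1.10.0" before "1.9.0", so advisories pinned to a version boundary need that behaviour kept in mind.

```go
package main

import (
	"fmt"
	"strings"
)

// VersionMatchStrategy and its constants mirror version_match.go so that
// this example compiles on its own.
type VersionMatchStrategy = string

const (
	VersionMatchStrategyAny              = "ANY"
	VersionMatchStrategyEquals           = "EQUALS"
	VersionMatchStrategyLessThan         = "LESS_THAN"
	VersionMatchStrategyLessOrEqualTo    = "LESS_EQUAL"
	VersionMatchStrategyGreaterThan      = "GREATER_THAN"
	VersionMatchStrategyGreaterOrEqualTo = "GREATER_EQUAL"
)

// Matches reports whether an advisory pinned to advisoryVersion with the
// given strategy applies to currentVersion. Comparison is lexicographic, as
// the project's comment states, so "1.10.0" sorts before "1.9.0".
// This function is an assumption of the example, not project code.
func Matches(strategy VersionMatchStrategy, advisoryVersion, currentVersion string) bool {
	if strategy == VersionMatchStrategyAny || advisoryVersion == "" {
		return true // advisory is not version-specific
	}
	cmp := strings.Compare(currentVersion, advisoryVersion)
	switch strategy {
	case VersionMatchStrategyEquals:
		return cmp == 0
	case VersionMatchStrategyLessThan:
		return cmp < 0
	case VersionMatchStrategyLessOrEqualTo:
		return cmp <= 0
	case VersionMatchStrategyGreaterThan:
		return cmp > 0
	case VersionMatchStrategyGreaterOrEqualTo:
		return cmp >= 0
	}
	return false // unknown strategy; the enum column described in the commit should prevent this
}

func main() {
	// Constructed example: an advisory covering every version below 1.9.0.
	fmt.Println(Matches(VersionMatchStrategyLessThan, "1.9.0", "1.8.2"))  // true
	fmt.Println(Matches(VersionMatchStrategyLessThan, "1.9.0", "1.10.0")) // true as well: lexicographic, not semantic
}
```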