
Fix the methods for finding vulnerable package versions/callables in MetadataDao #433

Merged: 3 commits merged on Mar 28, 2022

Conversation

mir-am (Contributor) commented Mar 25, 2022

Description

Specifically, this PR makes changes to the findVulnerablePackageVersions and findVulnerableCallables methods by using the introduced vulnerability tables in #316.

Motivation and context

After the merge of #316, the vulnerabilities field is no longer stored in the metadata field of the package_versions and callables. Therefore, it is necessary to adapt the mentioned methods for finding vulnerable package versions/callables.

Testing

Tested with several vulnerable package versions and callables using the production metadata DB.

Additional context

The method findVulnerablePackageVersions needs this fix for the vulnerability chain finder here.

MagielBruntink (Member) commented

@mir-am It is not true that vulnerability metadata is no longer inserted into callables and package-versions. That still happens, but the inserted data is more limited than before.

MagielBruntink (Member) commented

But it's still a good idea to use the vulnerability tables instead of the JSON metadata field. So this change LGTM. There are some build errors to be fixed, however.

mir-am (Contributor, Author) commented Mar 28, 2022

> But it's still a good idea to use the vulnerability tables instead of the JSON metadata field. So this change LGTM. There are some build errors to be fixed, however.

Thanks for looking into the PR.
The build errors happened after 789cb6d. It is unrelated to this PR. Maybe @proksch knows how to fix the build error.

proksch (Contributor) commented Mar 28, 2022

Sorry, I was not aware that the Jacoco version bump had an effect on the build, it was running locally and also on the Windows GitHub runner... the problem should be fixed now (see #435).

mir-am force-pushed the fix-find-vuln-metadata branch from 42778db to fdb91f0 on March 28, 2022 16:56

mir-am (Contributor, Author) commented Mar 28, 2022

@MagielBruntink, we've fixed the build error. Can I proceed with merging the PR?

MagielBruntink (Member) commented

Go ahead!

mir-am merged commit ccdf119 into develop on Mar 28, 2022
mir-am deleted the fix-find-vuln-metadata branch on March 28, 2022 20:43
Labels: bug (Something isn't working)