Skip to content

Add versions attribute to affected packages

Igor Frenkel requested to merge 417884-pm-add-affected-package-versions into master

What does this MR do and why?

Add support for the optional versions attribute used in the Gitlab Advisory Database to describe golang pseudoversions.

This is one of 2 migrations that are part of #417884 (closed)

  • update the table and model 👈
  • update package metadata ingestion

JSON Schema

The json schema was mostly copied from the GitLab Advisory Database https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/e0aa8fad76b3013e2afb5336e25ca618675f89a2/ci/schema/schema.json#L266-334

A few changes were made:

  • update titles with somewhat cleaned up case
  • adding limits (if they didn't exist) to ensure upper limit to what can be added to the database
    • #/properties/versions (set minItems/maxItems => 0/32)
    • #/properties/versions/items/properties/number (set max char string in regex => 1/32)
    • #/properties/versions/items/properties/commit/tags (set minItems/maxItems => 0/16)
    • #/properties/versions/items/properties/commit/tags/items (set max char string in regex => 32)

diff

These numbers come from running the script below against https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/tree/e0aa8fad76b3013e2afb5336e25ca618675f89a2/

$ ruby count-versions.rb

attr stats:
  most_versions: {:max=>17, :where=>"go/github.com/kubernetes/kubernetes/CVE-2017-1002102.yml"}
  longest_number: {:max=>28, :where=>"go/github.com/minio/minio/CVE-2020-11012.yml"}
  most_tags: {:max=>5, :where=>"go/github.com/rancher/rancher/CVE-2021-4200.yml"}
  longest_tag: {:max=>28, :where=>"go/github.com/minio/minio/CVE-2020-11012.yml"}
  longest_sha: {:max=>40, :where=>"go/gopkg.in/yaml.v3/CVE-2022-3064.yml"}
  longest_timestamp: {:max=>14, :where=>"go/gopkg.in/yaml.v3/CVE-2022-3064.yml"}
advisory stats for versions attribute
  largest: 1189
  mean: 110.54835680751174
  median: 70

count-versions.rb

Output of migrate

└─[$] bundle exec rake db:migrate:main                                                                                                                                                                                           [10:19:29]
main: == [advisory_lock_connection] object_id: 223940, pg_backend_pid: 9967
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrating ===========
main: -- add_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0022s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrated (0.0058s) ==

└─[$] bundle exec rake db:migrate:down:main VERSION=20230724185321                                                                                                                                                               [10:22:01]
main: == [advisory_lock_connection] object_id: 224520, pg_backend_pid: 10360
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: reverting ===========
main: -- remove_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0017s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: reverted (0.0059s) ==

└─[$] bundle exec rake db:migrate:up:main VERSION=20230724185321                                                                                                                                                                 [10:22:26]
main: == [advisory_lock_connection] object_id: 223480, pg_backend_pid: 10830
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrating ===========
main: -- add_column(:pm_affected_packages, :versions, :jsonb, {:default=>[], :null=>false})
main:    -> 0.0022s
main: == 20230724185321 PmAffectedPackagesAddVersionsAttribute: migrated (0.0055s) ==

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417884 (closed)

Edited by Igor Frenkel

Merge request reports

Loading