feat: add support for an 'upstream' field in the models #3172
jess-lowe merged 20 commits into google:master from
Conversation
another-rex
left a comment
Some minor code comments here, will discuss the rest in the design doc.
osv/models.py
Outdated
| @@ -762,7 +780,9 @@ def to_vulnerability(self, include_source=False, include_alias=True): | |||
| def to_vulnerability_async(self, include_source=False): | |||
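Review bot: the hunk header shows `to_vulnerability(self, include_source=False, include_alias=True)` while the context line keeps `to_vulnerability_async(self, include_source=False)`; the two signatures have drifted, so an async caller cannot request the same alias (or, once added, upstream) data as a sync caller. Either give `to_vulnerability_async` the same keyword parameters and forward them, or document in its docstring why the async path intentionally omits them.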
Do we want to add include_upstream and include_alias to this function?
osv/models.py
Outdated
| # Related IDs. | ||
| related: list[str] = ndb.StringProperty(repeated=True) | ||
| # Upstream IDs. | ||
| upstream: list[str] = ndb.StringProperty(repeated=True) |
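Review bot: the comment `# Upstream IDs.` on the new `upstream` property does not say whether this is the direct list taken from the import or the transitive closure, and since a separate `UpstreamGroup` model in the same change stores transitive upstreams, a reader of `Bug` cannot tell which one this field holds. Expand the comment to state that it is the raw, non-transitive list as imported, and consider a name that makes that explicit so the two are not confused when both are populated.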
Please rename this to upstream_raw as described in the doc.
Can you also expand the docstring above this to explain that these are upstream IDs taken directly from the import and do not include any transitive upstreams?
osv/models.py
Outdated
| class UpstreamGroup(ndb.Model): | ||
| """Upstream group for storing transitive upstreams of a Bug""" |
Can you expand the description here to explain why this is in a separate table rather than directly on the bug entry itself?
I.e. to prevent additional race conditions: by having it in a separate table, only the worker will modify Bugs directly.
This PR aims to prepare the models.py file to support the 'upstream' field to be introduced by ossf/osv-schema#312. Part of addressing #3052

This will calculate all of the transitive upstream dependencies of a given CVE. Hierarchy will be calculated and determined by the frontend in a later PR.
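The closure described in the PR description (raw per-bug upstream lists in, transitive upstream sets out) as an added, stand-alone example. This is not code from the PR or from osv.dev; it uses plain dicts instead of ndb models, the bug IDs and the `UPSTREAM_RAW` mapping are constructed sample data, and the function names are hypothetical. It goes slightly beyond the description by handling the two cases a worker must cope with: an ID that is referenced but never imported, and a cycle in the upstream references.

```python
from collections import deque

# Constructed sample input (not real advisories): bug ID -> direct upstream IDs
# exactly as they would arrive from the import, i.e. no transitive expansion.
# CVE-2024-0002 and CVE-2024-0003 reference each other to exercise cycle handling,
# and CVE-2024-0001 is referenced but imported with no upstreams of its own.
UPSTREAM_RAW = {
    "DIST-2024-1": ["DIST-2024-2", "CVE-2024-0001"],
    "DIST-2024-2": ["CVE-2024-0001", "CVE-2024-0002"],
    "CVE-2024-0002": ["CVE-2024-0003"],
    "CVE-2024-0003": ["CVE-2024-0002"],
    "CVE-2024-0001": [],
}


def transitive_upstreams(bug_id, upstream_raw):
    """Return every ID reachable by following upstream_raw edges from bug_id.

    Breadth-first walk over the raw lists. Each ID is added to `seen` at most
    once, so a cycle terminates, and the starting bug is never listed as its
    own upstream. An ID with no entry in upstream_raw (not imported, or imported
    with an empty list) is treated as a leaf rather than an error.
    """
    seen = set()
    queue = deque(upstream_raw.get(bug_id, []))
    while queue:
        current = queue.popleft()
        if current == bug_id or current in seen:
            continue
        seen.add(current)
        queue.extend(upstream_raw.get(current, []))
    return sorted(seen)


def build_upstream_groups(upstream_raw):
    """Compute the transitive set for every imported bug.

    The result is the data that belongs in a separate table (the PR's
    UpstreamGroup) rather than being written back onto each Bug: computing it
    here never mutates upstream_raw, so the importer stays the only writer of
    the raw per-bug lists.
    """
    return {bug_id: transitive_upstreams(bug_id, upstream_raw)
            for bug_id in upstream_raw}


if __name__ == "__main__":
    for bug_id, group in build_upstream_groups(UPSTREAM_RAW).items():
        print(bug_id, "->", group)
```

The walk deliberately reads only `upstream_raw` and produces a new mapping, which mirrors the separation the review discusses: the transitive closure can be recomputed from the raw lists at any time, and a stale or missing group never changes what the import wrote.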