Add support for vulnerability data to entities model #6875
Have we verified that when
- `PackageDeprecation` is deleted, it deletes the corresponding rows in the `PackageDeprecationCVE`/`PackageDeprecationCWE`s tables?
- `CVE`/`CWE` is deleted, it deletes the corresponding rows in the `PackageDeprecationCVE`/`PackageDeprecationCWE`s tables?

Or is this not the behavior we want to have?
This is a key insight.
This is quite important because we need to understand what to do when a CVE/CWE is no longer present in the data source or if some "delete" signal is presented to us. I think the easiest approach is to mandate that CVE/CWEs are never deleted. If this is already the case in the data source, then we're fine. Otherwise, we need to verify that it's okay for us to keep a deleted CVE/CWE in our database forever.
I think we can assume these IDs are never hard-deleted, although I couldn't find an official statement on that.
In general, MITRE will maintain CWE as long as it serves the community to do so.
As for CVE IDs, these will be marked with a "reject" state and the "description" field will be labeled as such in the data source, according to this source.
Verified delete behavior:
- `PackageDeprecation`, it properly deletes the corresponding rows in the `PackageDeprecationCwe` and `PackageDeprecationCve` tables, but doesn't delete the `CWE` or `CVE` record.
- `CVE` or `CWE`, it properly deletes the corresponding rows in the `PackageDeprecationCwe` and `PackageDeprecationCve` tables, but doesn't delete the `PackageDeprecation` record.

However, we should never delete `CVE` or `CWE` records (adding a `Status` column to those entities for when a CVE/CWE gets rejected after publication, so we can filter them out).