aboutcode-org/vulnerablecode #1609 (Closed)

Description
See the attached zip for a design discussed with @ziadhany and @TG1999
federatedcode-data-structure.zip
The approach would be to have separate trees/repos for package metadata and vulnerability metadata, and have a cross-reference from packages to vulns in packages, and the other way around in vulnerabilities.
The file tree would look more or less like this:
```
./aboutcode-vulnerabilities-1223
./aboutcode-vulnerabilities-1223/3434
./aboutcode-vulnerabilities-1223/3434/VCID-1223-3434-34343
./aboutcode-vulnerabilities-1223/3434/VCID-1223-3434-34343/advisories
./aboutcode-vulnerabilities-1223/3434/VCID-1223-3434-34343/VCID-1223-3434-34343.yml
./aboutcode-packages-ed5
./aboutcode-packages-ed5/maven
./aboutcode-packages-ed5/maven/org.apache.log4j
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.4
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/vulnerabilities.yml
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/ossf-scorecard
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/ossf-scorecard/scorecard.json
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/spdx
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/cyclonedx
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/scancode-toolkit
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/scancode-toolkit/scancode-toolkit-scan.json
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/clearlydefined-curation
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/vulnerabilities.yml
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/osselot
./aboutcode-packages-ed5/maven/org.apache.log4j/log4j-core/versions/1.2.3/osselot/osselot-spdx.json
```
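Path helpers for the two-tree layout sketched above, as an added example (it is not code from this issue or from the vulnerablecode project). It maps a VCID to its directory and record in the vulnerabilities tree, maps a purl to its `versions/.../vulnerabilities.yml` in the packages tree, recovers the VCID from a path, and checks that the two cross-references (packages to vulns, vulns to packages) agree. The sharding rules are inferred from the sample tree and are assumptions: the vulnerabilities repo suffix is taken to be the first numeric segment of the VCID and the sub-directory the second; the packages repo suffix (`ed5` in the sample) has no stated derivation, so the caller passes it in. The purl matcher is a deliberately minimal one for `pkg:<type>/[<namespace>/]<name>[@<version>]`.

```python
"""Path helpers for the packages tree + vulnerabilities tree layout.

Added example for this design discussion, not vulnerablecode project code.
Assumed sharding rules (inferred from the sample tree):
  - vulnerabilities repo suffix = 1st numeric segment of the VCID (1223)
  - vulnerability sub-directory = 2nd numeric segment of the VCID (3434)
The packages repo suffix ("ed5" in the sample) has no stated derivation, so
the caller supplies it.
"""
import re
from pathlib import PurePosixPath

VCID_RE = re.compile(r"^VCID-(?P<a>\d+)-(?P<b>\d+)-(?P<c>\d+)$")

# Minimal purl matcher: pkg:<type>/[<namespace>/]<name>[@<version>]
# (qualifiers and subpaths are not handled; enough for the paths above).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^/@]+)/)?"
    r"(?P<name>[^/@]+)(?:@(?P<version>[^/@?#]+))?$"
)


def vulnerability_dir(vcid: str) -> PurePosixPath:
    """aboutcode-vulnerabilities-<a>/<b>/<vcid>/ (assumed sharding)."""
    m = VCID_RE.match(vcid)
    if not m:
        raise ValueError(f"not a VCID: {vcid!r}")
    return PurePosixPath(f"aboutcode-vulnerabilities-{m['a']}") / m["b"] / vcid


def vulnerability_record(vcid: str) -> PurePosixPath:
    """The <vcid>.yml record inside the vulnerability directory."""
    return vulnerability_dir(vcid) / f"{vcid}.yml"


def advisories_dir(vcid: str) -> PurePosixPath:
    """The advisories/ directory next to the <vcid>.yml record."""
    return vulnerability_dir(vcid) / "advisories"


def package_dir(purl: str, repo_suffix: str) -> PurePosixPath:
    """aboutcode-packages-<suffix>/<type>/[<namespace>/]<name>/versions[/<version>]"""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl!r}")
    parts = [f"aboutcode-packages-{repo_suffix}", m["type"]]
    if m["namespace"]:
        parts.append(m["namespace"])
    parts += [m["name"], "versions"]
    if m["version"]:
        parts.append(m["version"])
    return PurePosixPath(*parts)


def package_vulnerabilities_file(purl: str, repo_suffix: str) -> PurePosixPath:
    """vulnerabilities.yml for one version (purl with @version) or for the
    whole package (purl without a version), both of which the sample tree has."""
    return package_dir(purl, repo_suffix) / "vulnerabilities.yml"


def vcid_from_path(path: str) -> str:
    """Recover the VCID from any path at or below a vulnerability directory."""
    for part in PurePosixPath(path).parts:
        if VCID_RE.match(part):
            return part
    raise ValueError(f"no VCID in path: {path!r}")


def check_cross_references(package_refs, vulnerability_refs):
    """Both trees carry the link (purl -> VCIDs in the packages tree,
    VCID -> purls in the vulnerabilities tree). Return the (purl, vcid)
    pairs recorded on one side only: the inconsistencies a sync would repair."""
    forward = {(p, v) for p, vcids in package_refs.items() for v in vcids}
    backward = {(p, v) for v, purls in vulnerability_refs.items() for p in purls}
    return sorted(forward ^ backward)


if __name__ == "__main__":
    print(vulnerability_record("VCID-1223-3434-34343"))
    print(package_vulnerabilities_file("pkg:maven/org.apache.log4j/log4j-core@1.2.3", "ed5"))
    # Constructed sample references, not data from the issue: 1.2.4 is
    # listed on the vulnerability side only, so it is reported as a mismatch.
    print(check_cross_references(
        {"pkg:maven/org.apache.log4j/log4j-core@1.2.3": {"VCID-1223-3434-34343"}},
        {"VCID-1223-3434-34343": {"pkg:maven/org.apache.log4j/log4j-core@1.2.3",
                                 "pkg:maven/org.apache.log4j/log4j-core@1.2.4"}},
    ))
```

Because the same link is stored in two repos, `check_cross_references` is the kind of invariant a periodic job (or a pre-merge check) would want to run over both trees; an entry that exists on one side only is either a half-applied update or a stale reference.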