Description
- For VCS URLs that can be formed into PURLs as of today (github, bitbucket and gitlab), we will support them for code commit collection.
- For the types that we don't support, we will not create CodeCommits for them today; instead we store them as references for now as a fallback.
- We will also log these kinds of commits.
- We will have an improver that takes references with the associated advisories and tries to create valid code commits.
- Later, when we improve our parsing capabilities in url2purl for various VCS URL types, this improver will handle the rest.
- We will also store the commit diffs in our models.
```python
fixed_by_commits = [CommitV2(commit_hash="abcd", vcs_url="github/...")]
affected_commits = [CommitV2(commit_hash="abcd", vcs_url="github/...")]
affected_packages = [
    AffectedPackageV2(
        package=purl,
        fixed_by_commits=fixed_by_commits,  # was `fixed_commits`, an undefined name
        affected_by_commits=affected_commits,
    )
]
yield AdvisoryData(
    aliases=[vuln_id],
    affected_packages=affected_packages,  # already a list; do not wrap it in another list
    references=sorted(references),
    date_published=date_published,
    url=self.data_url,
)
```
- This is the valid design.
- We will introduce `fixed_by_commits` and `introduced_by_commits`.
- For an AffectedPackage dataclass object to be valid, it needs to have at least one of `affected_by_commits`, `fixed_by_commits`, `affecting_range` or `fixed_by_range`.
Reference:
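The following is an added illustration of the design sketched in this issue, not VulnerableCode's own code: a `CommitV2` / `AffectedPackageV2` shape with the "at least one of" validity rule, and a splitter that turns commit URLs on PURL-capable hosts into commits while keeping the rest as plain references and logging them. The host set, the field names, the `split_commit_urls` and `is_valid_affected_package` helpers and the sample URLs are all assumptions made for this example; the real url2purl rules are more involved than a hostname check.

```python
"""Added example (hypothetical, not VulnerableCode's own code)."""
import logging
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

logger = logging.getLogger(__name__)

# Hypothetical: hosts for which a PURL can be formed today (stands in for url2purl).
PURL_CAPABLE_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}


@dataclass(frozen=True)
class CommitV2:
    commit_hash: str
    vcs_url: str
    diff: Optional[str] = None  # the commit diff, stored alongside the commit

    def __post_init__(self):
        # Accept only an abbreviated or full hex object name (7..40 hex chars).
        h = self.commit_hash.lower()
        if not 7 <= len(h) <= 40 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"invalid commit hash: {self.commit_hash!r}")


@dataclass
class AffectedPackageV2:
    package: str  # a PURL string in this example
    affected_by_commits: List[CommitV2] = field(default_factory=list)
    fixed_by_commits: List[CommitV2] = field(default_factory=list)
    affecting_range: Optional[str] = None  # e.g. a vers: range string
    fixed_by_range: Optional[str] = None

    def __post_init__(self):
        # Validity rule from the issue: at least one of the four must be present.
        if not (self.affected_by_commits or self.fixed_by_commits
                or self.affecting_range or self.fixed_by_range):
            raise ValueError(f"{self.package}: needs commits or a version range")


def is_purl_capable(vcs_url: str) -> bool:
    host = (urlparse(vcs_url).hostname or "").lower()
    return host in PURL_CAPABLE_HOSTS


def split_commit_urls(commit_urls: List[str]) -> Tuple[List[CommitV2], List[str]]:
    """Return (commits, references).

    URLs on a PURL-capable host whose last path segment is a commit hash become
    CommitV2; everything else is logged and kept as a plain reference URL for a
    later improver to revisit.
    """
    commits: List[CommitV2] = []
    references: List[str] = []
    for url in commit_urls:
        if not is_purl_capable(url):
            logger.info("unsupported VCS URL kept as reference: %s", url)
            references.append(url)
            continue
        sha = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
        try:
            commits.append(CommitV2(commit_hash=sha, vcs_url=url))
        except ValueError:
            # Supported host, but no commit hash in the path (e.g. a pull request URL).
            logger.info("no commit hash in %s; kept as reference", url)
            references.append(url)
    return commits, references


def is_valid_affected_package(**kwargs) -> bool:
    """True if AffectedPackageV2(**kwargs) passes the validity rule."""
    try:
        AffectedPackageV2(**kwargs)
    except ValueError:
        return False
    return True


# Constructed sample input for this example.
SAMPLE_COMMIT_URLS = [
    "https://github.com/example/project/commit/0123456789abcdef0123456789abcdef01234567",
    "https://gitlab.com/example/project/-/commit/89abcdef01234567",
    "https://git.savannah.gnu.org/cgit/example.git/commit/?id=deadbeef",  # host not supported
    "https://github.com/example/project/pull/42",  # supported host, no commit hash
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    commits, references = split_commit_urls(SAMPLE_COMMIT_URLS)
    pkg = AffectedPackageV2(package="pkg:pypi/example", fixed_by_commits=commits)
    print(len(pkg.fixed_by_commits), "commits;", len(references), "references kept")
```

Running it on the constructed URLs yields two commits (the github and gitlab commit URLs) and two references (the cgit URL and the pull request URL), which is the fallback behaviour the issue describes; the improver would later pick the references back up once url2purl understands more URL shapes.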