Include affected platforms in stored vulnerability data

[haikoschol]

Some security issues only affect certain platform (as in operating systems, Linux distributions, etc.) The data model should include this information and allow querying for it to avoid false positives. The natural way to include this on the query side is with a platform qualifier on the package URL.

Here is an example of a vulnerability in a Rust crate that only affects Windows: https://github.com/RustSec/advisory-db/blob/master/crates/hyper/RUSTSEC-2016-0002.toml

[sbs2001]

This will be fixed, once we use JSONField for storing a purl's qualifiers right?

[haikoschol]

@sbs2001 I had completely forgotten about that plan. In some of the importers I merged as part of #123 I already included qualifiers. I'm not sure what implications that has for querying. I think we should still switch to a JSONField.

[sbs2001]

Coincidently, I was trying to do exactly that today, had the debian importer running for awhile ,which didn't finish due to powercut :( . I will try that once again.

[sbs2001]

Not working, it is storing the qualifiers as a single json string ie "distro=stretch" instead we want it be like {'distro':'stretch'}

[sbs2001]

Can be fixed easily in https://github.com/package-url/packageurl-python/blob/00b7df61173be3c19eb65ce166271aed0e9ae00c/src/packageurl/contrib/django_models.py#L123 by setting encode=False or not mentioning encode at all in PackageURL.to_dict()