feat: add support for an 'upstream' field in the models #3172
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jess-lowe
requested review from
a team and
hogo6002
and removed request for
a team
another-rex
reviewed
Feb 21, 2025
osv/models.py
Outdated
| @@ -762,7 +780,9 @@ def to_vulnerability(self, include_source=False, include_alias=True): | |||
| def to_vulnerability_async(self, include_source=False): | |||
There was a problem hiding this comment.
Do we want to add include_upstream and include_alias to the this function
hogo6002
reviewed
Feb 21, 2025
another-rex
reviewed
Feb 26, 2025
osv/models.py
Outdated
| @@ -259,6 +259,8 @@ class Bug(ndb.Model): | |||
| aliases: list[str] = ndb.StringProperty(repeated=True) | |||
| # Related IDs. | |||
| related: list[str] = ndb.StringProperty(repeated=True) | |||
| # Upstream IDs. | |||
| upstream: list[str] = ndb.StringProperty(repeated=True) | |||
There was a problem hiding this comment.
Please rename this to upstream_raw as described in the doc.
There was a problem hiding this comment.
Can you also expand the docstring above this to explain that this is upstream ids directly from the import and does not include any transitive upstreams.
osv/models.py
Outdated
| @@ -905,6 +934,16 @@ class AliasDenyListEntry(ndb.Model): | |||
| bug_id: str = ndb.StringProperty() | |||
|
|
|||
|
|
|||
| class UpstreamGroup(ndb.Model): | |||
| """Upstream group for storing transitive upstreams of a Bug""" | |||
There was a problem hiding this comment.
Can you expand the description here to explain why this is in a separate table rather than directly on the bug entry itself?
I.e. to prevent additional race conditions, by having it in a separate table only worker will modify Bug's directly.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR aims to prepare the models.py file to support the 'upstream' field to be introduced by ossf/osv-schema#312. Part of addressing #3052
This will calculate all of the transitive upstream dependencies of a given CVE. Hierarchy will be calculated and determined by the frontend in a later PR.