Fix the methods for finding vulnerable package versions/callables in MetadataDao #433
Conversation
@mir-am It is not true that vulnerability metadata is no longer inserted into callables and package-versions. That still happens, but the inserted data is more limited than before.

But it's still a good idea to use the vulnerability tables instead of the JSON metadata field. So this change LGTM. There are some build errors to be fixed, however.

Thanks for looking into the PR.

Sorry, I was not aware that the Jacoco version bump had an effect on the build, it was running locally and also on the Windows GitHub runner... the problem should be fixed now (see #435).
42778db to fdb91f0
@MagielBruntink, We've fixed the build error. Can I proceed with merging the PR?

Go ahead!
Description
Specifically, this PR makes changes to the findVulnerablePackageVersions and findVulnerableCallables methods by using the vulnerability tables introduced in #316.
Motivation and context
After the merge of #316, the vulnerabilities field is no longer stored in the metadata field of the package_versions and callables. Therefore, it is necessary to adapt the mentioned methods for finding vulnerable package versions/callables.
Testing
Tested with several vulnerable package versions and callables using the production metadata DB.
Additional context
The method findVulnerablePackageVersions needs this fix for the vulnerability chain finder here.