In order to minimize changes for v6, there was not much changed between `Vulnerability` and `VulnerabilityMetadata`: `FindVulnerabilities` returns `Vulnerability` objects, and these are later used to fetch `VulnerabilityMetadata`. I believe the reason for this split was to help performance in v5 databases, where a list of vulnerabilities was returned prior to any filtering, including version filtering. Hydrating these with data from the database can be an expensive and unnecessary process, since many queries were returning hundreds of records only to have them filtered out due to version constraints that don't match, and hydrating all the data for these vulnerabilities, including the metadata, can be expensive, especially when there are thousands of packages returning hundreds of vulnerabilities each. However, v6 optimizes fetching in some different ways, and I believe it should simply fill out the `VulnerabilityMetadata` on returned `Vulnerabilities` as the last step before returning them, since this data is almost always used later -- it's the only way to get a severity, for example, which I think is used by every output format. We could both simplify the `VulnerabilityProvider` interface and make the code more robust, since it doesn't have to look up metadata later, potentially returning nothing -- a process that requires metadata would simply be able to access this on the vulnerability directly. I believe this change could also allow us to remove the `Internal` field on the vulnerability `Reference` object, since we wouldn't need to do further lookups in the database.
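As an added illustration of the shape proposed in this issue (example code written for this page, not the project's own types, provider or database schema): a hypothetical in-memory provider that applies the cheap package-name and version filters first and hydrates `VulnerabilityMetadata` only for the rows that survive, as the last step before returning, so that every returned `Vulnerability` already carries its metadata and a missing record fails at fetch time instead of surfacing as a nil later. The struct fields, the integer `FixedIn` stand-in for a version constraint, the `memStore` type and the sample rows are all constructed assumptions.

```go
package main

import "fmt"

// VulnerabilityMetadata is a hypothetical, simplified stand-in for the
// project's metadata record (constructed for this example).
type VulnerabilityMetadata struct {
	Severity    string
	Description string
}

// Vulnerability carries its metadata directly, so callers never do a second
// database lookup. FixedIn is a constructed stand-in for a real version
// constraint: a package version is affected when version < FixedIn.
type Vulnerability struct {
	ID          string
	PackageName string
	FixedIn     int
	Metadata    *VulnerabilityMetadata // always populated on returned values
}

// VulnerabilityProvider returns vulnerabilities with Metadata already filled in.
type VulnerabilityProvider interface {
	FindVulnerabilities(pkgName string, version int) ([]Vulnerability, error)
}

// memStore simulates a database with a cheap vulnerability index and a
// separate, expensive-to-read metadata table.
type memStore struct {
	rows            []Vulnerability
	metadata        map[string]VulnerabilityMetadata
	metadataLookups int // rows hydrated so far; proves filtering ran first
}

var _ VulnerabilityProvider = (*memStore)(nil)

func (s *memStore) FindVulnerabilities(pkgName string, version int) ([]Vulnerability, error) {
	var matches []Vulnerability
	for _, row := range s.rows {
		// Apply the cheap filters (package name, version constraint) before
		// touching the metadata table at all.
		if row.PackageName != pkgName || version >= row.FixedIn {
			continue
		}
		matches = append(matches, row)
	}
	// Hydrate metadata as the last step, only for rows that survived filtering.
	// A missing record is an error here rather than a nil that a later
	// consumer has to cope with.
	for i := range matches {
		md, ok := s.metadata[matches[i].ID]
		if !ok {
			return nil, fmt.Errorf("no metadata for %s", matches[i].ID)
		}
		s.metadataLookups++
		matches[i].Metadata = &md
	}
	return matches, nil
}

// Severities shows a consumer reading severity off the vulnerability directly,
// with no provider lookup of its own.
func Severities(vulns []Vulnerability) []string {
	out := make([]string, 0, len(vulns))
	for _, v := range vulns {
		out = append(out, v.Metadata.Severity)
	}
	return out
}

// newConstructedStore builds sample data (constructed, not real advisories).
func newConstructedStore() *memStore {
	return &memStore{
		rows: []Vulnerability{
			{ID: "VULN-A", PackageName: "libfoo", FixedIn: 3},
			{ID: "VULN-B", PackageName: "libfoo", FixedIn: 1},
			{ID: "VULN-C", PackageName: "libbar", FixedIn: 5},
			{ID: "VULN-D", PackageName: "libbaz", FixedIn: 9}, // deliberately has no metadata row
		},
		metadata: map[string]VulnerabilityMetadata{
			"VULN-A": {Severity: "High", Description: "constructed example"},
			"VULN-B": {Severity: "Low", Description: "constructed example"},
			"VULN-C": {Severity: "Medium", Description: "constructed example"},
		},
	}
}

func main() {
	s := newConstructedStore()
	vulns, err := s.FindVulnerabilities("libfoo", 2)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(Severities(vulns), "hydrated:", s.metadataLookups)
}
```

Querying `libfoo` at version 2 matches only `VULN-A` (version 2 is below its `FixedIn` of 3 but not below `VULN-B`'s 1), so exactly one metadata row is read even though two rows exist for the package; querying `libbaz` surfaces the missing metadata as an error from the provider itself.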