-
Notifications
You must be signed in to change notification settings - Fork 644
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[nonGallery] Ingest withdrawn data in GitHub GraphQL #8544
Conversation
nextAdvisory.UpdatedAt = advisory.UpdatedAt; | ||
nextAdvisory.WithdrawnAt = advisory.WithdrawnAt; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this cause a vulnerability to stop showing up on PackageDetails page? V3 feed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's right. It's a deletion in the db.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The deletion in the DB will flow to V3 only if the package edit time gets updated (as far as I know). Will it be?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes--withdrawn advisories (and I've just sanity-tested this) enter the remove side of this block, and any package added to this collection will have its lastedited time updated:
NuGetGallery/src/NuGetGallery.Services/PackageManagement/PackageVulnerabilitiesManagementService.cs
Line 159 in 280f083
packagesToUpdate.UnionWith(vulnerablePackages); |
dea91d7
to
4cb4bed
Compare
Addresses: #8474
All of the logic exists in the service and UTs for processing the withdrawn field, but it needs to be added to the query.
Note that there are no withdrawn advisories for NuGet packages at this time, but we need this in place.