Closed
from @tdruez
The current implementation of the fixed_packages on the package endpoint is not convenient for the data consumer:
```
{
    'purl': 'pkg:npm/%40theia/plugin-ext@0.9.0-next.007f41ae',
    'affected_by_vulnerabilities': [{
        'summary': 'Insufficient Verification of Data Authenticity',
        'vulnerability_id': 'VULCOID-AWK',
    }],
    'fixed_packages': [{
        'fixing_vulnerabilities': [{
            'url': 'http://public.vulnerablecode.io/api/vulnerabilities/14132?format=json',
            'vulnerability_id': 'VULCOID-AWK',
        }],
        'purl': 'pkg:npm/%40theia/plugin-ext@1.18.0',
        'url': 'http://public.vulnerablecode.io/api/packages/136169?format=json',
    }],
}
```
To make use of this data, one has to reconcile both the affected_by_vulnerabilities and fixed_packages data structures through the vulnerability_id.
This makes the data hard to use for display.
A better way would be to include the fixed_packages in the affected_by_vulnerabilities data structure (which seems to be the current implementation on the vulnerabilities endpoint), such as:
```
{
    'purl': 'pkg:npm/%40theia/plugin-ext@0.9.0-next.007f41ae',
    'affected_by_vulnerabilities': [{
        'summary': 'Insufficient Verification of Data Authenticity',
        'vulnerability_id': 'VULCOID-AWK',
        'fixed_packages': [{
            'purl': 'pkg:npm/%40theia/plugin-ext@1.18.0',
            'url': 'http://public.vulnerablecode.io/api/packages/136169?format=json',
        }],
    }],
}
```
@TG1999 any thoughts on this?