Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backend: Fix duplicate reference urls(#343) #408

Closed
wants to merge 2 commits into from

Conversation

savish28
Copy link
Contributor

Fix: #343.

The following changes are been proposed in this PR:

  • Saving URLs in canonical form ('http://foo.com/?b=2&a=1&d=3' -> 'http://foo.com/?a=1&b=2&d=3'
  • If provided url is http but we already have the url with https we ignore the http url.
  • If provided url is https but we already have the url with http we replace the http url with https one

Signed-off-by: savish <savishbedi1@gmail.com>
@savish28
Copy link
Contributor Author

@sbs2001 ping. Could you please review the PR.

@sbs2001
Copy link
Collaborator

sbs2001 commented Mar 31, 2021

@savish28 I'm not really sure how much of impact this is going to have on the db side things, since we are doing more queries per save. The imports are already slow enough.

So here's what I suggest. Keep the url normalization part in the save method. The scheme thing, should be moved into a separate job/command, https://docs.djangoproject.com/en/3.1/howto/custom-management-commands/ .

Copy link
Collaborator

@sbs2001 sbs2001 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@savish28 as mentioned in the comment, keep the url normalization in the save method.

Move scheme inference thing t management command

@@ -110,6 +111,38 @@ class VulnerabilityReference(models.Model):
def scores(self):
return VulnerabilitySeverity.objects.filter(reference=self.id)

def save(self, *args, **kwargs):
if self.id:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean any update would go through straight ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sbs2001 Yes. Because whenever we add a new object we might need to update a previously saved object and if we don't do this it might go into an infinite loop.

Comment on lines +118 to +119
url_parsed = urlpy.parse(self.url)
self.url = str(url_parsed.canonical())
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this handle the case where self.url=None ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or self.url=""

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the code. It returned "/" for the same but keeping "" for "" would make more sense so updated the changes.

self.url = str(url_parsed.canonical())
url_scheme = url_parsed.scheme
scheme_independent_url = self.url[len(url_scheme) :]
if url_scheme == "http":
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block should be broken down into a separate function.

).first()
if not similar_instance:
super(VulnerabilityReference, self).save(*args, **kwargs)
elif url_scheme == "https":
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, This block should be broken down into a separate function.

).first()
if similar_instance:
similar_instance.url = self.url
similar_instance.save()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return similar_instance.save() would be better here for readability

similar_instance.url = self.url
similar_instance.save()
else:
super(VulnerabilityReference, self).save(*args, **kwargs)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use a return here

else:
super(VulnerabilityReference, self).save(*args, **kwargs)
else:
super(VulnerabilityReference, self).save(*args, **kwargs)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, for the computers it doesn't make difference, but when reading I don't have to verify whether the return value is correct.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@savish28 I'm not really sure how much of impact this is going to have on the db side things, since we are doing more queries per save. The imports are already slow enough.

So here's what I suggest. Keep the url normalization part in the save method. The scheme thing, should be moved into a separate job/command, https://docs.djangoproject.com/en/3.1/howto/custom-management-commands/ .

@sbs2001 So, a nice idea, Does this mean that the command/job python manage.py job_name have to be called explicitly by the admin to run the following job and it would go through all the entries and it would update the db. I think it can be extended in two ways:-

  1. If no arguments are passed then all the entries are looked upon and are checked.
  2. If arguments like id/Vulnerability/source etc are passed and only filtered objects are processed.

I think that in this case, each run would cost O(N) queries and would not be automated.

But in the save method update, it would cost 1 extra query per update and would be automated. So I think query wise the override save method is more time-efficient and more automated.

What would be your suggestion in the case and if we are going with the job idea, does the proposed method would work?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@savish28

called explicitly by the admin

We could get clever by running the job after each import, so this is a non-issue, I guess.

  1. If no arguments are passed then all the entries are looked upon and are checked.
  1. If arguments like id/Vulnerability/source etc are passed and only filtered objects are processed.

Btw I want to remove the source thing when I get time :) it's not populated anywhere and is a bad way to keep track of source(s) . With that out of the way, what would be the use case of (2) ? In almost all cases (1) would be used.

each run would cost O(N) queries

IMHO that can be done 1 + (no of duplicates) . One query to fetch all references (just the id and url columns) . Iterate over all records from server side, check for dups in the already fetched records. If a dup is found follow the procedure along the lines of what you're doing here, so that's gonna cost 1 DELETE query per dup.

Dups are rare anyways so it won't be O(N) .

it would cost 1 extra query per update

IMHO that'd be 1 extra query per insert/ (save method invocation in most cases )

Copy link
Contributor Author

@savish28 savish28 Mar 31, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohh okay, I get the idea. We are importing all the data and then doing this job. This would result in more efficiency rather than doing operation at each save.

So I guess these are the deliverables now,

  • Create Job for removing duplicates.
  • Add functionality to run the job after each import.
    Does this seem right? @sbs2001

Signed-off-by: savish <savishbedi1@gmail.com>
@sbs2001
Copy link
Collaborator

sbs2001 commented Mar 31, 2021

@savish28 I just realized there's a third way to do this which would be even better.

Let's move your logic in a wrapper method like _get_or_create_keep_secure (this a bad name, need to discuss this more). We don't use save method explicitly anyways. https://github.com/nexB/vulnerablecode/blob/dfb1ab5558c597240573988cb981b498f98a964c/vulnerabilities/import_runner.py#L127 that's where refs get created. A get_or_create results in 2 queries, we can replace that with _get_or_create_keep_secure .Your logic is essentially create_keep_secure part, need to implement the get part .

So as far as queries are concerned _get_or_create_keep_secure would atmost require 2 queries which is same as that of get_or_create.

@sbs2001
Copy link
Collaborator

sbs2001 commented Apr 22, 2021

@savish28 ping :)

@pombredanne
Copy link
Member

@savish28 gentle ping.

@pombredanne
Copy link
Member

@savish28 do you think you want to complete and bring this to a mergeable state?
Otherwise we may close for now and you can reopen later.

@savish28
Copy link
Contributor Author

@savish28 do you think you want to complete and bring this to a mergeable state?
Otherwise we may close for now and you can reopen later.

@pombredanne Sure, closing this PR for now.

@savish28 savish28 closed this Jul 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Deal with duplicate reference urls
3 participants