/// <summary>
/// Reconciles the version ranges already stored on <paramref name="existingVulnerability"/>
/// with the ranges carried by the freshly fetched <paramref name="vulnerability"/>:
/// stored ranges that no longer appear are removed, stored ranges whose first patched
/// version changed are updated in place, and ranges that only appear in the fetched
/// vulnerability are attached and persisted.
/// </summary>
/// <param name="vulnerability">The incoming (fetched) vulnerability whose ranges are authoritative.</param>
/// <param name="existingVulnerability">The vulnerability entity already tracked by <c>_entitiesContext</c>.</param>
/// <param name="packagesToUpdate">
/// Accumulator for packages whose vulnerability state changed; packages of removed or
/// re-patched ranges are added here, and the set is handed to
/// <c>ProcessNewVulnerabilityRange</c> for added ranges.
/// </param>
private void UpdateRangesOfPackageVulnerability(PackageVulnerability vulnerability, PackageVulnerability existingVulnerability, HashSet<Package> packagesToUpdate)
{
    var comparer = new RangeForSameVulnerabilityEqualityComparer();

    // Pass 1: walk a snapshot of the stored ranges, since the loop body removes from the live collection.
    foreach (var storedRange in existingVulnerability.AffectedRanges.ToList())
    {
        // SingleOrDefault: the fetched ranges are expected to hold at most one match per stored range
        // (a duplicate would surface as an InvalidOperationException rather than a silent pick).
        var incomingRange = vulnerability.AffectedRanges
            .SingleOrDefault(candidate => comparer.Equals(storedRange, candidate));

        if (incomingRange is null)
        {
            // Range disappeared from the fetched vulnerability: drop it and mark its packages for re-evaluation.
            _logger.LogInformation(
                "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is no longer vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                storedRange.PackageId,
                storedRange.PackageVersionRange,
                vulnerability.GitHubDatabaseKey);

            _entitiesContext.VulnerableRanges.Remove(storedRange);
            existingVulnerability.AffectedRanges.Remove(storedRange);
            packagesToUpdate.UnionWith(storedRange.Packages);
            continue;
        }

        // Range still present: only the first patched version is synchronised here.
        if (storedRange.FirstPatchedPackageVersion == incomingRange.FirstPatchedPackageVersion)
        {
            continue;
        }

        storedRange.FirstPatchedPackageVersion = incomingRange.FirstPatchedPackageVersion;
        packagesToUpdate.UnionWith(storedRange.Packages);
    }

    // Pass 2: ranges present only in the fetched vulnerability are new and must be persisted.
    var addedRanges = vulnerability.AffectedRanges
        .Except(existingVulnerability.AffectedRanges, comparer)
        .ToList();

    foreach (var addedRange in addedRanges)
    {
        _logger.LogInformation(
            "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is now vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
            addedRange.PackageId,
            addedRange.PackageVersionRange,
            vulnerability.GitHubDatabaseKey);

        // The back-reference must be set before the range is added to the context;
        // adding first causes index uniqueness conflicts.
        addedRange.Vulnerability = existingVulnerability;
        _entitiesContext.VulnerableRanges.Add(addedRange);
        existingVulnerability.AffectedRanges.Add(addedRange);
        ProcessNewVulnerabilityRange(addedRange, packagesToUpdate);
    }
}
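/// <summary>
/// Reconciles the version ranges already stored on <paramref name="existingVulnerability"/>
/// with the ranges carried by the freshly fetched <paramref name="vulnerability"/>:
/// ranges that only appear in the fetched vulnerability are attached and persisted,
/// stored ranges that still appear have their first patched version synchronised,
/// and stored ranges that no longer appear are removed.
/// </summary>
/// <param name="vulnerability">The incoming (fetched) vulnerability whose ranges are authoritative.</param>
/// <param name="existingVulnerability">The vulnerability entity already tracked by <c>_entitiesContext</c>.</param>
/// <param name="packagesToUpdate">
/// Accumulator for packages whose vulnerability state changed; packages of removed or
/// re-patched ranges are added here, and the set is handed to
/// <c>ProcessNewVulnerabilityRange</c> for added ranges.
/// </param>
/// <remarks>
/// Two fixes over the earlier form of this method: (1) a new range gets its
/// <c>Vulnerability</c> back-reference assigned before it is added to the context, because
/// adding it first causes index uniqueness conflicts; (2) a stored range that is still
/// present but whose first patched version changed is updated in place instead of being
/// left stale, and its packages are queued for re-evaluation.
/// </remarks>
private void UpdateRangesOfPackageVulnerability(PackageVulnerability vulnerability, PackageVulnerability existingVulnerability, HashSet<Package> packagesToUpdate)
{
    var rangeComparer = new RangeForSameVulnerabilityEqualityComparer();

    // Any new ranges in the updated vulnerability need to be added to the database.
    var newRanges = vulnerability.AffectedRanges
        .Except(existingVulnerability.AffectedRanges, rangeComparer)
        .ToList();

    foreach (var newRange in newRanges)
    {
        _logger.LogInformation(
            "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is now vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
            newRange.PackageId,
            newRange.PackageVersionRange,
            vulnerability.GitHubDatabaseKey);

        // The back-reference must be set before the range reaches the context;
        // adding first causes index uniqueness conflicts.
        newRange.Vulnerability = existingVulnerability;
        _entitiesContext.VulnerableRanges.Add(newRange);
        existingVulnerability.AffectedRanges.Add(newRange);
        ProcessNewVulnerabilityRange(newRange, packagesToUpdate);
    }

    // Walk a snapshot of the stored ranges, since the loop body removes from the live collection.
    foreach (var existingRange in existingVulnerability.AffectedRanges.ToList())
    {
        // SingleOrDefault: at most one fetched range is expected to match a stored one;
        // a duplicate surfaces as an InvalidOperationException rather than a silent pick.
        var updatedRange = vulnerability.AffectedRanges
            .SingleOrDefault(r => rangeComparer.Equals(existingRange, r));

        if (updatedRange is null)
        {
            // Any ranges that are missing from the updated vulnerability need to be removed.
            _logger.LogInformation(
                "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is no longer vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                existingRange.PackageId,
                existingRange.PackageVersionRange,
                vulnerability.GitHubDatabaseKey);

            _entitiesContext.VulnerableRanges.Remove(existingRange);
            existingVulnerability.AffectedRanges.Remove(existingRange);
            packagesToUpdate.UnionWith(existingRange.Packages);
            continue;
        }

        // Any range that had its first patched version updated needs to be updated,
        // and its packages re-evaluated, otherwise the stored advisory stays stale.
        if (existingRange.FirstPatchedPackageVersion != updatedRange.FirstPatchedPackageVersion)
        {
            existingRange.FirstPatchedPackageVersion = updatedRange.FirstPatchedPackageVersion;
            packagesToUpdate.UnionWith(existingRange.Packages);
        }
    }
}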