        /// <summary>
        /// Reconciles the version ranges tracked on <paramref name="existingVulnerability"/> with the
        /// ranges carried by the incoming <paramref name="vulnerability"/>: ranges that disappeared are
        /// removed, ranges whose first patched version changed are updated in place, and ranges that
        /// are new are attached and persisted.
        /// </summary>
        /// <param name="vulnerability">The freshly received vulnerability whose ranges are authoritative.</param>
        /// <param name="existingVulnerability">The already-tracked vulnerability entity to bring in line.</param>
        /// <param name="packagesToUpdate">Collects every package covered by a removed or changed range so its
        /// vulnerability status can be recomputed by the caller.</param>
        private void UpdateRangesOfPackageVulnerability(PackageVulnerability vulnerability, PackageVulnerability existingVulnerability, HashSet <Package> packagesToUpdate)
        {
            var sameRange = new RangeForSameVulnerabilityEqualityComparer();

            // Snapshot the tracked ranges so entries can be removed from the live collection mid-loop.
            var trackedRanges = existingVulnerability.AffectedRanges.ToList();
            foreach (var trackedRange in trackedRanges)
            {
                // SingleOrDefault: a duplicate range on the incoming vulnerability is treated as bad input.
                var incomingRange = vulnerability.AffectedRanges
                                    .SingleOrDefault(candidate => sameRange.Equals(trackedRange, candidate));

                if (incomingRange is null)
                {
                    // The incoming vulnerability no longer lists this range: drop it from the context and
                    // from the entity, and flag the packages it covered for re-evaluation.
                    _logger.LogInformation(
                        "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is no longer vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                        trackedRange.PackageId,
                        trackedRange.PackageVersionRange,
                        vulnerability.GitHubDatabaseKey);

                    _entitiesContext.VulnerableRanges.Remove(trackedRange);
                    existingVulnerability.AffectedRanges.Remove(trackedRange);
                    packagesToUpdate.UnionWith(trackedRange.Packages);
                    continue;
                }

                // Same range on both sides; nothing to do unless the first patched version moved.
                if (trackedRange.FirstPatchedPackageVersion == incomingRange.FirstPatchedPackageVersion)
                {
                    continue;
                }

                trackedRange.FirstPatchedPackageVersion = incomingRange.FirstPatchedPackageVersion;
                packagesToUpdate.UnionWith(trackedRange.Packages);
            }

            // Ranges present only on the incoming vulnerability are new and must be persisted.
            var addedRanges = vulnerability.AffectedRanges
                              .Except(existingVulnerability.AffectedRanges, sameRange)
                              .ToList();

            foreach (var addedRange in addedRanges)
            {
                _logger.LogInformation(
                    "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is now vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                    addedRange.PackageId,
                    addedRange.PackageVersionRange,
                    vulnerability.GitHubDatabaseKey);

                // Re-parent the range onto the tracked entity before the context sees it;
                // adding it first leads to index uniqueness conflicts.
                addedRange.Vulnerability = existingVulnerability;
                _entitiesContext.VulnerableRanges.Add(addedRange);
                existingVulnerability.AffectedRanges.Add(addedRange);
                ProcessNewVulnerabilityRange(addedRange, packagesToUpdate);
            }
        }
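        /// <summary>
        /// Reconciles the version ranges tracked on <paramref name="existingVulnerability"/> with the
        /// ranges carried by the incoming <paramref name="vulnerability"/>: new ranges are attached and
        /// persisted, and ranges that disappeared are removed. Ranges that exist on both sides are left
        /// untouched by this version (their first patched version is not refreshed).
        /// </summary>
        /// <param name="vulnerability">The freshly received vulnerability whose ranges are authoritative.</param>
        /// <param name="existingVulnerability">The already-tracked vulnerability entity to bring in line.</param>
        /// <param name="packagesToUpdate">Collects every package covered by a removed range (and whatever
        /// <see cref="ProcessNewVulnerabilityRange"/> adds for new ranges) so its status can be recomputed.</param>
        private void UpdateRangesOfPackageVulnerability(PackageVulnerability vulnerability, PackageVulnerability existingVulnerability, HashSet <Package> packagesToUpdate)
        {
            var rangeComparer = new RangeForSameVulnerabilityEqualityComparer();

            // Any new ranges in the updated vulnerability need to be added to the database.
            var newRanges = vulnerability.AffectedRanges
                            .Except(existingVulnerability.AffectedRanges, rangeComparer)
                            .ToList();

            // Re-parent every new range onto the tracked entity BEFORE handing the batch to the
            // context. Adding ranges that still point at the incoming (untracked) vulnerability
            // and fixing the reference afterwards causes index uniqueness conflicts.
            foreach (var newRange in newRanges)
            {
                newRange.Vulnerability = existingVulnerability;
            }

            _entitiesContext.VulnerableRanges.AddRange(newRanges);
            foreach (var newRange in newRanges)
            {
                _logger.LogInformation(
                    "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is now vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                    newRange.PackageId,
                    newRange.PackageVersionRange,
                    vulnerability.GitHubDatabaseKey);

                existingVulnerability.AffectedRanges.Add(newRange);
                ProcessNewVulnerabilityRange(newRange, packagesToUpdate);
            }

            // Any ranges that are missing from the updated vulnerability need to be removed.
            // Computed after the additions above; the just-added ranges are equal under the
            // comparer to their incoming counterparts and are therefore not selected here.
            var missingRanges = existingVulnerability.AffectedRanges
                                .Except(vulnerability.AffectedRanges, rangeComparer)
                                .ToList();

            _entitiesContext.VulnerableRanges.RemoveRange(missingRanges);
            foreach (var missingRange in missingRanges)
            {
                _logger.LogInformation(
                    "ID {VulnerablePackageId} and version range {VulnerablePackageVersionRange} is no longer vulnerable to vulnerability with GitHub key {GitHubDatabaseKey}",
                    missingRange.PackageId,
                    missingRange.PackageVersionRange,
                    vulnerability.GitHubDatabaseKey);

                existingVulnerability.AffectedRanges.Remove(missingRange);
                // Packages that were covered by the dropped range must be re-evaluated by the caller.
                packagesToUpdate.UnionWith(missingRange.Packages);
            }
        }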