
Improve the "Add Package" process on the Package Vulnerabilities tab #14

Closed
DennisClark opened this issue Dec 8, 2023 · 4 comments · Fixed by #47
Labels
design needed Design details needed to complete the issue enhancement New feature or request HighPriority High Priority integration Integration with other applications vulnerabilities Vulnerability Management
Milestone

Comments

@DennisClark
Member

When you view the Vulnerabilities tab of a Package (see example screenshot) it presents the purl(s) of Fixed package(s) when available. If the Fixed package is not defined in your dataspace, it activates a + icon to enable an "Add Package" process, which currently presents the Add Package form with only the available purl fields populated. An improved process would do the following (or something better and equivalent):

  • Use the purl to search the PurlDB (the one integrated with the current DejaCode Dataspace) for a match and, if found, fetch the data of the PurlDB entry to populate the Add Package form.
  • If no Download URL is available, attempt to infer it from the available data.
  • Initiate a scan when the new package is saved.

This improved process takes advantage of available integrations (VCIO, SCIO) and data resources when adding a new Package to DejaCode.

Example Package Vulnerabilities tab
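The three-step process described in the issue (look up the purl in PurlDB, fall back to inferring a download URL, flag the package for a scan on save), as an added illustration that is not DejaCode or PurlDB code. The PurlDB lookup is a constructed in-memory dictionary standing in for the real API call, the form field names are assumptions, and the download-URL patterns are the public registry conventions for npm, Maven Central, crates.io and RubyGems; any inferred URL is reported as inferred so a reviewer can verify it before the scan runs.

```python
"""Populate an "Add Package" form from a purl: prefer PurlDB data, infer a
download URL when none is available, and mark the package for scanning.
Added example, not DejaCode/PurlDB code; the lookup is a constructed stand-in."""
from urllib.parse import parse_qsl, unquote

# Constructed stand-in for a PurlDB query result keyed by purl. A real
# deployment would query the PurlDB instance configured for the Dataspace.
FAKE_PURLDB = {
    "pkg:npm/lodash@4.17.21": {
        "license_expression": "mit",
        "homepage_url": "https://lodash.com/",
        "download_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "primary_language": "JavaScript",
    },
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0": {
        "license_expression": "apache-2.0",
        "homepage_url": "https://commons.apache.org/proper/commons-lang/",
        # no download_url on purpose: exercises the inference fallback
    },
}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into fields."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    ptype, _, rest = rest.partition("/")
    # The version is the part after the last '@'; a scoped npm namespace is
    # percent-encoded (%40angular) so it cannot be confused with the version.
    rest, sep, version = rest.rpartition("@")
    if not sep:
        rest, version = version, ""
    parts = [unquote(p) for p in rest.split("/") if p]
    return {
        "type": ptype.lower(),
        "namespace": "/".join(parts[:-1]),
        "name": parts[-1],
        "version": unquote(version),
        "qualifiers": dict(parse_qsl(query)),
        "subpath": unquote(subpath),
    }


def infer_download_url(p):
    """Best-effort download URL from public registry conventions; None if unknown."""
    t, ns, name, v = p["type"], p["namespace"], p["name"], p["version"]
    if not v:
        return None
    if t == "npm":
        scoped = f"{ns}/{name}" if ns else name
        return f"https://registry.npmjs.org/{scoped}/-/{name}-{v}.tgz"
    if t == "maven" and ns:
        group_path = ns.replace(".", "/")
        return f"https://repo1.maven.org/maven2/{group_path}/{name}/{v}/{name}-{v}.jar"
    if t == "cargo":
        return f"https://crates.io/api/v1/crates/{name}/{v}/download"
    if t == "gem":
        return f"https://rubygems.org/downloads/{name}-{v}.gem"
    return None


def build_add_package_form(purl, purldb_lookup=FAKE_PURLDB.get):
    """Return (form_fields, info_messages) for the Add Package form."""
    p = parse_purl(purl)
    form = {k: p[k] for k in ("type", "namespace", "name", "version", "subpath")}
    form["qualifiers"] = "&".join(f"{k}={v}" for k, v in p["qualifiers"].items())
    messages = []
    record = purldb_lookup(purl)
    if record:
        # PurlDB data only fills fields the purl itself did not provide.
        for field, value in record.items():
            if value and not form.get(field):
                form[field] = value
        messages.append("Info: Initial data fetched from PurlDB.")
    else:
        messages.append("Info: No PurlDB match; form populated from purl fields only.")
    if not form.get("download_url"):
        inferred = infer_download_url(p)
        if inferred:
            form["download_url"] = inferred
            messages.append("Info: Download URL inferred from purl; verify before scanning.")
    # A scan can only be started on save when there is something to fetch.
    form["scan_on_save"] = bool(form.get("download_url"))
    return form, messages


if __name__ == "__main__":
    for purl in FAKE_PURLDB:
        fields, notes = build_add_package_form(purl)
        print(purl, fields, notes, sep="\n  ")
```

The merge order matters: fields parsed from the purl win over PurlDB values, PurlDB values win over inference, and inference only runs when no download URL is known, so a record that PurlDB already vetted is never overwritten by a guessed registry URL.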
@DennisClark DennisClark added enhancement New feature or request vulnerabilities Vulnerability Management design needed Design details needed to complete the issue integration Integration with other applications labels Dec 8, 2023
@DennisClark DennisClark added this to the DejaCode 5.1 milestone Dec 8, 2023
@DennisClark DennisClark added the HighPriority High Priority label Dec 12, 2023
@DennisClark DennisClark added the Top Priority (Max 3 per Release) Focus for a release label Jan 4, 2024
@tdruez tdruez changed the title Imrove the "Add Package" process on the Package Vulnerabilities tab Improve the "Add Package" process on the Package Vulnerabilities tab Feb 12, 2024
tdruez added a commit that referenced this issue Feb 12, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Feb 12, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Feb 12, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
@DennisClark
Member Author

nice message: Info: Initial data fetched from PurlDB.

@DennisClark
Member Author

Package Integration with PurlDB
When viewing the Vulnerabilities tab of a vulnerable package, if a Fixed package is not defined in your dataspace, DejaCode activates a + icon to enable an "Add Package" process, which is now enhanced to query the PurlDB to get package details already available there.

@DennisClark
Member Author

@tdruez everything looks good in Staging Starship, thanks.

@DennisClark
Member Author

Final comment: this is a great improvement!

tdruez added a commit that referenced this issue Feb 12, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez tdruez removed the Top Priority (Max 3 per Release) Focus for a release label Jul 8, 2024