feat(nvd): improve ranges to include metadata in db_specific of CPE used to extract it #5103
Merged
jess-lowe merged 42 commits into google:master, Apr 9, 2026
Conversation
another-rex reviewed Mar 23, 2026
a808360 to 7d30cdf
another-rex previously approved these changes Mar 25, 2026
another-rex reviewed Apr 7, 2026
another-rex (Contributor) left a comment:
Nice! There's a lot of logic here, I tried my best.
| // Check if the repo URL has changed (e.g. via redirect) | ||
| canonicalRepo, err := ValidateAndCanonicalizeLink(repo, httpClient) | ||
| canonicalRepo, err := git.FindCanonicalLink(repo, httpClient, repoTagsCache) |
another-rex (Contributor):
Here you are passing in repoTagsCache directly (and FindCanonicalLink doesn't check if it's nil or not), but below you are checking whether repoTagsCache is nil. If it cannot be nil here, please remove the nil checks below.
| if err != nil { | ||
| return "", err | ||
| } | ||
| cache.SetCanonicalLink(link, canonicalLink) |
another-rex (Contributor):
Should this be caching errors as well to avoid retrying links that error?
| // If the reference is a commit URL, the repo is inherently useful (but only if the repo still ultimately works). | ||
| _, err = Commit(ref.URL) | ||
| // Check if it was previously found to be bad: | ||
| if repoTagsCache != nil && repoTagsCache.IsInvalid(repo) { |
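Review bot: `err` from `_, err = Commit(ref.URL)` is assigned but not examined in the lines shown before execution moves on to the `repoTagsCache.IsInvalid(repo)` check. The comment above the call ("only if the repo still ultimately works") suggests the Commit result and the invalid-check are meant to be combined, so make that explicit right after the call, e.g. `if err != nil || (repoTagsCache != nil && repoTagsCache.IsInvalid(repo))`, and make sure nothing in between reassigns `err` before it is read. Consider also testing IsInvalid first, so a repo already known to be bad skips the Commit call entirely.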
another-rex (Contributor):
Do we want to also call this before the FindCanonicalLink so that we can skip a network request if we know it's bad?
Also, this is checking if repoTagsCache is nil again, when would this happen?
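To make the two points raised in this review thread concrete (remembering lookups that failed so they are not retried, and consulting the known-bad set before any network request), here is an added example that is not osv.dev's code. It is a small canonical-link cache with a negative side. The names LinkCache, NewLinkCache, IsInvalid, FindCanonicalLink, Resolver, NewCountingResolver, ErrNotFound and ErrKnownBad are this example's own (IsInvalid and FindCanonicalLink borrow the hunk's names for readability only; the real signatures are not shown on this page), and the resolver is a constructed stand-in for the network. It goes one step past the thread by distinguishing permanent from transient failures, since negative-caching a timeout would hide a repository that is merely slow.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNotFound is what the resolver returns for a repository that is gone
// (an HTTP 404/410 in a real pipeline); only this class of failure is cached.
var ErrNotFound = errors.New("repository not found")

// ErrKnownBad marks a lookup that was short-circuited by the negative cache.
var ErrKnownBad = errors.New("repository previously found to be bad")

// Resolver follows redirects and returns the canonical repository URL. In a real
// pipeline this is a network call; here it is injected so the cache runs offline.
type Resolver func(repo string) (string, error)

// LinkCache memoises canonical-link lookups, including permanent failures, so a
// repository already found to be bad is not fetched again for every reference
// that mentions it. (Hypothetical type, not osv.dev's repoTagsCache.)
type LinkCache struct {
	mu        sync.Mutex
	canonical map[string]string
	invalid   map[string]error
	resolve   Resolver
}

// NewLinkCache always returns a usable cache, so callers never need a nil check.
func NewLinkCache(r Resolver) *LinkCache {
	return &LinkCache{canonical: map[string]string{}, invalid: map[string]error{}, resolve: r}
}

// IsInvalid reports whether repo was previously found to be bad.
func (c *LinkCache) IsInvalid(repo string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	_, bad := c.invalid[repo]
	return bad
}

// FindCanonicalLink returns the canonical URL for repo. Both caches are consulted
// before any network work, so a known-bad repo never reaches the resolver.
func (c *LinkCache) FindCanonicalLink(repo string) (string, error) {
	c.mu.Lock()
	if err, bad := c.invalid[repo]; bad {
		c.mu.Unlock()
		return "", fmt.Errorf("%w: %v", ErrKnownBad, err)
	}
	if link, ok := c.canonical[repo]; ok {
		c.mu.Unlock()
		return link, nil
	}
	c.mu.Unlock()

	link, err := c.resolve(repo) // cache miss: the only place the "network" is touched

	c.mu.Lock()
	defer c.mu.Unlock()
	switch {
	case errors.Is(err, ErrNotFound):
		c.invalid[repo] = err // permanent failure: remember it
		return "", err
	case err != nil:
		return "", err // transient (timeout, 5xx): do not poison the cache, retry next time
	}
	c.canonical[repo] = link
	return link, nil
}

// NewCountingResolver is a constructed stand-in for the network: a table of
// outcomes plus a counter, so a caller can prove how often the resolver ran.
// Repos missing from the table resolve to themselves.
func NewCountingResolver(table map[string]func() (string, error)) (Resolver, *int) {
	calls := 0
	return func(repo string) (string, error) {
		calls++
		if f, ok := table[repo]; ok {
			return f()
		}
		return repo, nil
	}, &calls
}

func main() {
	resolve, calls := NewCountingResolver(map[string]func() (string, error){
		"https://github.com/gone/repo": func() (string, error) { return "", ErrNotFound },
	})
	cache := NewLinkCache(resolve)
	for i := 0; i < 3; i++ {
		_, err := cache.FindCanonicalLink("https://github.com/gone/repo")
		fmt.Println(err)
	}
	fmt.Println("resolver calls:", *calls) // 1: the later lookups hit the negative cache
}
```

Because the constructor never returns nil, a caller can pass the cache straight through, which is the simplification the first review comment asks for; the nil checks in the calling code disappear with it.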
another-rex approved these changes Apr 7, 2026
This PR introduces various updates for handling NVD and CVE databases, specifically related to the location of range metadata in database_specific, and parsing and cache improvements.
Range & Affected Parsing (NVD & CVE5):
- introduced version equals lessThanOrEqual (meaning it's a specific version, not a range).
- MergeRangesAndCreateAffected logic to a common package for reuse.
- RangeWithMetadata struct to hold unresolved ranges and where they were extracted from, so they can be put in the database_specific.
CVE5 Interoperability:
- RangeWithMetadata to be consistent across records.
References & Links:
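The description above makes two points that a small conversion routine shows better than prose: a range whose introduced version equals its inclusive upper bound is a specific version rather than a range, and an unresolved range should travel with the CPE it was extracted from so that origin can be written to database_specific. The following Go code is an added example, not osv.dev's implementation. The types CPEMatch, Event, RangeWithMetadata and Affected, the functions ParseCPEMatch and MergeRangesAndCreateAffected (the last two reuse names from the description for readability only; their real signatures are not on this page), and the database_specific key cpe_ranges are all this example's own assumptions. It uses NVD's field names (versionStartIncluding, versionEndIncluding, and so on) rather than the CVE5 lessThanOrEqual wording, and it goes slightly beyond the description by also handling an exact version carried in the CPE string itself and by refusing a versionStartExcluding bound, which OSV cannot express. The sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// CPEMatch is a simplified NVD cpeMatch entry: the CPE 2.3 criteria string plus
// the optional version bounds NVD attaches to it (names follow the NVD JSON).
type CPEMatch struct {
	Criteria              string
	VersionStartIncluding string
	VersionStartExcluding string
	VersionEndIncluding   string
	VersionEndExcluding   string
}

// Event is one OSV range event; exactly one field is set.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

// RangeWithMetadata is an unresolved range (still NVD's own version strings)
// plus the CPE it came from, so the origin can be written to database_specific.
type RangeWithMetadata struct {
	Events    []Event `json:"events"`
	SourceCPE string  `json:"source_cpe"`
}

// Affected is the subset of an OSV affected entry this example builds.
type Affected struct {
	Versions         []string            `json:"versions,omitempty"`
	Ranges           []RangeWithMetadata `json:"ranges,omitempty"`
	DatabaseSpecific map[string]any      `json:"database_specific,omitempty"`
}

// ParseCPEMatch classifies one cpeMatch as an exact version or a range. A range
// whose introduced version equals its inclusive end is a single version, not a range.
func ParseCPEMatch(m CPEMatch) (string, *RangeWithMetadata, error) {
	parts := strings.Split(m.Criteria, ":") // escaped colons inside fields are not handled here
	if len(parts) != 13 || parts[0] != "cpe" || parts[1] != "2.3" {
		return "", nil, fmt.Errorf("not a CPE 2.3 string: %q", m.Criteria)
	}
	switch {
	case parts[5] != "*" && parts[5] != "-":
		return parts[5], nil, nil // the CPE itself names one version
	case m.VersionStartExcluding != "":
		// OSV has no exclusive "introduced"; refuse rather than silently widen the range.
		return "", nil, fmt.Errorf("versionStartExcluding on %q is not representable", m.Criteria)
	case m.VersionStartIncluding != "" && m.VersionStartIncluding == m.VersionEndIncluding:
		return m.VersionStartIncluding, nil, nil
	}
	introduced := m.VersionStartIncluding
	if introduced == "" {
		introduced = "0" // no lower bound: affected from the first version
	}
	events := []Event{{Introduced: introduced}}
	if m.VersionEndExcluding != "" {
		events = append(events, Event{Fixed: m.VersionEndExcluding})
	} else if m.VersionEndIncluding != "" {
		events = append(events, Event{LastAffected: m.VersionEndIncluding})
	}
	return "", &RangeWithMetadata{Events: events, SourceCPE: m.Criteria}, nil
}

// MergeRangesAndCreateAffected folds the cpeMatch entries of one product into one
// affected entry: exact versions go to "versions" (de-duplicated), ranges are kept
// and their origin is copied into database_specific.cpe_ranges.
func MergeRangesAndCreateAffected(matches []CPEMatch) (Affected, error) {
	var out Affected
	var meta []map[string]any
	for _, m := range matches {
		v, r, err := ParseCPEMatch(m)
		if err != nil {
			return Affected{}, err
		}
		if v != "" {
			if !slices.Contains(out.Versions, v) {
				out.Versions = append(out.Versions, v)
			}
			continue
		}
		out.Ranges = append(out.Ranges, *r)
		meta = append(meta, map[string]any{"cpe": r.SourceCPE, "events": r.Events})
	}
	if len(meta) > 0 {
		out.DatabaseSpecific = map[string]any{"cpe_ranges": meta}
	}
	return out, nil
}

func main() {
	// Constructed sample input modelled on NVD cpeMatch entries for one product.
	aff, err := MergeRangesAndCreateAffected([]CPEMatch{
		{Criteria: "cpe:2.3:a:example:widget:1.2.3:*:*:*:*:*:*:*"},
		{Criteria: "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*", VersionStartIncluding: "2.0", VersionEndExcluding: "2.4.1"},
		{Criteria: "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*", VersionStartIncluding: "3.0", VersionEndIncluding: "3.0"},
	})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(aff, "", "  ")
	fmt.Println(string(out))
}
```

Keeping the raw NVD bounds and the source CPE under database_specific means a downstream consumer can still audit where a range came from after the versions have been resolved against tags, which is the point of carrying the metadata rather than discarding it once the affected entry is built.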