Conversation

@michaelehab
Collaborator

Solves #1936

  • Update NPM importer to filter and process advisories relevant to the purl passed in the constructor
  • Update NPM v2 importer to filter and process advisories relevant to the purl passed in the constructor
  • Update NPM importer tests to test package-first mode
  • Update NPM v2 importer tests to test package-first mode

@michaelehab michaelehab requested review from TG1999 and keshav-space and removed request for TG1999 July 12, 2025 09:23
@michaelehab michaelehab self-assigned this Jul 13, 2025
@classmethod
def steps(cls):
return (
return [
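Review bot: changing `return (` to `return [` turns the `steps()` sequence from a tuple into a list with no visible need for mutability; keep the tuple so the return type stays what it was before and signals a fixed pipeline of steps.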
Contributor

Why this change?

Collaborator Author

It should be a tuple as well to maintain code consistency. I will change this.

advisory_files = filtered_files

for advisory in list(advisory_files):
for result in self.to_advisory_data(advisory):
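Review bot: if the body of the inner `for result in self.to_advisory_data(advisory):` loop only yields `result`, then `yield from self.to_advisory_data(advisory)` expresses the same thing in one line and preserves generator semantics; the `list(advisory_files)` copy is also unnecessary unless the collection is modified while it is being iterated.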
Contributor

Why are we not using `yield from` here?

Collaborator Author

Do you mean?

for advisory in list(advisory_files):
   yield from self.to_advisory_data(advisory)

advisory_files = list(vuln_directory.glob("*.json"))

if not self.is_batch_run:
package_name = self.purl.name
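Review bot: `self.purl.name` is only read when `is_batch_run` is false, so the constructor should validate (and document) that a purl is supplied for a package-first run; otherwise a package-first run without a purl fails here with an AttributeError instead of a clear error. Also note that for scoped npm packages the purl puts the `@scope` part in `namespace`, so matching advisories on `name` alone would also match an unscoped package of the same name.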
Contributor

Why do we not actually check in our DB whether the purl exists, before even checking all files?

Collaborator Author

How does that guarantee that we won't find new advisories if we have the purl in DB?
As far as I understand, in order to find out whether we have new advisories, we have to check all files.
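The package-first flow discussed in this thread, as an added example that is not the project's own importer code: a batch run processes every advisory file in the directory, while a run constructed with a purl parses each file once and only yields advisories that name that package, delegating with `yield from`. The `module_name` and `vulnerable_versions` fields, the `PackageFirstNpmImporter` class and the sample advisories are constructed for this example; it also shows that for a scoped npm package the purl's `namespace` and `name` must be recombined before matching.

```python
import json
import tempfile
from pathlib import Path
from typing import Iterator, List, Optional

# Constructed sample advisories. The field names are an assumption made for
# this example, not the layout of any real npm advisory feed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-1", "module_name": "left-pad", "vulnerable_versions": "<1.0.0"},
    {"id": "ADV-2", "module_name": "lodash", "vulnerable_versions": "<4.17.21"},
    {"id": "ADV-3", "module_name": "lodash", "vulnerable_versions": "<4.17.12"},
    {"id": "ADV-4", "module_name": "@babel/core", "vulnerable_versions": "<7.0.0"},
    {"id": "ADV-5", "module_name": "core", "vulnerable_versions": "<2.0.0"},
]


def write_sample_vuln_directory() -> Path:
    """Write the constructed advisories as one JSON file each into a temp dir."""
    directory = Path(tempfile.mkdtemp(prefix="npm-advisories-"))
    for advisory in SAMPLE_ADVISORIES:
        (directory / f"{advisory['id']}.json").write_text(json.dumps(advisory))
    return directory


class PackageFirstNpmImporter:
    """Hypothetical importer: no purl means a batch run over every advisory,
    a purl means package-first mode restricted to that package."""

    def __init__(
        self,
        vuln_directory: Path,
        purl_name: Optional[str] = None,
        purl_namespace: Optional[str] = None,
    ):
        self.vuln_directory = vuln_directory
        # For scoped packages the purl splits "@babel/core" into
        # namespace "@babel" and name "core"; recombine them so that
        # "core" alone does not also match the scoped package.
        if purl_name is None:
            self.package_name = None
        elif purl_namespace:
            self.package_name = f"{purl_namespace}/{purl_name}"
        else:
            self.package_name = purl_name

    @property
    def is_batch_run(self) -> bool:
        return self.package_name is None

    def _advisory_files(self) -> List[Path]:
        advisory_files = sorted(self.vuln_directory.glob("*.json"))
        if self.is_batch_run:
            return advisory_files
        # Package-first mode: every file still has to be read once, because
        # only its content says which package it is about.
        filtered_files = []
        for path in advisory_files:
            with path.open() as f:
                if json.load(f).get("module_name") == self.package_name:
                    filtered_files.append(path)
        return filtered_files

    def to_advisory_data(self, path: Path) -> Iterator[dict]:
        with path.open() as f:
            data = json.load(f)
        yield {
            "advisory_id": data["id"],
            "package": data["module_name"],
            "affected": data["vulnerable_versions"],
        }

    def advisory_data(self) -> Iterator[dict]:
        # Delegate to the per-file generator instead of re-yielding each result.
        for path in self._advisory_files():
            yield from self.to_advisory_data(path)


def collect_advisory_ids(purl_name=None, purl_namespace=None) -> List[str]:
    """Run the importer over the constructed directory and return advisory ids."""
    directory = write_sample_vuln_directory()
    importer = PackageFirstNpmImporter(directory, purl_name, purl_namespace)
    return [item["advisory_id"] for item in importer.advisory_data()]


if __name__ == "__main__":
    print(collect_advisory_ids())
    print(collect_advisory_ids("lodash"))
    print(collect_advisory_ids("core", "@babel"))
```

The filter reads each file once to decide whether it matches, which is exactly the cost the thread discusses: whether a package is already known in the database says nothing about whether the feed now carries a new advisory for it, so package-first mode cannot skip the directory scan.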

* Add NPM Live V2 Importer

* Add tests for the NPM Live V2 Importer

* Tested functionally using the Live Evaluation API in #1969

Signed-off-by: Michael Ehab Mikhail <[email protected]>
@michaelehab michaelehab force-pushed the 1936-npm-importer-package-first branch from 5267b18 to d803c6a Compare August 18, 2025 14:55
@michaelehab michaelehab changed the title Modify NPM importer to support package-first mode Add NPM Live Importer V2 Aug 18, 2025