This repository was archived by the owner on Jan 22, 2026. It is now read-only.

Commit e024f74

Update database schema docs
1 parent d8ea903 commit e024f74

1 file changed

Lines changed: 59 additions & 0 deletions

docs/schema.md

@@ -102,6 +102,63 @@ Stores the complete dependency state at each commit that has changes. Enables O(
102102

103103
Indexes: `(commit_id, manifest_id, name)` (unique), `name`, `platform`
104104

105+
### packages
106+
107+
Tracks packages for vulnerability sync status.
108+
109+
| Column | Type | Description |
110+
|--------|------|-------------|
111+
| id | integer | Primary key |
112+
| purl | string | Package URL (e.g., "pkg:gem/rails") |
113+
| ecosystem | string | Package manager (e.g., "rubygems") |
114+
| name | string | Package name |
115+
| latest_version | string | Latest known version (optional) |
116+
| license | string | License identifier (optional) |
117+
| description | text | Package description (optional) |
118+
| homepage | string | Homepage URL (optional) |
119+
| repository_url | string | Source repository URL (optional) |
120+
| source | string | Data source (optional) |
121+
| enriched_at | datetime | When package metadata was enriched |
122+
| vulns_synced_at | datetime | When vulnerabilities were last synced from OSV |
123+
| created_at | datetime | |
124+
| updated_at | datetime | |
125+
126+
Indexes: `purl` (unique)
127+
128+
### vulnerabilities
129+
130+
Caches vulnerability data from OSV.
131+
132+
| Column | Type | Description |
133+
|--------|------|-------------|
134+
| id | string | Primary key (CVE-2024-1234, GHSA-xxxx, etc.) |
135+
| aliases | text | Comma-separated alternative IDs for the same vulnerability |
136+
| severity | string | critical, high, medium, or low |
137+
| cvss_score | float | CVSS numeric score (0.0-10.0) |
138+
| cvss_vector | string | Full CVSS vector string |
139+
| references | text | JSON array of {type, url} objects |
140+
| summary | text | Short description |
141+
| details | text | Full vulnerability details |
142+
| published_at | datetime | When the vulnerability was disclosed |
143+
| withdrawn_at | datetime | When the vulnerability was retracted (if ever) |
144+
| modified_at | datetime | When the OSV record was last modified |
145+
| fetched_at | datetime | When we last fetched from OSV |
146+
147+
### vulnerability_packages
148+
149+
Maps which packages are affected by each vulnerability.
150+
151+
| Column | Type | Description |
152+
|--------|------|-------------|
153+
| id | integer | Primary key |
154+
| vulnerability_id | string | Foreign key to vulnerabilities |
155+
| ecosystem | string | OSV ecosystem name (e.g., "RubyGems") |
156+
| package_name | string | Package name |
157+
| affected_versions | text | Version range expression (e.g., "<4.17.21") |
158+
| fixed_versions | text | Comma-separated list of fixed versions |
159+
160+
Indexes: `(ecosystem, package_name)`, `vulnerability_id`, `(vulnerability_id, ecosystem, package_name)` (unique)
161+
105162
## Relationships
106163

107164
```
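Review bot: The `ecosystem` example in the new `packages` table is "rubygems", while `vulnerability_packages.ecosystem` is documented as the OSV ecosystem name with the example "RubyGems", and `vulnerability_packages` has no foreign key to `packages`. If rows are matched on ecosystem and package name, the docs should say which spelling is stored in each table and where the mapping between them happens, or name `purl` as the join key. Two smaller points in the same hunk: `vulnerabilities` is the only new table without an `Indexes:` line, and `enriched_at` and `vulns_synced_at` are not marked optional the way the other nullable columns are.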
@@ -112,4 +169,6 @@ branches ──┬── branch_commits ──┬── commits
112169
│ └── dependency_snapshots ── manifests
113170
114171
└── last_analyzed_sha (references commits.sha)
172+
173+
vulnerabilities ──── vulnerability_packages
115174
```
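Review bot: The diagram line added at 173 links `vulnerabilities` to `vulnerability_packages` only, so the `packages` table documented in the same commit does not appear under Relationships at all. Add `packages` to the diagram, or a sentence stating that it has no foreign key to the other tables and how it is matched to `vulnerability_packages`, so readers do not have to infer the link from the column lists.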
