- Nov 26, 2024
-
-
Kevin Daudt authored
See merge request !21
-
Daniel Néri authored
-
- Aug 26, 2024
-
-
Ariadne Conill authored
This reverts cb0d588e (importers: import-apkindex: mark packages as unpublished before importing an apkindex, 2021-04-22). The goal of having packages unpublished is that fixes should only be published as soon as the package is available on the mirrors, not when the commit has been made. Once a fix has been published, there should be no reason anymore to unpublish it, resulting in it being invisible. The expected flow after this change is: 1. import-secfixes creates a new package_version if it does not exist yet, and `published` defaults to False. 2. import-apkindex will set `published` to True for each package in the index. So this means once `published` is set to True, it will never be set to `False` anymore. One issue that still remains is that when a secfix is published for an older version of the package, it will never be published, since that version no longer exists in the apkindex. See merge request !20
-
Kevin Daudt authored
This reverts cb0d588e (importers: import-apkindex: mark packages as unpublished before importing an apkindex, 2021-04-22). The goal of having packages unpublished is that fixes should only be published as soon as the package is available on the mirrors, not when the commit has been made. Once a fix has been published, there should be no reason anymore to unpublish it, resulting in it being invisible. The expected flow after this change is: 1. import-secfixes creates a new package_version if it does not exist yet, and `published` defaults to False. 2. import-apkindex will set `published` to True for each package in the index. So this means once `published` is set to True, it will never be set to `False` anymore. One issue that still remains is that when a secfix is published for an older version of the package, it will never be published, since that version no longer exists in the apkindex.
-
- Jul 24, 2024
-
-
Kevin Daudt authored
See merge request !19
-
achill (fossdd) authored
-
- May 28, 2024
-
-
Kevin Daudt authored
-
Kevin Daudt authored
-
- May 27, 2024
-
-
Kevin Daudt authored
This importer extracts data from the [vulnrichment](https://github.com/cisagov/vulnrichment) project provided by CISA. The NVD feed is for the time being not providing the data required to match vulnerabilities to packages, so we need an additional source. See merge request !18
-
Kevin Daudt authored
-
Kevin Daudt authored
-
Kevin Daudt authored
-
Kevin Daudt authored
This importer extracts data from the [vulnrichment](https://github.com/cisagov/vulnrichment) project provided by CISA. The NVD feed is for the time being not providing the data required to match vulnerabilities to packages, so we need an additional source.
-
Kevin Daudt authored
-
Kevin Daudt authored
-
- May 23, 2024
-
-
Kevin Daudt authored
-
- Dec 04, 2023
-
-
Kevin Daudt authored
-
- Nov 28, 2023
-
-
Natanael Copa authored
The feeds that we are currently using will no longer be provided starting from 2023-12-15, and we need to start using the new API provided by the NVD. This new API no longer has separate feeds for each year and a recent feed. Instead a new [API][0] is provided that you can request vulnerabilities from, optionally with some filter. Fixes #14 [0]: https://nvd.nist.gov/developers/vulnerabilities See merge request alpine/security/secfixes-tracker!17
-
- Nov 18, 2023
-
-
Kevin Daudt authored
The feeds that we are currently using will no longer be provided starting from 2023-12-15, and we need to start using the new API provided by the NVD. This new API no longer has separate feeds for each year and a recent feed. Instead a new [API][0] is provided that you can request vulnerabilities from, optionally with some filter. Fixes #14 [0]: https://nvd.nist.gov/developers/vulnerabilities
-
- Nov 07, 2023
-
-
Kevin Daudt authored
-
Kevin Daudt authored
Application factory pattern makes it easier to add tests Add a .flaskenv so we don't depend on exported env var See merge request !16
-
- Nov 03, 2023
-
-
Natanael Copa authored
remove unused create_app import current_app from flask
-
Natanael Copa authored
-
Natanael Copa authored
-
-
-
Natanael Copa authored
and fix exit status when no SECFIXES_REPOSITORIES are configured
-
Natanael Copa authored
Use a common client in conftest.py Use 'text/html' as parameter
-
Natanael Copa authored
-
Natanael Copa authored
-
Natanael Copa authored
-
Natanael Copa authored
-
Natanael Copa authored
-
Natanael Copa authored
-
Natanael Copa authored
fixes #13
-
Natanael Copa authored
test Vulnerability and VulnerabilityReference classes
-
Natanael Copa authored
-
Natanael Copa authored
So we can set up a test database in memory
-
Natanael Copa authored
Application factory pattern makes it easier to add tests Add a .flaskenv so we don't depend on exported env var
-
- Aug 14, 2023
-
-
Natanael Copa authored
-