Open
Description
This is a bit of a brainstorming issue to improve the sustainability of this project. Up til now, I've been checking a few things in every PR, and we can automate many of them:
- Double-check that the matched projects make sense. This isn't automatable, but isn't too hard and it's pretty rare (and often obvious) that it goes wrong. An example where it did is Manually import advisories for glib-networking #189.
- Ensure GeneralMetadata doesn't have a version of "*" on its oldest or newest registered version. This is fully automatable, and probably one of the bigger improvements we could make.
- Ensure the versions themselves "make sense". Most commonly the problem here is that the version extraction finds a date or commit sha instead of a version number (in either the advisory or the download URL). This is more heuristic-y, but we could have the bot report information about Levenshtein distances or some such, even if it's not directly tied to a binary CI ✅. Detect and do something smart with git SHA ranges and dates #89
- Implement a mechanism to ignore/dismiss/reject upstream advisories #171
- Only propose updates to advisories when the upstream advisory has changed #170
- Automatically bound version ranges when a new non-vulnerable version is released #178
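The two automatable checks from the list above (no "*" on the oldest/newest registered version, and versions that look like a date or commit SHA rather than a version number), as an added example that is not part of this issue or the project's own CI. The layout of GeneralMetadata is not shown here, so a flat record with `oldest_version`, `newest_version`, `advisory_version` and `url_version` fields is assumed, and the sample records are constructed. The "*" check is treated as a hard CI failure while the date/SHA and Levenshtein findings are reported as warnings, matching the distinction the list draws between a binary check and a heuristic report.

```python
import re

# Assumed record layout for a GeneralMetadata entry (the real schema is not on the page).
# Constructed sample data: one clean record plus one example of each problem class.
SAMPLE_METADATA = [
    {"project": "example-lib", "oldest_version": "1.0.0", "newest_version": "2.4.1",
     "advisory_version": "2.3.0", "url_version": "2.3.0"},
    {"project": "bad-bounds", "oldest_version": "*", "newest_version": "3.1",
     "advisory_version": "3.0", "url_version": "3.0"},
    {"project": "sha-version", "oldest_version": "0.9", "newest_version": "3f2a9c1",
     "advisory_version": "1.2", "url_version": "1.2"},
    {"project": "date-version", "oldest_version": "1.0", "newest_version": "2.0",
     "advisory_version": "2021-06-30", "url_version": "1.8.2"},
]

# Heuristic patterns: a date (2021-06-30, 20210630), a hex commit SHA (7-40 chars),
# and a version-number-like string (1.2.3, v2.4.1, 2.3.0-rc1).
DATE_RE = re.compile(r"^\d{4}[-._]?\d{2}[-._]?\d{2}$")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*([-+][0-9A-Za-z.-]+)?$")


def classify_version(s):
    """Return 'wildcard', 'date', 'sha', 'version' or 'unknown' for a version string."""
    s = s.strip()
    if s == "*":
        return "wildcard"
    if DATE_RE.match(s):
        return "date"
    # A pure digit string is more likely a version than a SHA, so require a hex letter.
    if SHA_RE.match(s) and re.search(r"[a-f]", s):
        return "sha"
    if VERSION_RE.match(s):
        return "version"
    return "unknown"


def levenshtein(a, b):
    """Classic edit distance; used to report how far the advisory and URL versions disagree."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_record(rec):
    """Return a list of (severity, message) findings for one metadata record."""
    findings = []
    # Hard failure: a '*' bound means the affected range is effectively unbounded.
    for field in ("oldest_version", "newest_version"):
        if rec[field].strip() == "*":
            findings.append(("error", f"{field} is '*'; registered bounds must be concrete versions"))
    # Heuristic: a date or SHA where a version number was expected.
    for field in ("oldest_version", "newest_version", "advisory_version", "url_version"):
        kind = classify_version(rec[field])
        if kind in ("date", "sha", "unknown"):
            findings.append(("warn", f"{field} {rec[field]!r} looks like a {kind}, not a version number"))
    # Heuristic: advisory and download-URL versions should normally agree.
    distance = levenshtein(rec["advisory_version"], rec["url_version"])
    if distance:
        findings.append(("warn", f"advisory_version and url_version differ (Levenshtein distance {distance})"))
    return findings


def ci_passes(findings):
    """Only 'error' findings block CI; warnings are surfaced for the reviewer."""
    return not any(severity == "error" for severity, _ in findings)


def run_checks(records):
    """Map each project name to its findings."""
    return {rec["project"]: check_record(rec) for rec in records}


if __name__ == "__main__":
    for project, findings in run_checks(SAMPLE_METADATA).items():
        status = "OK" if ci_passes(findings) else "FAIL"
        print(f"{project}: {status}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The regexes are deliberately loose: CalVer-style "2021.06.30" is flagged as a date even though some projects use it legitimately, which is the right direction for a report that a human still reads before merging.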