It was passing the display text to the sort function, not the
enum value, so only worked by accident. Refactor/rename things a
bit to make this more clear.
Also give the unknown/unprocessed state a higher priority, so it
shows up before the finished builds. Same for manual builds, since
they require user action.
It was sorted by change date before, which does not say when
something was merged but when it was commited.
At least for me, I want to see if there are any problems and what is
currently building when looking at the queue, and only then what already
is there. Might be different for other users.
Sort by the status priority instead. The priority is the same one used to
decide the most important build status to show in the list for the
different build types.
In case Arch and pypi both had the package we would prefer Arch.
While that helps in case Arch tries to keep older versions to keep
everything compatible, there are cases where things are outdated
in Arch and updates happend despite being in conflict,
so in reality we need to check ourselves anyway.
The "name" of the sbom components no longer contain the pkgbase
we can use to map vulns. Instead components now have one ore more
properties with the key "msys2:pkgbase" and the value being the pkgbase.
We keep package names unique, and if for some reason they wouldn't be
we show both packages on that page then.
Let's not add a query param to every URL for such an edge case.
We guarded in various places by whether vulns exist and then used
worst_vulnerability to select a color, but in case all are ignored
worst_vulnerability is None and things fail.
Introduce all_vulnerabilities/active_vulnerabilities/worst_active_vulnerability
properties and make sure that worst_active_vulnerability is always guarded
properly.
It'a a list of CVE IDs or GHSA IDs which whould be ignored.
In lists we still show them, but at the end and with strike through.
For picking the worst for the tooltip button color we ignore them.
On the security page, of all are ignored, the package is skipped.
In case the package has a anitya ID we use that, otherwise we
use the realname, which might not work or might show a list
of all matches, but better then nothing.
In case the version is an empty string it is considered newer by pacman
than for example "r123".
Instead make it optional and handle the None version everywhere.
Fixes#68
