Merge branch 'main' into feat/enhance-advisory-grouping

Author: Dhirenderchoudhary

aboutcode/federated/__init__.py

@@ -1028,7 +1028,7 @@ def large_size_configs(cls):
             "mlflow": 16,
             "pub": 16,
             "rpm": 16,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1069,7 +1069,7 @@ def medium_size_configs(cls):
             "mlflow": 8,
             "pub": 8,
             "rpm": 8,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1110,7 +1110,7 @@ def small_size_configs(cls):
             "mlflow": 4,
             "pub": 4,
             "rpm": 4,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1181,7 +1181,7 @@ def cluster_preset():
         DataCluster(
             data_kind="security_advisories",
             description="VulnerableCode security advisories for each package version.",
-            datafile_path_template="{/namespace}/{name}/{version}/advisories.json",
+            datafile_path_template="{/namespace}/{name}/{version}/advisories.yml",
             purl_type_configs=[PurlTypeConfig.default_config()],
             data_schema_url="",
             documentation_url="",

aboutcode/federated/tests/test_data/all-presets/foo/aboutcode-federated-config.yml

@@ -933,7 +933,7 @@ data_clusters:
     data_license: CC-BY-4.0
     data_maintainers: []
   - data_kind: security_advisories
-    datafile_path_template: '{/namespace}/{name}/{version}/advisories.json'
+    datafile_path_template: '{/namespace}/{name}/{version}/advisories.yml'
     purl_type_configs:
       - purl_type: default
         number_of_repos: 1

docs/source/conf.py

@@ -40,6 +40,7 @@
     "https://nvd.nist.gov/products/cpe",
     "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
     "http://ftp.suse.com/pub/projects/security/yaml/",
+    r"https://nixos\.wiki/",  # NixOS wiki blocks CI bots with 403
 ]
 
 # Add any Sphinx extension module names here, as strings. They can be

vulnerabilities/importers/__init__.py

@@ -55,6 +55,7 @@
 )
 from vulnerabilities.pipelines.v2_importers import epss_importer_v2
 from vulnerabilities.pipelines.v2_importers import fireeye_importer_v2
+from vulnerabilities.pipelines.v2_importers import gentoo_importer as gentoo_importer_v2
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
@@ -110,6 +111,7 @@
         project_kb_msr2019_importer_v2.ProjectKBMSR2019Pipeline,
         ruby_importer_v2.RubyImporterPipeline,
         epss_importer_v2.EPSSImporterPipeline,
+        gentoo_importer_v2.GentooImporterPipeline,
         nginx_importer_v2.NginxImporterPipeline,
         debian_importer_v2.DebianImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,

vulnerabilities/importers/fireeye.py

@@ -112,7 +112,7 @@ def matcher_url(ref) -> str:
     """
     Returns URL of the reference markup from reference url in Markdown format
     """
-    markup_regex = "\[([^\[]+)]\(\s*(http[s]?://.+)\s*\)"
+    markup_regex = r"\[([^\[]+)]\(\s*(http[s]?://.+)\s*\)"
     matched_markup = re.findall(markup_regex, ref)
     if matched_markup:
         return matched_markup[0][1]

vulnerabilities/importers/gentoo.py

@@ -6,8 +6,7 @@
 # See https://github.com/aboutcode-org/vulnerablecode for support or download.
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
-
-
+import logging
 import re
 import xml.etree.ElementTree as ET
 from pathlib import Path
@@ -17,12 +16,15 @@
 from univers.version_constraint import VersionConstraint
 from univers.version_range import EbuildVersionRange
 from univers.versions import GentooVersion
+from univers.versions import InvalidVersion
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
 
+logger = logging.getLogger(__name__)
+
 
 class GentooImporter(Importer):
     repo_url = "git+https://anongit.gentoo.org/git/data/glsa.git"
@@ -104,14 +106,20 @@ def affected_and_safe_purls(affected_elem):
             safe_versions, affected_versions = GentooImporter.get_safe_and_affected_versions(pkg)
 
             for version in safe_versions:
-                constraints.append(
-                    VersionConstraint(version=GentooVersion(version), comparator="=").invert()
-                )
+                try:
+                    constraints.append(
+                        VersionConstraint(version=GentooVersion(version), comparator="=").invert()
+                    )
+                except InvalidVersion as e:
+                    logger.error(f"Invalid safe_version {version} - error: {e}")
 
             for version in affected_versions:
-                constraints.append(
-                    VersionConstraint(version=GentooVersion(version), comparator="=")
-                )
+                try:
+                    constraints.append(
+                        VersionConstraint(version=GentooVersion(version), comparator="=")
+                    )
+                except InvalidVersion as e:
+                    logger.error(f"Invalid affected_version {version} - error: {e}")
 
             if not constraints:
                 continue

vulnerabilities/improvers/__init__.py

@@ -31,6 +31,7 @@
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
+from vulnerabilities.pipelines.v2_improvers import relate_severities
 from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
 from vulnerabilities.utils import create_registry
 
@@ -72,5 +73,6 @@
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
         collect_ssvc_trees.CollectSSVCPipeline,
+        relate_severities.RelateSeveritiesPipeline,
     ]
 )

vulnerabilities/migrations/0114_advisoryv2_related_advisory_severities.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.2.11 on 2026-02-17 13:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0113_advisoryv2_precedence"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="related_advisory_severities",
+            field=models.ManyToManyField(
+                help_text="Related advisories that are used to calculate the severity of this advisory.",
+                related_name="related_to_advisory_severities",
+                to="vulnerabilities.advisoryv2",
+            ),
+        ),
+    ]

vulnerabilities/migrations/0115_impactedpackageaffecting_and_more.py

@@ -0,0 +1,107 @@
+# Generated by Django 5.2.11 on 2026-02-19 11:12
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0114_advisoryv2_related_advisory_severities"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="affecting_packages",
+        ),
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="fixed_by_packages",
+        ),
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="date_collected",
+            field=models.DateTimeField(
+                auto_now_add=True,
+                db_index=True,
+                help_text="UTC Date on which the advisory was collected",
+            ),
+        ),
+        migrations.CreateModel(
+            name="ImpactedPackageAffecting",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True, db_index=True)),
+                (
+                    "impacted_package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="vulnerabilities.impactedpackage",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.packagev2"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("impacted_package", "package")},
+            },
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="affecting_packages",
+            field=models.ManyToManyField(
+                help_text="Packages vulnerable to this impact.",
+                related_name="affected_in_impacts",
+                through="vulnerabilities.ImpactedPackageAffecting",
+                to="vulnerabilities.packagev2",
+            ),
+        ),
+        migrations.CreateModel(
+            name="ImpactedPackageFixedBy",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True, db_index=True)),
+                (
+                    "impacted_package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="vulnerabilities.impactedpackage",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.packagev2"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("impacted_package", "package")},
+            },
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="fixed_by_packages",
+            field=models.ManyToManyField(
+                help_text="Packages fixing the vulnerable packages in this impact.",
+                related_name="fixed_in_impacts",
+                through="vulnerabilities.ImpactedPackageFixedBy",
+                to="vulnerabilities.packagev2",
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -2344,13 +2344,14 @@ def save(self, *args, **kwargs):
     @property
     def pipeline_class(self):
         """Return the pipeline class."""
+
         from vulnerabilities.importers import IMPORTERS_REGISTRY
         from vulnerabilities.improvers import IMPROVERS_REGISTRY
+        from vulnerabilities.pipelines.exporters import EXPORTERS_REGISTRY
+
+        pipeline_registry = IMPORTERS_REGISTRY | IMPROVERS_REGISTRY | EXPORTERS_REGISTRY
 
-        if self.pipeline_id in IMPROVERS_REGISTRY:
-            return IMPROVERS_REGISTRY.get(self.pipeline_id)
-        if self.pipeline_id in IMPORTERS_REGISTRY:
-            return IMPORTERS_REGISTRY.get(self.pipeline_id)
+        return pipeline_registry[self.pipeline_id]
 
     @property
     def description(self):
@@ -2960,9 +2961,15 @@ class AdvisoryV2(models.Model):
     )
 
     date_published = models.DateTimeField(
-        blank=True, null=True, help_text="UTC Date of publication of the advisory"
+        blank=True,
+        null=True,
+        help_text="UTC Date of publication of the advisory",
+    )
+    date_collected = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+        help_text="UTC Date on which the advisory was collected",
     )
-    date_collected = models.DateTimeField(help_text="UTC Date on which the advisory was collected")
 
     original_advisory_text = models.TextField(
         blank=True,
@@ -2997,6 +3004,12 @@ class AdvisoryV2(models.Model):
         help_text="Precedence indicates the priority of advisory from different datasources. It is determined based on the reliability of the datasource and how close it is to the source.",
     )
 
+    related_advisory_severities = models.ManyToManyField(
+        "AdvisoryV2",
+        related_name="related_to_advisory_severities",
+        help_text="Related advisories that are used to calculate the severity of this advisory.",
+    )
+
     @property
     def risk_score(self):
         """
@@ -3130,13 +3143,15 @@ class ImpactedPackage(models.Model):
     affecting_packages = models.ManyToManyField(
         "PackageV2",
         related_name="affected_in_impacts",
+        through="ImpactedPackageAffecting",
         help_text="Packages vulnerable to this impact.",
     )
 
     fixed_by_packages = models.ManyToManyField(
         "PackageV2",
         related_name="fixed_in_impacts",
-        help_text="Packages vulnerable to this impact.",
+        through="ImpactedPackageFixedBy",
+        help_text="Packages fixing the vulnerable packages in this impact.",
     )
 
     introduced_by_package_commit_patches = models.ManyToManyField(
@@ -3484,6 +3499,44 @@ def current_version(self):
         return self.version_class(self.version)
 
 
+class ImpactedPackageAffecting(models.Model):
+    impacted_package = models.ForeignKey(
+        ImpactedPackage,
+        on_delete=models.CASCADE,
+    )
+    package = models.ForeignKey(
+        PackageV2,
+        on_delete=models.CASCADE,
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+    )
+
+    class Meta:
+        unique_together = ("impacted_package", "package")
+
+
+class ImpactedPackageFixedBy(models.Model):
+    impacted_package = models.ForeignKey(
+        ImpactedPackage,
+        on_delete=models.CASCADE,
+    )
+    package = models.ForeignKey(
+        PackageV2,
+        on_delete=models.CASCADE,
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+    )
+
+    class Meta:
+        unique_together = ("impacted_package", "package")
+
+
 class AdvisoryExploit(models.Model):
     """
     A vulnerability exploit is code used to