Merge branch 'main' into improve-ssvc-yaml-display

Author: Mahaboobunnisa123

aboutcode/federated/__init__.py

@@ -1028,7 +1028,7 @@ def large_size_configs(cls):
             "mlflow": 16,
             "pub": 16,
             "rpm": 16,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1069,7 +1069,7 @@ def medium_size_configs(cls):
             "mlflow": 8,
             "pub": 8,
             "rpm": 8,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1110,7 +1110,7 @@ def small_size_configs(cls):
             "mlflow": 4,
             "pub": 4,
             "rpm": 4,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1181,7 +1181,7 @@ def cluster_preset():
         DataCluster(
             data_kind="security_advisories",
             description="VulnerableCode security advisories for each package version.",
-            datafile_path_template="{/namespace}/{name}/{version}/advisories.json",
+            datafile_path_template="{/namespace}/{name}/{version}/advisories.yml",
             purl_type_configs=[PurlTypeConfig.default_config()],
             data_schema_url="",
             documentation_url="",

aboutcode/federated/tests/test_data/all-presets/foo/aboutcode-federated-config.yml

@@ -933,7 +933,7 @@ data_clusters:
     data_license: CC-BY-4.0
     data_maintainers: []
   - data_kind: security_advisories
-    datafile_path_template: '{/namespace}/{name}/{version}/advisories.json'
+    datafile_path_template: '{/namespace}/{name}/{version}/advisories.yml'
     purl_type_configs:
       - purl_type: default
         number_of_repos: 1

docs/source/conf.py

@@ -40,6 +40,7 @@
     "https://nvd.nist.gov/products/cpe",
     "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
     "http://ftp.suse.com/pub/projects/security/yaml/",
+    r"https://nixos\.wiki/",  # NixOS wiki blocks CI bots with 403
 ]
 
 # Add any Sphinx extension module names here, as strings. They can be

vulnerabilities/api_v2.py

@@ -41,6 +41,7 @@
 from vulnerabilities.models import VulnerabilitySeverity
 from vulnerabilities.models import Weakness
 from vulnerabilities.throttling import PermissionBasedUserRateThrottle
+from vulnerabilities.utils import group_advisories_by_content
 
 
 class CharInFilter(filters.BaseInFilter, filters.CharFilter):
@@ -361,19 +362,39 @@ def get_affected_by_vulnerabilities(self, package):
 
         latest_advisories = AdvisoryV2.objects.latest_for_avids(avids)
         advisory_by_avid = {adv.avid: adv for adv in latest_advisories}
+        impact_by_avid = {}
 
-        result = {}
-
+        advisories = []
         for impact in impacts:
             avid = impact.advisory.avid
             advisory = advisory_by_avid.get(avid)
             if not advisory:
                 continue
-            fixed_by_packages = [pkg.purl for pkg in impact.fixed_by_packages.all()]
-            result[advisory.avid] = {
-                "advisory_id": advisory.avid,
-                "fixed_by_packages": fixed_by_packages,
-            }
+            advisories.append(advisory)
+            impact_by_avid[avid] = impact
+
+        grouped_advisories = group_advisories_by_content(advisories=advisories)
+
+        advs = []
+
+        for hash in grouped_advisories:
+            advs.append(grouped_advisories[hash])
+
+        result = []
+
+        for advisory in advs:
+            primary_advisory = advisory["primary"]
+            avid = primary_advisory.avid
+            impact = impact_by_avid.get(avid)
+            if not impact:
+                continue
+            result.append(
+                {
+                    "advisory_id": primary_advisory.avid,
+                    "fixed_by_packages": [pkg.purl for pkg in impact.fixed_by_packages.all()],
+                    "duplicate_advisory_ids": [adv.avid for adv in advisory["secondary"]],
+                }
+            )
 
         return result
 
@@ -384,7 +405,25 @@ def get_fixing_vulnerabilities(self, package):
 
         latest_advisories = AdvisoryV2.objects.latest_for_avids(avids)
 
-        return [adv.avid for adv in latest_advisories]
+        grouped_advisories = group_advisories_by_content(advisories=latest_advisories)
+
+        advs = []
+
+        for hash in grouped_advisories:
+            advs.append(grouped_advisories[hash])
+
+        result = []
+
+        for advisory in advs:
+            primary_advisory = advisory["primary"]
+            result.append(
+                {
+                    "advisory_id": primary_advisory.avid,
+                    "duplicate_advisory_ids": [adv.avid for adv in advisory["secondary"]],
+                }
+            )
+
+        return result
 
     def get_next_non_vulnerable_version(self, package):
         if next_non_vulnerable := package.get_non_vulnerable_versions()[0]:
@@ -1078,14 +1117,14 @@ def list(self, request, *args, **kwargs):
             return self.get_paginated_response(
                 {
                     "packages": serializer.data,
-                    "advisories": advisory_data,
+                    "advisories_by_id": advisory_data,
                 }
             )
 
         return Response(
             {
                 "packages": serializer.data,
-                "advisories": advisory_data,
+                "advisories_by_id": advisory_data,
             }
         )
 
@@ -1160,7 +1199,7 @@ def bulk_lookup(self, request):
         return Response(
             {
                 "packages": package_data,
-                "advisories": advisory_data,
+                "advisories_by_id": advisory_data,
             }
         )
 
@@ -1254,7 +1293,7 @@ def bulk_search(self, request):
                 return Response(
                     {
                         "packages": package_data,
-                        "advisories": advisory_data,
+                        "advisories_by_id": advisory_data,
                     }
                 )
 
@@ -1308,7 +1347,7 @@ def bulk_search(self, request):
             return Response(
                 {
                     "packages": package_data,
-                    "advisories": advisory_data,
+                    "advisories_by_id": advisory_data,
                 }
             )
 

vulnerabilities/importers/__init__.py

@@ -55,6 +55,7 @@
 )
 from vulnerabilities.pipelines.v2_importers import epss_importer_v2
 from vulnerabilities.pipelines.v2_importers import fireeye_importer_v2
+from vulnerabilities.pipelines.v2_importers import gentoo_importer as gentoo_importer_v2
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
@@ -108,6 +109,7 @@
         project_kb_msr2019_importer_v2.ProjectKBMSR2019Pipeline,
         ruby_importer_v2.RubyImporterPipeline,
         epss_importer_v2.EPSSImporterPipeline,
+        gentoo_importer_v2.GentooImporterPipeline,
         nginx_importer_v2.NginxImporterPipeline,
         debian_importer_v2.DebianImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,

vulnerabilities/importers/fireeye.py

@@ -112,7 +112,7 @@ def matcher_url(ref) -> str:
     """
     Returns URL of the reference markup from reference url in Markdown format
     """
-    markup_regex = "\[([^\[]+)]\(\s*(http[s]?://.+)\s*\)"
+    markup_regex = r"\[([^\[]+)]\(\s*(http[s]?://.+)\s*\)"
     matched_markup = re.findall(markup_regex, ref)
     if matched_markup:
         return matched_markup[0][1]

vulnerabilities/importers/gentoo.py

@@ -6,8 +6,7 @@
 # See https://github.com/aboutcode-org/vulnerablecode for support or download.
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
-
-
+import logging
 import re
 import xml.etree.ElementTree as ET
 from pathlib import Path
@@ -17,12 +16,15 @@
 from univers.version_constraint import VersionConstraint
 from univers.version_range import EbuildVersionRange
 from univers.versions import GentooVersion
+from univers.versions import InvalidVersion
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
 
+logger = logging.getLogger(__name__)
+
 
 class GentooImporter(Importer):
     repo_url = "git+https://anongit.gentoo.org/git/data/glsa.git"
@@ -104,14 +106,20 @@ def affected_and_safe_purls(affected_elem):
             safe_versions, affected_versions = GentooImporter.get_safe_and_affected_versions(pkg)
 
             for version in safe_versions:
-                constraints.append(
-                    VersionConstraint(version=GentooVersion(version), comparator="=").invert()
-                )
+                try:
+                    constraints.append(
+                        VersionConstraint(version=GentooVersion(version), comparator="=").invert()
+                    )
+                except InvalidVersion as e:
+                    logger.error(f"Invalid safe_version {version} - error: {e}")
 
             for version in affected_versions:
-                constraints.append(
-                    VersionConstraint(version=GentooVersion(version), comparator="=")
-                )
+                try:
+                    constraints.append(
+                        VersionConstraint(version=GentooVersion(version), comparator="=")
+                    )
+                except InvalidVersion as e:
+                    logger.error(f"Invalid affected_version {version} - error: {e}")
 
             if not constraints:
                 continue

vulnerabilities/improvers/__init__.py

@@ -31,6 +31,7 @@
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
+from vulnerabilities.pipelines.v2_improvers import relate_severities
 from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
 from vulnerabilities.utils import create_registry
 
@@ -72,5 +73,6 @@
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
         collect_ssvc_trees.CollectSSVCPipeline,
+        relate_severities.RelateSeveritiesPipeline,
     ]
 )

vulnerabilities/migrations/0113_advisoryv2_precedence.py

@@ -0,0 +1,22 @@
+# Generated by Django 4.2.25 on 2026-02-10 12:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0112_alter_advisoryseverity_scoring_system_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="precedence",
+            field=models.IntegerField(
+                blank=True,
+                help_text="Precedence indicates the priority of advisory from different datasources. It is determined based on the reliability of the datasource and how close it is to the source.",
+                null=True,
+            ),
+        ),
+    ]

vulnerabilities/migrations/0114_advisoryv2_related_advisory_severities.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.2.11 on 2026-02-17 13:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0113_advisoryv2_precedence"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="related_advisory_severities",
+            field=models.ManyToManyField(
+                help_text="Related advisories that are used to calculate the severity of this advisory.",
+                related_name="related_to_advisory_severities",
+                to="vulnerabilities.advisoryv2",
+            ),
+        ),
+    ]