Aggregate SSVCs using qs

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/api_v3.py

@@ -10,11 +10,14 @@
 from collections import defaultdict
 from urllib.parse import urlencode
 
+from django.contrib.postgres.aggregates import JSONBAgg
 from django.db.models import Exists
+from django.db.models import F
 from django.db.models import Max
 from django.db.models import OuterRef
 from django.db.models import Prefetch
 from django.db.models import Q
+from django.db.models.functions import JSONObject
 from django_filters import rest_framework as filters
 from drf_spectacular.utils import extend_schema
 from packageurl import PackageURL
@@ -644,24 +647,6 @@ def get_affected_advisories_bulk(packages):
         .select_related("primary_advisory")
         .prefetch_related(
             Prefetch("aliases", queryset=AdvisoryAlias.objects.only("alias")),
-            Prefetch(
-                "members",
-                queryset=AdvisorySetMember.objects.select_related("advisory").prefetch_related(
-                    Prefetch(
-                        "advisory__related_ssvcs",
-                        queryset=SSVC.objects.select_related("source_advisory")
-                        .only(
-                            "id",
-                            "options",
-                            "decision",
-                            "vector",
-                            "source_advisory__url",
-                        )
-                        .distinct("source_advisory__url"),
-                        to_attr="prefetched_ssvc_trees",
-                    )
-                ),
-            ),
         )
         .annotate(
             max_severity=Max(
@@ -670,6 +655,16 @@ def get_affected_advisories_bulk(packages):
             max_exploitability=Max(
                 "members__advisory__exploitability",
             ),
+            ssvc_trees=JSONBAgg(
+                JSONObject(
+                    vector=F("members__advisory__related_ssvcs__vector"),
+                    decision=F("members__advisory__related_ssvcs__decision"),
+                    options=F("members__advisory__related_ssvcs__options"),
+                    source_url=F("members__advisory__related_ssvcs__source_advisory__url"),
+                ),
+                filter=Q(members__advisory__related_ssvcs__decision__isnull=False),
+                distinct=True,
+            ),
         )
         .only(
             "id",
@@ -706,22 +701,6 @@ def get_affected_advisories_bulk(packages):
             identifier = primary.advisory_id.split("/")[-1]
 
             aliases = [a for a in adv._aliases_cache if a != identifier]
-            all_ssvc = []
-
-            for member in adv.members.all():
-                all_ssvc.extend(member.advisory.prefetched_ssvc_trees)
-
-            ssvcs = []
-
-            for ssvc in all_ssvc:
-                ssvcs.append(
-                    {
-                        "vector": ssvc.vector,
-                        "decision": ssvc.decision,
-                        "options": ssvc.options,
-                        "source_url": ssvc.source_advisory.url,
-                    }
-                )
 
             grouped.append(
                 {
@@ -733,7 +712,7 @@ def get_affected_advisories_bulk(packages):
                     "risk_score": risk_score,
                     "summary": primary.summary,
                     "resource_url": primary.get_absolute_url(),
-                    "ssvc_trees": ssvcs,
+                    "ssvc_trees": adv.ssvc_trees or [],
                 }
             )
 

vulnerabilities/models.py

@@ -3284,9 +3284,7 @@ class Meta:
                 fields=["_all_impacts_unfurled", "id"],
                 name="advisory_unfurled_idx",
             ),
-            models.Index(
-                fields=["is_latest", "_all_impacts_unfurled"]
-            )
+            models.Index(fields=["is_latest", "_all_impacts_unfurled"]),
         ]
 
     def save(self, *args, **kwargs):