Merge branch 'main' into osv-cvss4

Author: TG1999

docker-compose.yml

@@ -13,9 +13,6 @@ services:
 
   vulnerablecode_redis:
     image: redis
-    # Enable redis data persistence using the "Append Only File" with the
-    # default policy of fsync every second. See https://redis.io/topics/persistence
-    command: redis-server --appendonly yes
     volumes:
       - vulnerablecode_redis_data:/data
     restart: always

requirements.txt

@@ -27,7 +27,7 @@ dateparser==1.1.1
 decorator==5.1.1
 defusedxml==0.7.1
 distro==1.7.0
-Django==4.2.22
+Django==4.2.25
 django-altcha==0.2.0
 django-crispy-forms==2.3
 django-environ==0.11.2

vulnerabilities/improvers/__init__.py

@@ -30,6 +30,7 @@
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
+from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
 from vulnerabilities.utils import create_registry
 
 IMPROVERS_REGISTRY = create_registry(
@@ -67,6 +68,7 @@
         compute_package_risk_v2.ComputePackageRiskPipeline,
         compute_version_rank_v2.ComputeVersionRankPipeline,
         compute_advisory_todo_v2.ComputeToDo,
+        unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
     ]
 )

vulnerabilities/migrations/0102_alter_impactedpackage_affecting_vers_and_more.py

@@ -0,0 +1,38 @@
+# Generated by Django 4.2.22 on 2025-09-03 09:45
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0101_advisorytodov2_todorelatedadvisoryv2_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="impactedpackage",
+            name="affecting_vers",
+            field=models.TextField(
+                blank=True,
+                help_text="VersionRange expression for package vulnerable to this impact.",
+                null=True,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="impactedpackage",
+            name="base_purl",
+            field=models.CharField(
+                help_text="Version less PURL related to impacted range.", max_length=500
+            ),
+        ),
+        migrations.AlterField(
+            model_name="impactedpackage",
+            name="fixed_vers",
+            field=models.TextField(
+                blank=True,
+                help_text="VersionRange expression for packages fixing the vulnerable package in this impact.",
+                null=True,
+            ),
+        ),
+    ]

vulnerabilities/migrations/0103_codecommit_impactedpackage_affecting_commits_and_more.py

@@ -0,0 +1,84 @@
+# Generated by Django 4.2.22 on 2025-10-31 14:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0102_alter_impactedpackage_affecting_vers_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="CodeCommit",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "commit_hash",
+                    models.CharField(
+                        help_text="Unique commit identifier (e.g., SHA).", max_length=64
+                    ),
+                ),
+                (
+                    "vcs_url",
+                    models.URLField(
+                        help_text="URL of the repository containing the commit.", max_length=1024
+                    ),
+                ),
+                (
+                    "commit_rank",
+                    models.IntegerField(
+                        default=0,
+                        help_text="Rank of the commit to support ordering by commit. Rank zero means the rank has not been defined yet",
+                    ),
+                ),
+                (
+                    "commit_author",
+                    models.CharField(
+                        blank=True, help_text="Author of the commit.", max_length=100, null=True
+                    ),
+                ),
+                (
+                    "commit_date",
+                    models.DateTimeField(
+                        blank=True,
+                        help_text="Timestamp indicating when this commit was created.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "commit_message",
+                    models.TextField(
+                        blank=True, help_text="Commit message or description.", null=True
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("commit_hash", "vcs_url")},
+            },
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="affecting_commits",
+            field=models.ManyToManyField(
+                help_text="Commits introducing this impact.",
+                related_name="affecting_commits_in_impacts",
+                to="vulnerabilities.codecommit",
+            ),
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="fixed_by_commits",
+            field=models.ManyToManyField(
+                help_text="Commits fixing this impact.",
+                related_name="fixing_commits_in_impacts",
+                to="vulnerabilities.codecommit",
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -16,6 +16,8 @@
 from functools import cached_property
 from itertools import groupby
 from operator import attrgetter
+from traceback import format_exc as traceback_format_exc
+from typing import List
 from typing import Union
 from urllib.parse import urljoin
 
@@ -2927,17 +2929,19 @@ class ImpactedPackage(models.Model):
 
     base_purl = models.CharField(
         max_length=500,
-        blank=True,
+        blank=False,
         help_text="Version less PURL related to impacted range.",
     )
 
     affecting_vers = models.TextField(
         blank=True,
+        null=True,
         help_text="VersionRange expression for package vulnerable to this impact.",
     )
 
     fixed_vers = models.TextField(
         blank=True,
+        null=True,
         help_text="VersionRange expression for packages fixing the vulnerable package in this impact.",
     )
 
@@ -2953,6 +2957,18 @@ class ImpactedPackage(models.Model):
         help_text="Packages vulnerable to this impact.",
     )
 
+    affecting_commits = models.ManyToManyField(
+        "CodeCommit",
+        related_name="affecting_commits_in_impacts",
+        help_text="Commits introducing this impact.",
+    )
+
+    fixed_by_commits = models.ManyToManyField(
+        "CodeCommit",
+        related_name="fixing_commits_in_impacts",
+        help_text="Commits fixing this impact.",
+    )
+
     created_at = models.DateTimeField(
         auto_now_add=True,
         db_index=True,
@@ -3065,6 +3081,41 @@ def get_or_create_from_purl(self, purl: Union[PackageURL, str]):
 
         return package, is_created
 
+    def bulk_get_or_create_from_purls(self, purls: List[Union[PackageURL, str]]):
+        """
+        Return new or existing Packages given ``purls`` list of PackageURL object or PURL string.
+        """
+        purl_strings = [str(p) for p in purls]
+        existing_packages = PackageV2.objects.filter(package_url__in=purl_strings)
+        existing_purls = set(existing_packages.values_list("package_url", flat=True))
+
+        all_packages = list(existing_packages)
+        packages_to_create = []
+        for purl in purls:
+            if str(purl) in existing_purls:
+                continue
+
+            purl_dict = purl_to_dict(purl)
+            purl = PackageURL(**purl_dict)
+
+            normalized = normalize_purl(purl=purl)
+            for name, value in purl_to_dict(normalized).items():
+                setattr(self, name, value)
+
+            purl_dict["package_url"] = str(normalized)
+            purl_dict["plain_package_url"] = str(utils.plain_purl(normalized))
+
+            packages_to_create.append(PackageV2(**purl_dict))
+
+        try:
+            new_packages = PackageV2.objects.bulk_create(packages_to_create)
+        except Exception as e:
+            logging.error(f"Error creating PackageV2: {e} \n {traceback_format_exc()}")
+            return []
+
+        all_packages.extend(new_packages)
+        return all_packages
+
     def only_vulnerable(self):
         return self._vulnerable(True)
 
@@ -3334,3 +3385,32 @@ class AdvisoryExploit(models.Model):
     @property
     def get_known_ransomware_campaign_use_type(self):
         return "Known" if self.known_ransomware_campaign_use else "Unknown"
+
+
+class CodeCommit(models.Model):
+    """
+    A CodeCommit Represents a single VCS commit (e.g., Git) related to a ImpactedPackage.
+    """
+
+    commit_hash = models.CharField(max_length=64, help_text="Unique commit identifier (e.g., SHA).")
+    vcs_url = models.URLField(
+        max_length=1024, help_text="URL of the repository containing the commit."
+    )
+
+    commit_rank = models.IntegerField(
+        default=0,
+        help_text="Rank of the commit to support ordering by commit. Rank "
+        "zero means the rank has not been defined yet",
+    )
+    commit_author = models.CharField(
+        max_length=100, null=True, blank=True, help_text="Author of the commit."
+    )
+    commit_date = models.DateTimeField(
+        null=True, blank=True, help_text="Timestamp indicating when this commit was created."
+    )
+    commit_message = models.TextField(
+        null=True, blank=True, help_text="Commit message or description."
+    )
+
+    class Meta:
+        unique_together = ("commit_hash", "vcs_url")