Update UI to have a new tab Package Commit Patches Details

Sort PackageCommitPatchViewSet

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/api_v2.py

@@ -966,7 +966,7 @@ def get_queryset(self):
                 | Q(fixed_in_impacts__base_purl__icontains=purl)
             ).distinct()
 
-        return queryset
+        return queryset.order_by("id")
 
 
 class PatchViewSet(viewsets.ReadOnlyModelViewSet):

vulnerabilities/templates/advisory_detail.html

@@ -181,6 +181,18 @@
                                     </a>
                                 </td>
                             </tr>
+                            <tr>
+                                <td class="two-col-left"
+                                    data-tooltip="Risk expressed as a number ranging from 0 to 10. It is calculated by multiplying
+                                    the weighted severity and exploitability values, capped at a maximum of 10.
+                                    "
+                                >Introduced and Fixed Package Commit Patches</td>
+                                <td class="two-col-right wrap-strings">
+                                    <a href="/advisories/commits/{{ advisory.avid }}">
+                                         Package Commit Patches Details
+                                    </a>
+                                </td>
+                            </tr>
                         </tbody>
                     </table>
                     <div class="has-text-weight-bold tab-nested-div ml-1 mb-1 mt-6">

vulnerabilities/templates/advisory_package_commit_details.html

@@ -0,0 +1,82 @@
+{% extends "base.html" %}
+{% load humanize %}
+{% load widget_tweaks %}
+{% load static %}
+{% load show_cvss %}
+{% load url_filters %}
+
+{% block title %}
+VulnerableCode Advisory Package Commit Patch Details - {{ advisoryv2.advisory_id }}
+{% endblock %}
+
+{% block content %}
+
+{% if advisoryv2 %}
+    <section class="section pt-0">
+        <div class="details-container">
+            <article class="panel is-info panel-header-only">
+                <div class="panel-heading py-2 is-size-6">
+                    Introduce and Fixing Package Commit Patch details for Advisory:
+                    <span class="tag is-white custom">
+                        {{ advisoryv2.advisory_id }}
+                    </span>
+                </div>
+            </article>
+
+        <div id="tab-content">
+            <table class="table vcio-table width-100-pct mt-2">
+                <thead>
+                    <tr>
+                        <th style="width: 50%;">Introduced in</th>
+                        <th>Fixed by</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {% for impact in advisoryv2.impacted_packages.all %}
+                        {% for pkg_commit_patch in impact.introduced_by_package_commit_patches.all %}
+                            <tr>
+                                <td>
+                                    <a href="{{ pkg_commit_patch.patch_url }}" target="_self">
+                                        {{ pkg_commit_patch.vcs_url }}@{{ pkg_commit_patch.commit_hash }}
+                                    </a>
+                                    <br />
+                                    <a href="{{ pkg_commit_patch.patch_url }}" target="_self">{{ pkg_commit_patch.patch_url }}</a>
+                                </td>
+                                <td></td>
+                            </tr>
+                        {% endfor %}
+
+                        {% for pkg_commit_patch in impact.fixed_by_package_commit_patches.all %}
+                            <tr>
+                                <td></td>
+                                <td>
+                                    <a href="{{ pkg_commit_patch.commit_url }}" target="_self">
+                                        {{ impact.base_purl }}@{{ pkg_commit_patch.commit_hash }}
+                                    </a>
+                                    <br />
+                                
+                                    {% if pkg_commit_patch.patch_url %}
+                                        <a href="{{ pkg_commit_patch.patch_url }}" target="_self">{{ pkg_commit_patch.patch_url }}</a>
+                                    {% endif %}
+                                </td>
+                            </tr>
+                        {% endfor %}
+
+                    {% empty %}
+                        <tr>
+                            <td colspan="2">
+                                This vulnerability is not known to affect any package commits.
+                            </td>
+                        </tr>
+                    {% endfor %}
+                </tbody>
+            </table>
+        </div>
+
+        </div>
+    </section>
+{% endif %}
+
+<script src="{% static 'js/main.js' %}" crossorigin="anonymous"></script>
+
+{% endblock %}

vulnerabilities/templates/advisory_package_details.html

@@ -60,67 +60,6 @@
                 </div>
         </div>
     </section>
-    <section class="section pt-0">
-        <div class="details-container">
-            <article class="panel is-info panel-header-only">
-                <div class="panel-heading py-2 is-size-6">
-                    Vulnerable and Fixing Package Commit Patch details for Advisory:
-                    <span class="tag is-white custom">
-                        {{ advisoryv2.advisory_id }}
-                    </span>
-                </div>
-            </article>
-        
-        <div id="tab-content">
-            <table class="table vcio-table width-100-pct mt-2">
-                <thead>
-                    <tr>
-                        <th style="width: 50%;">Introduced in</th>
-                        <th>Fixed by</th>
-                    </tr>
-                </thead>
-                <tbody>
-                    {% for impact in advisoryv2.impacted_packages.all %}
-                        
-                        {% for pkg_commit_patch in impact.introduced_by_package_commit_patches.all %}
-                            <tr>
-                                <td>
-                                    <a href="{{ pkg_commit_patch.patch_url }}" target="_self">
-                                        {{ pkg_commit_patch.vcs_url }}@{{ pkg_commit_patch.commit_hash }}
-                                    </a>
-                                    <br />
-                                    <a href="{{ pkg_commit_patch.patch_url }}" target="_self">{{ pkg_commit_patch.patch_url }}</a>
-                                </td>
-                                <td></td>
-                            </tr>
-                        {% endfor %}
-                        
-                        {% for pkg_commit_patch in impact.fixed_by_package_commit_patches.all %}
-                            <tr>
-                                <td></td>
-                                <td>
-                                    <a href="{{ pkg_commit_patch.commit_url }}" target="_self">
-                                        {{ impact.base_purl }}@{{ pkg_commit_patch.commit_hash }}
-                                    </a>
-                                    <br />
-                                    <a href="{{ pkg_commit_patch.patch_url }}" target="_self">{{ pkg_commit_patch.patch_url }}</a>
-                                </td>
-                            </tr>
-                        {% endfor %}
-        
-                    {% empty %}
-                        <tr>
-                            <td colspan="2">
-                                This vulnerability is not known to affect any package commits.
-                            </td>
-                        </tr>
-                    {% endfor %}
-                </tbody>
-            </table>
-        </div>
-        
-        </div>
-    </section>
 {% endif %}
 
 <script src="{% static 'js/main.js' %}" crossorigin="anonymous"></script>

vulnerabilities/utils.py

@@ -43,6 +43,7 @@
 from univers.version_range import VersionRange
 
 from aboutcode.hashid import build_vcid
+from aboutcode.hashid import get_core_purl
 
 logger = logging.getLogger(__name__)
 
@@ -902,49 +903,44 @@ def compute_advisory_content(advisory_data):
     return content_hash
 
 
-def generate_patch_url(vcs_url, commit_hash):
+def generate_commit_url(vcs_url, commit_hash):
     """
-    Generate patch URL from VCS URL and commit hash.
+    Generate commit URL from VCS URL and commit hash.
     """
     if not vcs_url or not commit_hash:
-        return None
+        return
 
-    vcs_url = vcs_url.rstrip("/")
+    purl = url2purl(vcs_url)
+    if not purl:
+        return
 
-    if vcs_url.startswith("https://github.com"):
-        return f"{vcs_url}/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://gitlab.com"):
-        return f"{vcs_url}/-/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://codeberg.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://android.googlesource.com"):
-        return f"{vcs_url}/+/{commit_hash}%5E%21?format=TEXT"
-    elif vcs_url.startswith("https://bitbucket.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}/raw"
-    elif vcs_url.startswith("https://git.kernel.org"):
-        return f"{vcs_url}/patch/?id={commit_hash}"
-    return
+    base_purl = get_core_purl(str(purl))
+    purl_with_version = PackageURL(
+        type=base_purl.type, namespace=base_purl.namespace, name=base_purl.name, version=commit_hash
+    )
+    commit_url = purl2url(str(purl_with_version))
+    return commit_url
 
 
-def generate_commit_url(vcs_url, commit_hash):
+def generate_patch_url(vcs_url, commit_hash):
     """
-    Generate commit URL from VCS URL and commit hash.
+    Generate patch URL from VCS URL and commit hash.
     """
     if not vcs_url or not commit_hash:
         return None
 
     vcs_url = vcs_url.rstrip("/")
 
     if vcs_url.startswith("https://github.com"):
-        return f"{vcs_url}/commit/{commit_hash}"
+        return f"{vcs_url}/commit/{commit_hash}.patch"
     elif vcs_url.startswith("https://gitlab.com"):
-        return f"{vcs_url}/-/commit/{commit_hash}"
+        return f"{vcs_url}/-/commit/{commit_hash}.patch"
+    elif vcs_url.startswith("https://bitbucket.org"):
+        return f"{vcs_url}/-/commit/{commit_hash}/raw"
     elif vcs_url.startswith("https://codeberg.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}"
+        return f"{vcs_url}/-/commit/{commit_hash}.patch"
     elif vcs_url.startswith("https://android.googlesource.com"):
-        return f"{vcs_url}/+/{commit_hash}"
-    elif vcs_url.startswith("https://bitbucket.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}"
+        return f"{vcs_url}/+/{commit_hash}%5E%21?format=TEXT"
     elif vcs_url.startswith("https://git.kernel.org"):
         return f"{vcs_url}/patch/?id={commit_hash}"
     return

vulnerabilities/views.py

@@ -787,6 +787,57 @@ def get_queryset(self):
         )
 
 
+class AdvisoryPackageCommitPatchDetails(DetailView):
+    """
+    View to display all packages introduce by or fixing a specific vulnerability.
+    URL: /advisories/{id}/commits
+    """
+
+    model = models.AdvisoryV2
+    template_name = "advisory_package_commit_details.html"
+    slug_url_kwarg = "avid"
+
+    def get_object(self, queryset=None):
+        avid = self.kwargs.get(self.slug_url_kwarg)
+        if not avid:
+            raise Http404("Missing advisory identifier")
+
+        advisory = models.AdvisoryV2.objects.latest_for_avid(avid)
+
+        if not advisory:
+            raise Http404(f"No advisory found for avid: {avid}")
+
+        return advisory
+
+    def get_queryset(self):
+        """
+        Prefetch and optimize related data to minimize database hits.
+        """
+        return (
+            super()
+            .get_queryset()
+            .prefetch_related(
+                Prefetch(
+                    "impacted_packages",
+                    queryset=models.ImpactedPackage.objects.order_by("base_purl").prefetch_related(
+                        Prefetch(
+                            "introduced_by_package_commit_patches",
+                            queryset=models.PackageCommitPatch.objects.only(
+                                "commit_hash", "vcs_url", "patch_url", "commit_url"
+                            ),
+                        ),
+                        Prefetch(
+                            "fixed_by_package_commit_patches",
+                            queryset=models.PackageCommitPatch.objects.only(
+                                "commit_hash", "vcs_url", "patch_url", "commit_url"
+                            ),
+                        ),
+                    ),
+                )
+            )
+        )
+
+
 class PipelineScheduleListView(ListView, FormMixin):
     model = PipelineSchedule
     context_object_name = "schedule_list"

vulnerablecode/urls.py

@@ -30,6 +30,7 @@
 from vulnerabilities.api_v2 import VulnerabilityV2ViewSet
 from vulnerabilities.views import AdminLoginView
 from vulnerabilities.views import AdvisoryDetails
+from vulnerabilities.views import AdvisoryPackageCommitPatchDetails
 from vulnerabilities.views import AdvisoryPackagesDetails
 from vulnerabilities.views import ApiUserCreateView
 from vulnerabilities.views import HomePage
@@ -116,6 +117,11 @@ def __init__(self, *args, **kwargs):
         AdvisoryPackagesDetails.as_view(),
         name="advisory_package_details",
     ),
+    path(
+        "advisories/commits/<path:avid>",
+        AdvisoryPackageCommitPatchDetails.as_view(),
+        name="advisory_package_commit_details",
+    ),
     path(
         "advisories/<path:avid>",
         AdvisoryDetails.as_view(),