Fix severity and exploit calculation

TG1999 · TG1999 · commit 50ff81c9e6ee · 2026-03-31T00:53:30.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/api_v3.py b/vulnerabilities/api_v3.py
@@ -21,6 +21,7 @@
 
 from vulnerabilities.models import AdvisoryReference
 from vulnerabilities.models import AdvisorySet
+from vulnerabilities.models import AdvisorySetMember
 from vulnerabilities.models import AdvisorySeverity
 from vulnerabilities.models import AdvisoryV2
 from vulnerabilities.models import AdvisoryWeakness
@@ -257,12 +258,26 @@ def get_affected_by_vulnerabilities(self, package):
         is_grouped = AdvisorySet.objects.filter(package=package, relation_type="affecting").exists()
 
         if is_grouped:
-            affected_by_advisories_qs = AdvisorySet.objects.filter(
-                package=package, relation_type="affecting"
-            ).select_related("primary_advisory")
+            affected_by_advisories_qs = (
+                AdvisorySet.objects.filter(package=package, relation_type="affecting")
+                .select_related("primary_advisory")
+                .prefetch_related(
+                    Prefetch(
+                        "members",
+                        queryset=AdvisorySetMember.objects.filter(is_primary=False).select_related(
+                            "advisory"
+                        ),
+                        to_attr="secondary_members",
+                    )
+                )
+            )
 
             affected_groups = [
-                (list(adv.aliases.all()), adv.primary_advisory, "")
+                (
+                    list(adv.aliases.all()),
+                    adv.primary_advisory,
+                    [member.advisory for member in adv.secondary_members],
+                )
                 for adv in affected_by_advisories_qs
             ]
 
@@ -303,12 +318,27 @@ def get_fixing_vulnerabilities(self, package):
         is_grouped = AdvisorySet.objects.filter(package=package, relation_type="fixing").exists()
 
         if is_grouped:
-            fixing_advisories_qs = AdvisorySet.objects.filter(
-                package=package, relation_type="fixing"
-            ).select_related("primary_advisory")
+            fixing_advisories_qs = (
+                AdvisorySet.objects.filter(package=package, relation_type="fixing")
+                .select_related("primary_advisory")
+                .prefetch_related(
+                    Prefetch(
+                        "members",
+                        queryset=AdvisorySetMember.objects.filter(is_primary=False).select_related(
+                            "advisory"
+                        ),
+                        to_attr="secondary_members",
+                    )
+                )
+            )
 
             fixing_groups = [
-                (list(adv.aliases.all()), adv.primary_advisory, "") for adv in fixing_advisories_qs
+                (
+                    list(adv.aliases.all()),
+                    adv.primary_advisory,
+                    [member.advisory for member in adv.secondary_members],
+                )
+                for adv in fixing_advisories_qs
             ]
 
             advisories = get_advisories_from_groups(fixing_groups)
@@ -360,7 +390,9 @@ def return_advisories_data(self, package, advisories_qs, advisories):
                     "exploitability": advisory["exploitability"],
                     "risk_score": advisory["risk_score"],
                     "summary": advisory["advisory"].summary,
-                    "fixed_by_packages": list(set([pkg.purl for pkg in impact.fixed_by_packages.all()])),
+                    "fixed_by_packages": list(
+                        set([pkg.purl for pkg in impact.fixed_by_packages.all()])
+                    ),
                 }
             )
 
diff --git a/vulnerabilities/views.py b/vulnerabilities/views.py
@@ -42,7 +42,6 @@
 from vulnerabilities.models import PipelineRun
 from vulnerabilities.models import PipelineSchedule
 from vulnerabilities.pipelines.v2_importers.epss_importer_v2 import EPSSImporterPipeline
-from vulnerabilities.pipes.group_advisories import delete_and_save_advisory_set
 from vulnerabilities.severity_systems import EPSS
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
 from vulnerabilities.utils import TYPES_WITH_MULTIPLE_IMPORTERS
@@ -266,20 +265,49 @@ def get_context_data(self, **kwargs):
             fixed_pkg_details = get_fixed_package_details(package)
             context["fixed_package_details"] = fixed_pkg_details
 
-            affected_by_advisories_qs = models.AdvisorySet.objects.filter(
-                package=package, relation_type="affecting"
-            ).select_related("primary_advisory")
+            affected_by_advisories_qs = (
+                models.AdvisorySet.objects.filter(package=package, relation_type="affecting")
+                .select_related("primary_advisory")
+                .prefetch_related(
+                    Prefetch(
+                        "members",
+                        queryset=AdvisorySetMember.objects.filter(is_primary=False).select_related(
+                            "advisory"
+                        ),
+                        to_attr="secondary_members",
+                    )
+                )
+            )
 
-            fixing_advisories_qs = models.AdvisorySet.objects.filter(
-                package=package, relation_type="fixing"
-            ).select_related("primary_advisory")
+            fixing_advisories_qs = (
+                models.AdvisorySet.objects.filter(package=package, relation_type="fixing")
+                .select_related("primary_advisory")
+                .prefetch_related(
+                    Prefetch(
+                        "members",
+                        queryset=AdvisorySetMember.objects.filter(is_primary=False).select_related(
+                            "advisory"
+                        ),
+                        to_attr="secondary_members",
+                    )
+                )
+            )
 
             affected_groups = [
-                (list(adv.aliases.all()), adv.primary_advisory, "")
+                (
+                    list(adv.aliases.all()),
+                    adv.primary_advisory,
+                    [a.advisory for a in adv.secondary_members],
+                )
                 for adv in affected_by_advisories_qs
             ]
             fixing_groups = [
-                (list(adv.aliases.all()), adv.primary_advisory, "") for adv in fixing_advisories_qs
+                (
+                    list(adv.aliases.all()),
+                    adv.primary_advisory,
+                    [a.advisory for a in adv.secondary_members],
+                )
+                for adv in fixing_advisories_qs
             ]
 
             affected_advisories = get_advisories_from_groups(affected_groups)
