Add risk, severity and exploits

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/api_v3.py

@@ -356,6 +356,9 @@ def return_advisories_data(self, package, advisories_qs, advisories):
                 {
                     "advisory_id": advisory["identifier"],
                     "aliases": [alias.alias for alias in advisory["aliases"]],
+                    "weighted_severity": advisory["weighted_severity"],
+                    "exploitability": advisory["exploitability"],
+                    "risk_score": advisory["risk_score"],
                     "summary": advisory["advisory"].summary,
                     "fixed_by_packages": [pkg.purl for pkg in impact.fixed_by_packages.all()],
                 }

vulnerabilities/templates/package_details_v2.html

@@ -142,6 +142,7 @@
                                     <th style="width: 200px;">Advisory</th>
                                     <th>Summary</th>
                                     <th style="width: 310px;">Fixed in package version</th>
+                                    <th>Risk score</th>
                                 </tr>
                             </thead>
 
@@ -197,6 +198,13 @@
                                             {% endif %}
                                         {% endwith %}
                                     </td>
+                                    <td>
+                                        {% if advisory.risk_score is not None %}
+                                            {{ advisory.risk_score }}
+                                        {% else %}
+                                            {{ "" }}
+                                        {% endif %}
+                                    </td>
                                 </tr>
                                 {% empty %}
                                 <tr>
@@ -258,6 +266,13 @@
                                             {% endif %}
                                         {% endwith %}
                                     </td>
+                                    <td>
+                                        {% if advisory.risk_score is not None %}
+                                            {{ advisory.risk_score }}
+                                        {% else %}
+                                            {{ "" }}
+                                        {% endif %}
+                                    </td>
                                 </tr>
                                 {% empty %}
                                 <tr>

vulnerabilities/utils.py

@@ -960,13 +960,34 @@ def get_advisories_from_groups(groups):
     Return a list of advisories from the merged groups of advisories.
     """
     advisories = []
-    for aliases, primary, _ in groups:
+    weighted_severity = None
+    exploitability = None
+    risk_score = None
+    for aliases, primary, secondaries in groups:
+        severity_scores = []
+        exploitability_scores = []
         identifier = primary.advisory_id.split("/")[-1]
-
         filtered_aliases = [alias for alias in aliases if alias.alias != identifier]
-
+        severity_scores.extend([adv.weighted_severity for adv in secondaries])
+        exploitability_scores.extend([adv.exploitability for adv in secondaries])
+        severity_scores.append(primary.weighted_severity)
+        exploitability_scores.append(primary.exploitability)
+        if severity_scores:
+            weighted_severity = round(max(severity_scores), 1)
+        if exploitability_scores:
+            exploitability = max(exploitability_scores)
+        if exploitability and weighted_severity:
+            risk_score = min(float(exploitability * weighted_severity), 10.0)
+            risk_score = round(risk_score, 1)
         advisories.append(
-            {"aliases": filtered_aliases, "advisory": primary, "identifier": identifier}
+            {
+                "aliases": filtered_aliases,
+                "advisory": primary,
+                "identifier": identifier,
+                "weighted_severity": weighted_severity,
+                "exploitability": exploitability,
+                "risk_score": risk_score,
+            }
         )
 
     return advisories

vulnerabilities/views.py

@@ -218,7 +218,7 @@ def get_context_data(self, **kwargs):
 
         if not package.type in TYPES_WITH_MULTIPLE_IMPORTERS:
             affecting_advisories = AdvisoryV2.objects.latest_affecting_advisories_for_purl(
-            purl=package.purl
+                purl=package.purl
             )
 
             fixed_by_advisories = AdvisoryV2.objects.latest_fixed_by_advisories_for_purl(
@@ -292,7 +292,7 @@ def get_context_data(self, **kwargs):
 
         if package.type in TYPES_WITH_MULTIPLE_IMPORTERS:
             affecting_advisories = AdvisoryV2.objects.latest_affecting_advisories_for_purl(
-            purl=package.purl
+                purl=package.purl
             )
 
             fixed_by_advisories = AdvisoryV2.objects.latest_fixed_by_advisories_for_purl(