Merge branch 'aboutcode-org:main' into gentoo-migration

Author: ziadhany

aboutcode/federated/__init__.py

@@ -1028,7 +1028,7 @@ def large_size_configs(cls):
             "mlflow": 16,
             "pub": 16,
             "rpm": 16,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1069,7 +1069,7 @@ def medium_size_configs(cls):
             "mlflow": 8,
             "pub": 8,
             "rpm": 8,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1110,7 +1110,7 @@ def small_size_configs(cls):
             "mlflow": 4,
             "pub": 4,
             "rpm": 4,
-            # Small Ecosystem all use the defaul
+            # Small Ecosystem all use the default
             "default": 1,
         }
         return [
@@ -1181,7 +1181,7 @@ def cluster_preset():
         DataCluster(
             data_kind="security_advisories",
             description="VulnerableCode security advisories for each package version.",
-            datafile_path_template="{/namespace}/{name}/{version}/advisories.json",
+            datafile_path_template="{/namespace}/{name}/{version}/advisories.yml",
             purl_type_configs=[PurlTypeConfig.default_config()],
             data_schema_url="",
             documentation_url="",

aboutcode/federated/tests/test_data/all-presets/foo/aboutcode-federated-config.yml

@@ -933,7 +933,7 @@ data_clusters:
     data_license: CC-BY-4.0
     data_maintainers: []
   - data_kind: security_advisories
-    datafile_path_template: '{/namespace}/{name}/{version}/advisories.json'
+    datafile_path_template: '{/namespace}/{name}/{version}/advisories.yml'
     purl_type_configs:
       - purl_type: default
         number_of_repos: 1

docs/source/conf.py

@@ -40,6 +40,7 @@
     "https://nvd.nist.gov/products/cpe",
     "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
     "http://ftp.suse.com/pub/projects/security/yaml/",
+    r"https://nixos\.wiki/",  # NixOS wiki blocks CI bots with 403
 ]
 
 # Add any Sphinx extension module names here, as strings. They can be

vulnerabilities/improvers/__init__.py

@@ -31,6 +31,7 @@
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
+from vulnerabilities.pipelines.v2_improvers import relate_severities
 from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
 from vulnerabilities.utils import create_registry
 
@@ -72,5 +73,6 @@
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
         collect_ssvc_trees.CollectSSVCPipeline,
+        relate_severities.RelateSeveritiesPipeline,
     ]
 )

vulnerabilities/migrations/0114_advisoryv2_related_advisory_severities.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.2.11 on 2026-02-17 13:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0113_advisoryv2_precedence"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="related_advisory_severities",
+            field=models.ManyToManyField(
+                help_text="Related advisories that are used to calculate the severity of this advisory.",
+                related_name="related_to_advisory_severities",
+                to="vulnerabilities.advisoryv2",
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -2344,13 +2344,14 @@ def save(self, *args, **kwargs):
     @property
     def pipeline_class(self):
         """Return the pipeline class."""
+
         from vulnerabilities.importers import IMPORTERS_REGISTRY
         from vulnerabilities.improvers import IMPROVERS_REGISTRY
+        from vulnerabilities.pipelines.exporters import EXPORTERS_REGISTRY
+
+        pipeline_registry = IMPORTERS_REGISTRY | IMPROVERS_REGISTRY | EXPORTERS_REGISTRY
 
-        if self.pipeline_id in IMPROVERS_REGISTRY:
-            return IMPROVERS_REGISTRY.get(self.pipeline_id)
-        if self.pipeline_id in IMPORTERS_REGISTRY:
-            return IMPORTERS_REGISTRY.get(self.pipeline_id)
+        return pipeline_registry[self.pipeline_id]
 
     @property
     def description(self):
@@ -2997,6 +2998,12 @@ class AdvisoryV2(models.Model):
         help_text="Precedence indicates the priority of advisory from different datasources. It is determined based on the reliability of the datasource and how close it is to the source.",
     )
 
+    related_advisory_severities = models.ManyToManyField(
+        "AdvisoryV2",
+        related_name="related_to_advisory_severities",
+        help_text="Related advisories that are used to calculate the severity of this advisory.",
+    )
+
     @property
     def risk_score(self):
         """

vulnerabilities/pipelines/__init__.py

@@ -141,6 +141,10 @@ def log(self, message, level=logging.INFO):
 class VulnerableCodePipeline(PipelineDefinition, BasePipelineRun):
     pipeline_id = None  # Unique Pipeline ID
 
+    # When set to true pipeline is run only once.
+    # To rerun onetime pipeline reset is_active field to True via migration.
+    run_once = False
+
     def on_failure(self):
         """
         Tasks to run in the event that pipeline execution fails.

vulnerabilities/pipelines/exporters/__init__.py

@@ -0,0 +1,16 @@
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from vulnerabilities.pipelines.exporters import federate_vulnerabilities
+from vulnerabilities.utils import create_registry
+
+EXPORTERS_REGISTRY = create_registry(
+    [
+        federate_vulnerabilities.FederatePackageVulnerabilities,
+    ]
+)