Adjust API and UI for new grouping

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/api_v3.py

@@ -20,13 +20,16 @@
 from rest_framework.throttling import AnonRateThrottle
 
 from vulnerabilities.models import AdvisoryReference
+from vulnerabilities.models import AdvisorySet
 from vulnerabilities.models import AdvisorySeverity
 from vulnerabilities.models import AdvisoryV2
 from vulnerabilities.models import AdvisoryWeakness
 from vulnerabilities.models import ImpactedPackageAffecting
 from vulnerabilities.models import PackageV2
 from vulnerabilities.throttling import PermissionBasedUserRateThrottle
-from vulnerabilities.utils import group_advisories_by_content
+from vulnerabilities.utils import TYPES_WITH_MULTIPLE_IMPORTERS
+from vulnerabilities.utils import get_advisories_from_groups
+from vulnerabilities.utils import merge_and_save_grouped_advisories
 
 
 class PackageQuerySerializer(serializers.Serializer):
@@ -210,6 +213,32 @@ def get_affected_by_vulnerabilities(self, package):
         """Return a dictionary with advisory as keys and their details, including fixed_by_packages."""
         advisories_qs = AdvisoryV2.objects.latest_affecting_advisories_for_purl(package.package_url)
 
+        advisories = []
+
+        is_grouped = AdvisorySet.objects.filter(package=package, relation_type="affecting").exists()
+
+        if is_grouped:
+            affected_by_advisories_qs = AdvisorySet.objects.filter(
+                package=package, relation_type="affecting"
+            ).select_related("primary_advisory")
+
+            affected_groups = [
+                (list(adv.aliases.all()), adv.primary_advisory, "")
+                for adv in affected_by_advisories_qs
+            ]
+
+            advisories = get_advisories_from_groups(affected_groups)
+            return self.return_advisories_data(package, advisories_qs, advisories)
+
+        if package.type in TYPES_WITH_MULTIPLE_IMPORTERS:
+            advisories_qs = advisories_qs.prefetch_related(
+                "aliases",
+                "impacted_packages__affecting_packages",
+                "impacted_packages__fixed_by_packages",
+            )
+            advisories = merge_and_save_grouped_advisories(package, advisories_qs, "affecting")
+            return self.return_advisories_data(package, advisories_qs, advisories)
+
         advisories_ids = advisories_qs.only("id")
 
         advisories_ids = list(advisories_ids[:101])
@@ -227,20 +256,19 @@ def get_affected_by_vulnerabilities(self, package):
 
         impact_by_avid = {impact.advisory.avid: impact for impact in impacts}
 
-        grouped = group_advisories_by_content(advisories_qs)
-
         result = []
-        for entry in grouped.values():
-            primary = entry["primary"]
-            impact = impact_by_avid.get(primary.avid)
+
+        for advisory in advisories_qs:
+            impact = impact_by_avid.get(advisory.avid)
             if not impact:
                 continue
 
             result.append(
                 {
-                    "advisory_id": primary.avid,
+                    "advisory_id": advisory.advisory_id.split("/")[-1],
+                    "aliases": [alias.alias for alias in advisory.aliases.all()],
+                    "summary": advisory.summary,
                     "fixed_by_packages": [pkg.purl for pkg in impact.fixed_by_packages.all()],
-                    "duplicate_advisory_ids": [a.avid for a in entry["secondary"]],
                 }
             )
 
@@ -249,21 +277,82 @@ def get_affected_by_vulnerabilities(self, package):
     def get_fixing_vulnerabilities(self, package):
         advisories_qs = AdvisoryV2.objects.latest_fixed_by_advisories_for_purl(package.package_url)
 
+        advisories = []
+
+        is_grouped = AdvisorySet.objects.filter(package=package, relation_type="fixing").exists()
+
+        if is_grouped:
+            fixing_advisories_qs = AdvisorySet.objects.filter(
+                package=package, relation_type="fixing"
+            ).select_related("primary_advisory")
+
+            fixing_groups = [
+                (list(adv.aliases.all()), adv.primary_advisory, "") for adv in fixing_advisories_qs
+            ]
+
+            advisories = get_advisories_from_groups(fixing_groups)
+            return self.return_fixing_advisories_data(advisories)
+
+        if package.type in TYPES_WITH_MULTIPLE_IMPORTERS:
+            advisories_qs = advisories_qs.prefetch_related(
+                "aliases",
+                "impacted_packages__affecting_packages",
+                "impacted_packages__fixed_by_packages",
+            )
+            advisories = merge_and_save_grouped_advisories(package, advisories_qs, "fixing")
+            return self.return_fixing_advisories_data(advisories)
+
         advisories_ids = advisories_qs.only("id")
 
         advisories_ids = list(advisories_ids[:101])
         if len(advisories_ids) > 100:
             return None
 
-        grouped = group_advisories_by_content(advisories_qs)
+        results = []
 
+        for advisory in advisories_qs:
+            results.append(
+                {
+                    "advisory_id": advisory.advisory_id.split("/")[-1],
+                }
+            )
+        return results
+
+    def return_fixing_advisories_data(self, advisories):
         result = []
-        for entry in grouped.values():
-            primary = entry["primary"]
+        for advisory in advisories:
             result.append(
                 {
-                    "advisory_id": primary.avid,
-                    "duplicate_advisory_ids": [a.avid for a in entry["secondary"]],
+                    "advisory_id": advisory["identifier"],
+                }
+            )
+
+        return result
+
+    def return_advisories_data(self, package, advisories_qs, advisories):
+        advisory_by_avid = {adv.avid: adv for adv in advisories_qs}
+        avids = advisory_by_avid.keys()
+
+        impacts = (
+            package.affected_in_impacts.filter(advisory__avid__in=avids)
+            .select_related("advisory")
+            .prefetch_related("fixed_by_packages")
+        )
+
+        impact_by_avid = {impact.advisory.avid: impact for impact in impacts}
+
+        result = []
+        for advisory in advisories:
+            impact = impact_by_avid.get(advisory["advisory"].avid)
+            if not impact:
+                continue
+
+            result.append(
+                {
+                    "advisory_id": advisory["identifier"],
+                    "aliases": [alias.alias for alias in advisory["aliases"]],
+                    "summary": advisory["advisory"].summary,
+                    "fixed_by_packages": [pkg.purl for pkg in impact.fixed_by_packages.all()],
                 }
             )
 

vulnerabilities/improvers/__init__.py

@@ -20,7 +20,6 @@
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
 from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees
-from vulnerabilities.pipelines.v2_improvers import compute_advisory_content_hash
 from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
 from vulnerabilities.pipelines.v2_improvers import (
@@ -76,7 +75,6 @@
         compute_advisory_todo.ComputeToDo,
         collect_ssvc_trees.CollectSSVCPipeline,
         relate_severities.RelateSeveritiesPipeline,
-        compute_advisory_content_hash.ComputeAdvisoryContentHash,
         group_advisories_for_packages.GroupAdvisoriesForPackages,
     ]
 )

vulnerabilities/migrations/0119_remove_advisoryset_identifiers_and_more.py

@@ -0,0 +1,30 @@
+# Generated by Django 5.2.11 on 2026-03-30 08:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0118_advisoryset_advisorysetmember"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="advisoryset",
+            name="identifiers",
+        ),
+        migrations.RemoveField(
+            model_name="advisoryv2",
+            name="advisory_content_hash",
+        ),
+        migrations.AddField(
+            model_name="advisoryset",
+            name="aliases",
+            field=models.ManyToManyField(
+                help_text="A list of serializable Alias objects",
+                related_name="advisory_sets",
+                to="vulnerabilities.advisoryalias",
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -2949,7 +2949,11 @@ class AdvisorySet(models.Model):
     package = models.ForeignKey("PackageV2", on_delete=models.CASCADE)
     relation_type = models.CharField(max_length=20, choices=RELATION_TYPE_CHOICES)
 
-    identifiers = models.JSONField()
+    aliases = models.ManyToManyField(
+        AdvisoryAlias,
+        related_name="advisory_sets",
+        help_text="A list of serializable Alias objects",
+    )
 
     primary_advisory = models.ForeignKey("AdvisoryV2", on_delete=models.PROTECT)
 
@@ -3101,13 +3105,6 @@ class AdvisoryV2(models.Model):
         help_text="Related advisories that are used to calculate the severity of this advisory.",
     )
 
-    advisory_content_hash = models.CharField(
-        max_length=64,
-        blank=True,
-        null=True,
-        help_text="A unique hash computed from the content of the advisory used to identify advisories with the same content.",
-    )
-
     risk_score = models.DecimalField(
         null=True,
         blank=True,
@@ -3311,7 +3308,7 @@ def search(self, query: str = None):
         except ValueError:
             # otherwise use query as a plain string
             qs = qs.filter(package_url__icontains=query)
-        return qs.order_by("package_url")
+        return qs.order_by("package_url").order_by("-version_rank")
 
     def with_vulnerability_counts(self):
         return self.annotate(

vulnerabilities/pipelines/v2_importers/github_osv_importer.py

@@ -31,7 +31,7 @@ class GithubOSVImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://github.com/github/advisory-database/blob/main/LICENSE.md"
     repo_url = "git+https://github.com/github/advisory-database/"
 
-    precedence = 100
+    precedence = 200
 
     @classmethod
     def steps(cls):

vulnerabilities/pipelines/v2_importers/pypa_importer.py

@@ -29,7 +29,7 @@ class PyPaImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     spdx_license_expression = "CC-BY-4.0"
     license_url = "https://github.com/pypa/advisory-database/blob/main/LICENSE"
     repo_url = "git+https://github.com/pypa/advisory-database"
-    precedence = 200
+    precedence = 500
 
     @classmethod
     def steps(cls):

vulnerabilities/pipelines/v2_importers/pysec_importer.py

@@ -29,7 +29,7 @@ class PyPIImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://github.com/pypa/advisory-database/blob/main/LICENSE"
     url = "https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip"
     spdx_license_expression = "CC-BY-4.0"
-    precedence = 100
+    precedence = 300
 
     @classmethod
     def steps(cls):