Add an api test

Use generate_patch_url function from package url
Add a filters for api ( package-commit-patches, patches )

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/api_v2.py

@@ -347,6 +347,7 @@ class Meta:
             "id",
             "commit_hash",
             "vcs_url",
+            "commit_url",
             "patch_url",
             "introduced_in_advisories",
             "fixed_in_advisories",
@@ -365,7 +366,7 @@ def serialize_impacts(impacts):
         unique_pairs = set()
         for impact in impacts:
             unique_pairs.add((impact.base_purl, impact.advisory.avid))
-        return [{"package": base_purl, "avid": avid} for base_purl, avid in unique_pairs]
+        return [{"purl": base_purl, "avid": avid} for base_purl, avid in unique_pairs]
 
 
 class PatchSerializer(serializers.ModelSerializer):
@@ -376,7 +377,7 @@ class Meta:
         fields = ["id", "patch_url", "in_advisories"]
 
     def get_in_advisories(self, obj):
-        return [{"avid": advisory.avid} for advisory in obj.advisories.all()]
+        return [advisory.avid for advisory in obj.advisories.all()]
 
 
 class PackageV3Serializer(serializers.ModelSerializer):
@@ -935,63 +936,65 @@ def get_queryset(self):
         return queryset
 
 
+class PackageCommitPatchFilter(filters.FilterSet):
+    advisory_avid = filters.CharFilter(method="filter_by_advisory", label="Advisory ID")
+    purl = filters.CharFilter(method="filter_by_purl", label="Purl")
+    commit_hash = filters.CharFilter(lookup_expr="exact", label="Commit Hash")
+    vcs_url = filters.CharFilter(lookup_expr="icontains", label="VCS URL")
+
+    class Meta:
+        model = PackageCommitPatch
+        fields = ["id", "advisory_avid", "purl", "commit_hash", "vcs_url"]
+
+    def filter_by_advisory(self, queryset, name, value):
+        return queryset.filter(
+            Q(introduced_in_impacts__advisory__avid=value)
+            | Q(fixed_in_impacts__advisory__avid=value)
+        ).distinct()
+
+    def filter_by_purl(self, queryset, name, value):
+        return queryset.filter(
+            Q(introduced_in_impacts__base_purl__icontains=value)
+            | Q(fixed_in_impacts__base_purl__icontains=value)
+        ).distinct()
+
+
 class PackageCommitPatchViewSet(viewsets.ReadOnlyModelViewSet):
     """
-    API endpoint that allows viewing PackageCommitPatch entries.
+    API endpoint that allows viewing PackageCommitPatch entries
     """
 
     serializer_class = PackageCommitPatchSerializer
     throttle_classes = [AnonRateThrottle, PermissionBasedUserRateThrottle]
+    filter_backends = [filters.DjangoFilterBackend]
+    filterset_class = PackageCommitPatchFilter
 
     def get_queryset(self):
-        queryset = PackageCommitPatch.objects.prefetch_related(
+        return PackageCommitPatch.objects.prefetch_related(
             "introduced_in_impacts__advisory", "fixed_in_impacts__advisory"
-        )
+        ).order_by("id")
 
-        pk = self.request.query_params.get("id")
-        if pk:
-            queryset = queryset.filter(id=pk)
 
-        advisory_id = self.request.query_params.get("advisory_id")
-        if advisory_id:
-            queryset = queryset.filter(
-                Q(introduced_in_impacts__advisory__avid=advisory_id)
-                | Q(fixed_in_impacts__advisory__avid=advisory_id)
-            ).distinct()
+class PatchFilter(filters.FilterSet):
+    advisory_avid = filters.CharFilter(field_name="advisories__avid", label="Advisory ID")
 
-        purl = self.request.query_params.get("purl")
-        if purl:
-            queryset = queryset.filter(
-                Q(introduced_in_impacts__base_purl__icontains=purl)
-                | Q(fixed_in_impacts__base_purl__icontains=purl)
-            ).distinct()
-
-        return queryset.order_by("id")
+    class Meta:
+        model = Patch
+        fields = ["id", "advisory_avid"]
 
 
 class PatchViewSet(viewsets.ReadOnlyModelViewSet):
     """
-    API endpoint that allows viewing PackageCommitPatch entries.
+    API endpoint that allows viewing Patch entries
     """
 
     serializer_class = PatchSerializer
     throttle_classes = [AnonRateThrottle, PermissionBasedUserRateThrottle]
+    filter_backends = [filters.DjangoFilterBackend]
+    filterset_class = PatchFilter
 
     def get_queryset(self):
-        queryset = Patch.objects.all()
-
-        pk = self.request.query_params.get("id")
-        if pk:
-            queryset = queryset.filter(id=pk)
-
-        advisory_id = self.request.query_params.get("advisory_id")
-        if advisory_id:
-            queryset = queryset.filter(advisory__advisory_id=advisory_id).distinct()
-
-        purl = self.request.query_params.get("purl")
-        if purl:
-            queryset = queryset.filter(package__package_url__icontains=purl).distinct()
-        return queryset
+        return Patch.objects.all()
 
 
 class CodeFixV2ViewSet(viewsets.ReadOnlyModelViewSet):

vulnerabilities/tests/test_api_v2.py

@@ -23,8 +23,11 @@
 from vulnerabilities.models import Alias
 from vulnerabilities.models import ApiUser
 from vulnerabilities.models import CodeFixV2
+from vulnerabilities.models import ImpactedPackage
 from vulnerabilities.models import Package
+from vulnerabilities.models import PackageCommitPatch
 from vulnerabilities.models import PackageV2
+from vulnerabilities.models import Patch
 from vulnerabilities.models import PipelineRun
 from vulnerabilities.models import PipelineSchedule
 from vulnerabilities.models import Vulnerability
@@ -905,3 +908,154 @@ def test_get_all_vulnerable_purls(self):
             response = self.client.get(url)
         assert response.status_code == 200
         assert "pkg:pypi/sample@1.0.0" in response.data
+
+
+class PackageCommitPatchList(APITestCase):
+    def setUp(self):
+        self.advisory = AdvisoryV2.objects.create(
+            datasource_id="test_source",
+            advisory_id="TEST-2025-001",
+            avid="test_source/TEST-2025-001",
+            unique_content_id="a" * 64,
+            url="https://example.com/advisory",
+            date_collected="2025-07-01T00:00:00Z",
+        )
+
+        self.affected_package = PackageV2.objects.from_purl(purl="pkg:github/torvalds/linux@1.0.0")
+        self.fixed_package = PackageV2.objects.from_purl(purl="pkg:github/torvalds/linux@1.0.1")
+
+        self.pkg_commit_patch1 = PackageCommitPatch.objects.create(
+            commit_hash="2e1c42391ff2556387b3cb6308b24f6f65619feb",
+            vcs_url="https://github.com/torvalds/linux",
+            patch_text="From 2e1c42391ff2556387b3cb6308b24f6f65619feb Mon Sep 17 00:00:00 2001...",
+        )
+
+        self.pkg_commit_patch2 = PackageCommitPatch.objects.create(
+            commit_hash="99253eb750fda6a644d5188fb26c43bad8d5a745",
+            vcs_url="https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+            patch_text="From 99253eb750fda6a644d5188fb26c43bad8d5a745 Mon Sep 17 00:00:00 2001...",
+        )
+
+        self.pkg_commit_patch3 = PackageCommitPatch.objects.create(
+            commit_hash="f043bfc98c193c284e2cd768fefabe18ac2fed9b",
+            vcs_url="https://github.com/torvalds/linux",
+            patch_text="From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001...",
+        )
+
+        self.impacted_package1 = ImpactedPackage.objects.create(
+            base_purl="pkg:github/torvalds/linux",
+            advisory=self.advisory,
+        )
+
+        self.impacted_package2 = ImpactedPackage.objects.create(
+            base_purl="pkg:generic/git.kernel.org/pub/scm/linux/kernel",
+            advisory=self.advisory,
+        )
+
+        self.impacted_package1.fixed_by_package_commit_patches.add(self.pkg_commit_patch1)
+        self.impacted_package1.introduced_by_package_commit_patches.add(self.pkg_commit_patch3)
+        self.impacted_package2.fixed_by_package_commit_patches.add(self.pkg_commit_patch2)
+
+        self.user = ApiUser.objects.create_api_user(username="e@mail.com")
+        self.auth = f"Token {self.user.auth_token.key}"
+        self.client = APIClient(enforce_csrf_checks=True)
+        self.client.credentials(HTTP_AUTHORIZATION=self.auth)
+        self.url = reverse("package-commit-patch-list")
+
+    def test_package_commit_patches_list(self):
+        response = self.client.get(self.url)
+        assert response.status_code == 200
+        results = response.json().get("results", response.json())
+        assert len(results) == 3
+        patch_data = results[0]
+        assert patch_data["vcs_url"] == self.pkg_commit_patch1.vcs_url
+        assert patch_data["commit_hash"] == self.pkg_commit_patch1.commit_hash
+        assert patch_data["fixed_in_advisories"] == [
+            {"avid": self.advisory.avid, "purl": self.impacted_package1.base_purl}
+        ]
+        assert patch_data["introduced_in_advisories"] == []
+
+    def test_filter_by_commit_hash(self):
+        response = self.client.get(f"{self.url}?commit_hash={self.pkg_commit_patch1.commit_hash}")
+        results = response.json().get("results", response.json())
+        assert len(results) == 1
+
+        response = self.client.get(f"{self.url}?commit_hash=test")
+        results = response.json().get("results", response.json())
+        assert len(results) == 0
+
+    def test_filter_by_vcs_url(self):
+        response = self.client.get(f"{self.url}?vcs_url={self.pkg_commit_patch1.vcs_url}")
+        results = response.json().get("results", response.json())
+        assert len(results) == 2
+
+        response = self.client.get(f"{self.url}?vcs_url=test")
+        results = response.json().get("results", response.json())
+        assert len(results) == 0
+
+    def test_filter_by_advisory_avid(self):
+        response = self.client.get(f"{self.url}?advisory_avid={self.advisory.avid}")
+        results = response.json().get("results", response.json())
+        assert len(results) == 3
+
+        response = self.client.get(f"{self.url}?advisory_avid=test_source/DOES-NOT-EXIST")
+        results = response.json().get("results", response.json())
+        assert len(results) == 0
+
+    def test_filter_by_purl(self):
+        response = self.client.get(f"{self.url}?purl=pkg:github/torvalds/linux")
+        results = response.json().get("results", response.json())
+        assert len(results) == 2
+        assert any(r["id"] == self.pkg_commit_patch1.id for r in results)
+
+        response = self.client.get(f"{self.url}?purl=pkg:github/aboutcode-org")
+        results = response.json().get("results", response.json())
+        assert len(results) == 0
+
+    def test_filter_by_id(self):
+        response = self.client.get(f"{self.url}?id={self.pkg_commit_patch1.id}")
+        results = response.json().get("results", response.json())
+        assert len(results) == 1
+        assert results[0]["id"] == self.pkg_commit_patch1.id
+
+        response = self.client.get(f"{self.url}?id=51646849")
+        results = response.json().get("results", response.json())
+        assert len(results) == 0
+
+
+class PatchList(APITestCase):
+    def setUp(self):
+        self.advisory = AdvisoryV2.objects.create(
+            datasource_id="test_source",
+            advisory_id="TEST-2025-001",
+            avid="test_source/TEST-2025-001",
+            unique_content_id="a" * 64,
+            url="https://example.com/advisory",
+            date_collected="2025-07-01T00:00:00Z",
+        )
+
+        self.patch = Patch.objects.create(
+            patch_url="https://lore.kernel.org/patchwork/patch/1086060/", patch_text="some text"
+        )
+
+        self.advisory.patches.add(self.patch)
+
+        self.user = ApiUser.objects.create_api_user(username="e@mail.com")
+        self.auth = f"Token {self.user.auth_token.key}"
+        self.client = APIClient(enforce_csrf_checks=True)
+        self.client.credentials(HTTP_AUTHORIZATION=self.auth)
+        self.url = reverse("patches-list")
+
+    def test_patch_list(self):
+        response = self.client.get(self.url)
+        assert response.status_code == 200
+        results = response.json().get("results", response.json())
+        assert len(results) == 1
+        assert results[0]["patch_url"] == self.patch.patch_url
+        assert results == [
+            {
+                "id": 1,
+                "patch_url": "https://lore.kernel.org/patchwork/patch/1086060/",
+                "in_advisories": ["test_source/TEST-2025-001"],
+            }
+        ]

vulnerabilities/utils.py

@@ -34,6 +34,7 @@
 from cwe2.database import Database
 from cwe2.database import InvalidCWEError
 from packageurl import PackageURL
+from packageurl.contrib import purl2url
 from packageurl.contrib.django.utils import without_empty_values
 from packageurl.contrib.purl2url import purl2url
 from packageurl.contrib.url2purl import url2purl
@@ -914,33 +915,35 @@ def generate_commit_url(vcs_url, commit_hash):
     if not purl:
         return
 
-    base_purl = get_core_purl(str(purl))
-    purl_with_version = PackageURL(
-        type=base_purl.type, namespace=base_purl.namespace, name=base_purl.name, version=commit_hash
+    new_purl = PackageURL(
+        type=purl.type,
+        namespace=purl.namespace,
+        name=purl.name,
+        version=commit_hash,
+        qualifiers=purl.qualifiers,
     )
-    commit_url = purl2url(str(purl_with_version))
-    return commit_url
+
+    return purl2url.get_commit_url(str(new_purl))
 
 
 def generate_patch_url(vcs_url, commit_hash):
     """
     Generate patch URL from VCS URL and commit hash.
     """
+
     if not vcs_url or not commit_hash:
-        return None
+        return
+
+    purl = url2purl(vcs_url)
+    if not purl:
+        return
+
+    new_purl = PackageURL(
+        type=purl.type,
+        namespace=purl.namespace,
+        name=purl.name,
+        version=commit_hash,
+        qualifiers=purl.qualifiers,
+    )
 
-    vcs_url = vcs_url.rstrip("/")
-
-    if vcs_url.startswith("https://github.com"):
-        return f"{vcs_url}/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://gitlab.com"):
-        return f"{vcs_url}/-/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://bitbucket.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}/raw"
-    elif vcs_url.startswith("https://codeberg.org"):
-        return f"{vcs_url}/-/commit/{commit_hash}.patch"
-    elif vcs_url.startswith("https://android.googlesource.com"):
-        return f"{vcs_url}/+/{commit_hash}%5E%21?format=TEXT"
-    elif vcs_url.startswith("https://git.kernel.org"):
-        return f"{vcs_url}/patch/?id={commit_hash}"
-    return
+    return purl2url.get_patch_url(str(new_purl))

vulnerablecode/urls.py

@@ -75,7 +75,7 @@ def __init__(self, *args, **kwargs):
 api_v3_router.register("packages", PackageV3ViewSet, basename="package-v3")
 
 api_v3_router.register(
-    "package_commit_patches", PackageCommitPatchViewSet, basename="package_commit_patch"
+    "package-commit-patches", PackageCommitPatchViewSet, basename="package-commit-patch"
 )
 api_v3_router.register("patches", PatchViewSet, basename="patches")