Add ImpactedPackage model to track AffectedPackageV2 data

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/migrations/0100_remove_advisoryv2_affecting_packages_and_more.py

@@ -0,0 +1,87 @@
+# Generated by Django 4.2.22 on 2025-07-18 16:52
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0099_advisoryv2_original_advisory_text"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="advisoryv2",
+            name="affecting_packages",
+        ),
+        migrations.RemoveField(
+            model_name="advisoryv2",
+            name="fixed_by_packages",
+        ),
+        migrations.CreateModel(
+            name="ImpactedPackage",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "base_purl",
+                    models.CharField(
+                        blank=True,
+                        help_text="Version less PURL related to impacted range.",
+                        max_length=500,
+                    ),
+                ),
+                (
+                    "affecting_vers",
+                    models.CharField(
+                        blank=True,
+                        help_text="VersionRange expression for package vulnerable to this impact.",
+                        max_length=500,
+                    ),
+                ),
+                (
+                    "fixed_vers",
+                    models.CharField(
+                        blank=True,
+                        help_text="VersionRange expression for packages fixing the vulnerable package in this impact.",
+                        max_length=500,
+                    ),
+                ),
+                (
+                    "advisory",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="impacted_packages",
+                        to="vulnerabilities.advisoryv2",
+                    ),
+                ),
+                (
+                    "affecting_packages",
+                    models.ManyToManyField(
+                        help_text="Packages vulnerable to this impact.",
+                        related_name="affected_in_impacts",
+                        to="vulnerabilities.packagev2",
+                    ),
+                ),
+                (
+                    "fixed_by_packages",
+                    models.ManyToManyField(
+                        help_text="Packages vulnerable to this impact.",
+                        related_name="fixed_in_impacts",
+                        to="vulnerabilities.packagev2",
+                    ),
+                ),
+            ],
+            options={
+                "indexes": [
+                    models.Index(fields=["affecting_vers"], name="vulnerabili_affecti_0092a7_idx"),
+                    models.Index(fields=["fixed_vers"], name="vulnerabili_fixed_v_0fda9f_idx"),
+                ],
+            },
+        ),
+    ]

vulnerabilities/models.py

@@ -2750,18 +2750,6 @@ class AdvisoryV2(models.Model):
         help_text="Raw advisory data as collected from the upstream datasource.",
     )
 
-    affecting_packages = models.ManyToManyField(
-        "PackageV2",
-        related_name="affected_by_advisories",
-        help_text="A list of packages that are affected by this advisory.",
-    )
-
-    fixed_by_packages = models.ManyToManyField(
-        "PackageV2",
-        related_name="fixing_advisories",
-        help_text="A list of packages that are reported by this advisory.",
-    )
-
     status = models.IntegerField(
         choices=AdvisoryStatusType.choices, default=AdvisoryStatusType.PUBLISHED
     )
@@ -2816,18 +2804,17 @@ def get_absolute_url(self):
         """
         return reverse("advisory_details", args=[self.avid])
 
-    def to_advisory_data(self) -> "AdvisoryDataV2":
-        from vulnerabilities.importer import AdvisoryDataV2
-        from vulnerabilities.importer import AffectedPackage
+    def to_advisory_data(self) -> "AdvisoryData":
+        from vulnerabilities.importer import AdvisoryData
         from vulnerabilities.importer import ReferenceV2
 
-        return AdvisoryDataV2(
+        return AdvisoryData(
             aliases=[item.alias for item in self.aliases.all()],
             summary=self.summary,
             affected_packages=[
-                AffectedPackage.from_dict(pkg) for pkg in self.affected_packages if pkg
+                impacted.to_affected_package() for impacted in self.impacted_packages.all()
             ],
-            references=[ReferenceV2.from_dict(ref) for ref in self.references],
+            references_v2=[ReferenceV2.from_dict(ref) for ref in self.references],
             date_published=self.date_published,
             weaknesses=self.weaknesses,
             severities=self.severities,
@@ -2841,66 +2828,69 @@ def get_aliases(self):
         """
         return self.aliases.all()
 
-    def aggregate_fixed_and_affected_packages(self):
-        from vulnerabilities.utils import get_purl_version_class
-
-        sorted_fixed_by_packages = self.fixed_by_packages.filter(is_ghost=False).order_by(
-            "type", "namespace", "name", "qualifiers", "subpath"
-        )
-
-        if sorted_fixed_by_packages:
-            sorted_fixed_by_packages.first().calculate_version_rank
+    alias = get_aliases
 
-        sorted_affected_packages = self.affecting_packages.all()
 
-        if sorted_affected_packages:
-            sorted_affected_packages.first().calculate_version_rank
+class ImpactedPackage(models.Model):
+    """
+    Represents a single impact for an advisory, including affected range and fixed version and
+    associated package relations.
+    """
 
-        grouped_fixed_by_packages = {
-            key: list(group)
-            for key, group in groupby(
-                sorted_fixed_by_packages,
-                key=attrgetter("type", "namespace", "name", "qualifiers", "subpath"),
-            )
-        }
+    advisory = models.ForeignKey(
+        AdvisoryV2,
+        related_name="impacted_packages",
+        on_delete=models.CASCADE,
+    )
 
-        all_affected_fixed_by_matches = []
+    base_purl = models.CharField(
+        max_length=500,
+        blank=True,
+        help_text="Version less PURL related to impacted range.",
+    )
 
-        for sorted_affected_package in sorted_affected_packages:
-            affected_fixed_by_matches = {
-                "affected_package": sorted_affected_package,
-                "matched_fixed_by_packages": [],
-            }
+    affecting_vers = models.CharField(
+        max_length=500,
+        blank=True,
+        help_text="VersionRange expression for package vulnerable to this impact.",
+    )
 
-            # Build the key to find matching group
-            key = (
-                sorted_affected_package.type,
-                sorted_affected_package.namespace,
-                sorted_affected_package.name,
-                sorted_affected_package.qualifiers,
-                sorted_affected_package.subpath,
-            )
+    fixed_vers = models.CharField(
+        max_length=500,
+        blank=True,
+        help_text="VersionRange expression for packages fixing the vulnerable package in this impact.",
+    )
 
-            # Get matching group from pre-grouped fixed_by_packages
-            matching_fixed_packages = grouped_fixed_by_packages.get(key, [])
+    affecting_packages = models.ManyToManyField(
+        "PackageV2",
+        related_name="affected_in_impacts",
+        help_text="Packages vulnerable to this impact.",
+    )
 
-            # Get version classes for comparison
-            affected_version_class = get_purl_version_class(sorted_affected_package)
-            affected_version = affected_version_class(sorted_affected_package.version)
+    fixed_by_packages = models.ManyToManyField(
+        "PackageV2",
+        related_name="fixed_in_impacts",
+        help_text="Packages vulnerable to this impact.",
+    )
 
-            # Compare versions and filter valid matches
-            matched_fixed_by_packages = [
-                fixed_by_package.purl
-                for fixed_by_package in matching_fixed_packages
-                if get_purl_version_class(fixed_by_package)(fixed_by_package.version)
-                > affected_version
-            ]
+    class Meta:
+        indexes = [
+            models.Index(fields=["affecting_vers"]),
+            models.Index(fields=["fixed_vers"]),
+        ]
 
-            affected_fixed_by_matches["matched_fixed_by_packages"] = matched_fixed_by_packages
-            all_affected_fixed_by_matches.append(affected_fixed_by_matches)
-        return sorted_fixed_by_packages, sorted_affected_packages, all_affected_fixed_by_matches
+    def to_affected_package(self):
+        """Return `AffectedPackageV2` data from the impact."""
+        from vulnerabilities.importer import AffectedPackageV2
+        from vulnerabilities.utils import purl_to_dict
 
-    alias = get_aliases
+        return AffectedPackageV2.from_dict(
+            affected_pkg={
+                "package": purl_to_dict(self.base_purl),
+                "affected_version_range": self.affecting_vers,
+                "fixed_version_range": self.fixed_vers,
+            }
+        )
 
 
 class ToDoRelatedAdvisory(models.Model):