Fasten up version range unfurling

TG1999 · TG1999 · commit c94a82f04773 · 2026-05-30T18:24:05.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/pipelines/v2_improvers/unfurl_version_range.py b/vulnerabilities/pipelines/v2_improvers/unfurl_version_range.py
@@ -29,6 +29,8 @@
 from vulnerabilities.pipes.fetchcode_utils import get_versions
 from vulnerabilities.pipes.group_advisories import group_advisory_for_package
 from vulnerabilities.pipes.risk_score import compute_package_risk_score
+from vulnerabilities.pipes.risk_score import compute_package_risk_score_bulk
+from vulnerabilities.utils import TYPES_WITH_MULTIPLE_IMPORTERS
 from vulnerabilities.utils import update_purl_version
 
 
@@ -164,7 +166,9 @@ def get_purl_versions(purl, cached_versions, logger):
 
 @transaction.atomic
 def bulk_create_with_m2m(purls, impact, relation, logger):
-    """Bulk create PackageV2 and also bulk populate M2M Impact and Package relationships."""
+    """Bulk create PackageV2 and also bulk populate M2M Impact and Package relationships.
+    This function assumes same base purl is used for all versions in ``purls`` list.
+    """
     if not purls:
         return 0
 
@@ -173,6 +177,31 @@ def bulk_create_with_m2m(purls, impact, relation, logger):
     if not affected_packages_v2.exists():
         return 0
 
+    affected_packages_v2.first().calculate_version_rank
+
+    if affected_packages_v2.first().type in TYPES_WITH_MULTIPLE_IMPORTERS:
+        relations = group_advisories_for_package_with_lock(
+            impact, affected_packages_v2, relation, logger
+        )
+
+    else:
+        relations = [
+            relation(impacted_package=impact, package=package) for package in affected_packages_v2
+        ]
+
+        try:
+            relation.objects.bulk_create(relations, ignore_conflicts=True)
+        except Exception as e:
+            logger(f"Error creating ImpactedPackage {relation}: {e!r} \n {traceback_format_exc()}")
+            return 0
+
+    compute_package_risk_score_bulk(affected_packages_v2)
+
+    return len(relations)
+
+
+@transaction.atomic
+def group_advisories_for_package_with_lock(impact, affected_packages_v2, relation, logger):
     affected_packages_v2 = sorted(
         affected_packages_v2,
         key=lambda p: p.purl,
@@ -214,14 +243,7 @@ def bulk_create_with_m2m(purls, impact, relation, logger):
             logger=logger,
         )
 
-        risk_score = compute_package_risk_score(pkg)
-
-        logger(f"Computed risk score {risk_score} " f"for package {pkg.purl}")
-
-        pkg.risk_score = risk_score
-        pkg.save()
-
-    return len(relations)
+    return relations
 
 
 def impacted_package_qs(cutoff_day=2):
