Add on impacted packages model

TG1999 · TG1999 · commit fef52fe6521c · 2026-05-31T00:29:24.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/api_v3.py b/vulnerabilities/api_v3.py
@@ -450,11 +450,13 @@ def create(self, request, *args, **kwargs):
         max_advisories = serializer.validated_data["max_advisories"]
 
         if not purls:
-            impacted = ImpactedPackageAffecting.objects.filter(package_id=OuterRef("id"))
+            latest_impacts = ImpactedPackageAffecting.objects.filter(
+                package_id=OuterRef("pk"),
+                impacted_package__is_latest=True,
+            )
 
             query = (
-                PackageV2.objects.annotate(has_vuln=Exists(impacted))
-                .filter(has_vuln=True)
+                PackageV2.objects.filter(Exists(latest_impacts))
                 .values_list("package_url", flat=True)
                 .order_by("package_url")
             )
diff --git a/vulnerabilities/migrations/0135_impactedpackage_is_latest.py b/vulnerabilities/migrations/0135_impactedpackage_is_latest.py
@@ -0,0 +1,22 @@
+# Generated by Django 5.2.11 on 2026-05-30 17:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0134_alter_advisoryset_unique_together"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="is_latest",
+            field=models.BooleanField(
+                db_index=True,
+                default=False,
+                help_text="Indicates whether this is the latest impact for the advisory.",
+            ),
+        ),
+    ]
diff --git a/vulnerabilities/migrations/0136_populate_impactedpackage_is_latest.py b/vulnerabilities/migrations/0136_populate_impactedpackage_is_latest.py
@@ -0,0 +1,22 @@
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0135_impactedpackage_is_latest"),
+    ]
+
+
+    def mark_latest_impacted_packages(apps, schema_editor):
+        AdvisoryV2 = apps.get_model("vulnerabilities", "AdvisoryV2")
+        ImpactedPackage = apps.get_model("vulnerabilities", "ImpactedPackage")
+
+        print("\nMarking impacted packages for latest V2 advisories as is_latest=True.")
+        latest_advisory_ids = AdvisoryV2.objects.filter(is_latest=True).values_list("id", flat=True)
+        ImpactedPackage.objects.filter(advisory_id__in=latest_advisory_ids).update(is_latest=True)
+
+
+    operations = [
+        migrations.RunPython(code=mark_latest_impacted_packages, reverse_code=migrations.RunPython.noop),
+    ]
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -2934,53 +2934,63 @@ def latest_for_avids(self, avids):
         return self.filter(avid__in=avids).latest_per_avid()
 
     def latest_affecting_advisories_for_purl(self, purl):
-        adv_ids = ImpactedPackageAffecting.objects.filter(package__package_url=purl).values_list(
-            "impacted_package__advisory_id",
-            flat=True,
-        )
+        adv_ids = ImpactedPackage.objects.filter(
+            affecting_packages__package_url=purl, is_latest=True
+        ).values_list("advisory_id", flat=True)
+
         return self.filter(id__in=Subquery(adv_ids)).latest_per_avid()
 
     def latest_affecting_advisories_for_purls(self, purls):
-        adv_ids = ImpactedPackageAffecting.objects.filter(
-            package__package_url__in=purls
+        adv_ids = ImpactedPackage.objects.filter(
+            affecting_packages__package_url__in=purls, is_latest=True
         ).values_list(
-            "impacted_package__advisory_id",
+            "advisory_id",
             flat=True,
         )
         return self.filter(id__in=Subquery(adv_ids)).latest_per_avid()
 
     def latest_affecting_advisories_for_packages(self, purls):
-        adv_ids = ImpactedPackageAffecting.objects.filter(package__in=purls).values_list(
-            "impacted_package__advisory_id",
+        adv_ids = ImpactedPackage.objects.filter(
+            affecting_packages__package_url__in=purls, is_latest=True
+        ).values_list(
+            "advisory_id",
             flat=True,
         )
         return self.filter(id__in=Subquery(adv_ids)).latest_per_avid()
 
     def latest_fixed_by_advisories_for_purl(self, purl):
-        adv_ids = ImpactedPackageFixedBy.objects.filter(package__package_url=purl).values_list(
-            "impacted_package__advisory_id",
+        adv_ids = ImpactedPackage.objects.filter(
+            fixed_by_packages__package_url=purl, is_latest=True
+        ).values_list(
+            "advisory_id",
             flat=True,
         )
         return self.filter(id__in=Subquery(adv_ids)).latest_per_avid()
 
     def latest_fixed_by_advisories_for_purls(self, purls):
-        adv_ids = ImpactedPackageFixedBy.objects.filter(package__package_url__in=purls).values_list(
-            "impacted_package__advisory_id",
+        adv_ids = ImpactedPackage.objects.filter(
+            fixed_by_packages__package_url__in=purls, is_latest=True
+        ).values_list(
+            "advisory_id",
             flat=True,
         )
 
         return self.filter(id__in=Subquery(adv_ids)).latest_per_avid()
 
     def latest_advisories_for_purls(self, purls):
         adv_ids = (
-            ImpactedPackageAffecting.objects.filter(package__package_url__in=purls)
+            ImpactedPackage.objects.filter(
+                affecting_packages__package_url__in=purls, is_latest=True
+            )
             .values_list(
-                "impacted_package__advisory_id",
+                "advisory_id",
                 flat=True,
             )
             .union(
-                ImpactedPackageFixedBy.objects.filter(package__package_url__in=purls).values_list(
-                    "impacted_package__advisory_id",
+                ImpactedPackage.objects.filter(
+                    fixed_by_packages__package_url__in=purls, is_latest=True
+                ).values_list(
+                    "advisory_id",
                     flat=True,
                 )
             )
@@ -2991,14 +3001,16 @@ def latest_advisories_for_purls(self, purls):
 
     def latest_advisories_for_purl(self, purl):
         adv_ids = (
-            ImpactedPackageAffecting.objects.filter(package__package_url=purl)
+            ImpactedPackage.objects.filter(affecting_packages__package_url=purl, is_latest=True)
             .values_list(
-                "impacted_package__advisory_id",
+                "advisory_id",
                 flat=True,
             )
             .union(
-                ImpactedPackageFixedBy.objects.filter(package__package_url=purl).values_list(
-                    "impacted_package__advisory_id",
+                ImpactedPackage.objects.filter(
+                    fixed_by_packages__package_url=purl, is_latest=True
+                ).values_list(
+                    "advisory_id",
                     flat=True,
                 )
             )
@@ -3352,6 +3364,14 @@ class ImpactedPackage(models.Model):
         help_text="Timestamp of the last successful vers range unfurl.",
     )
 
+    is_latest = models.BooleanField(
+        default=False,
+        blank=False,
+        null=False,
+        db_index=True,
+        help_text="Indicates whether this is the latest impact for the advisory.",
+    )
+
     def to_dict(self):
         from vulnerabilities.utils import purl_to_dict
 
diff --git a/vulnerabilities/pipes/advisory.py b/vulnerabilities/pipes/advisory.py
@@ -374,6 +374,8 @@ def insert_advisory_v2(
     advisory_obj.risk_score = round(risk_score, 1) if risk_score is not None else None
     advisory_obj.save()
 
+    # Set all impacts as is_latest=False for the advisory before creating new impacts with is_latest=True. This ensures that only the impacts related to the latest advisory are marked as latest.
+    ImpactedPackage.objects.filter(advisory__avid=advisory_obj.avid).update(is_latest=False)
     for affected_pkg in advisory.affected_packages:
         impact = ImpactedPackage.objects.create(
             advisory=advisory_obj,
@@ -386,6 +388,7 @@ def insert_advisory_v2(
             fixed_vers=(
                 str(affected_pkg.fixed_version_range) if affected_pkg.fixed_version_range else None
             ),
+            is_latest=True,
         )
         package_affected_purls, package_fixed_purls = get_exact_purls_v2(
             affected_package=affected_pkg,
diff --git a/vulnerabilities/pipes/export.py b/vulnerabilities/pipes/export.py
@@ -25,7 +25,9 @@ def package_prefetched_qs(checkpoint):
         .prefetch_related(
             Prefetch(
                 "affected_in_impacts",
-                queryset=ImpactedPackage.objects.only("advisory_id").prefetch_related(
+                queryset=ImpactedPackage.objects.filter(is_latest=True)
+                .only("advisory_id")
+                .prefetch_related(
                     Prefetch(
                         "advisory",
                         queryset=AdvisoryV2.objects.only("avid"),
@@ -34,7 +36,9 @@ def package_prefetched_qs(checkpoint):
             ),
             Prefetch(
                 "fixed_in_impacts",
-                queryset=ImpactedPackage.objects.only("advisory_id").prefetch_related(
+                queryset=ImpactedPackage.objects.filter(is_latest=True)
+                .only("advisory_id")
+                .prefetch_related(
                     Prefetch(
                         "advisory",
                         queryset=AdvisoryV2.objects.only("avid"),
diff --git a/vulnerabilities/pipes/group_advisories.py b/vulnerabilities/pipes/group_advisories.py
@@ -63,9 +63,7 @@ def delete_and_save_advisory_set(groups, package, relation=None):
     print(f"Successfully saved advisory sets for package: {package.purl}")
 
 
-def group_advisory_for_package(
-    package, logger=None
-):
+def group_advisory_for_package(package, logger=None):
     """
     Group advisories for a given package and save the advisory sets for the package.
     """
