pFad - Phone/Frame/Anonymizer/Declutterfier! Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

URL: http://github.com/aboutcode-org/vulnerablecode/commit/c354ac069166370493320d25f06d3bf6ace762f9

s" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-9c8f61f9f58ad7b2.css" /> Merge pull request #2276 from aboutcode-org/refactor-todo-v2 · aboutcode-org/vulnerablecode@c354ac0 · GitHub
Skip to content

Commit c354ac0

Browse files
keshav-spacekeshav-space
authored
Merge pull request #2276 from aboutcode-org/refactor-todo-v2
feat: detect advisory conflicts at package alias intersections and compute partially curated advisories
2 parents b1f4a68 + 7632915 commit c354ac0

19 files changed

Lines changed: 1247 additions & 310 deletions

setup.cfg

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -98,10 +98,12 @@ install_requires =
9898
django-rq==2.10.1
9999
rq-scheduler==0.13.1
100100

101+
# redhat pipeline
102+
extractcode[full]==31.0.0
103+
101104
#vulntotal
102105
python-dotenv==0.20.0
103106
texttable==1.6.4
104-
extractcode[full]==31.0.0
105107

106108
#hashid
107109
uritemplate==4.2.0

vulnerabilities/importers/__init__.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@
3232
from vulnerabilities.importers import ubuntu_usn
3333
from vulnerabilities.importers import vulnrichment
3434
from vulnerabilities.importers import xen
35+
from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
3536
from vulnerabilities.pipelines import alpine_linux_importer
3637
from vulnerabilities.pipelines import github_importer
3738
from vulnerabilities.pipelines import gitlab_importer
@@ -189,3 +190,9 @@
189190
collect_fix_commits_v2.CollectGitlabFixCommitsPipeline,
190191
]
191192
)
193+
194+
TODO_EXCLUDED_PIPELINES = [
195+
key
196+
for key, value in IMPORTERS_REGISTRY.items()
197+
if issubclass(value, VulnerableCodeBaseImporterPipelineV2) and value.exclude_from_package_todo
198+
]

vulnerabilities/improvers/__init__.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
2020
from vulnerabilities.pipelines import remove_duplicate_advisories
2121
from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees
22+
from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
2223
from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
2324
from vulnerabilities.pipelines.v2_improvers import (
2425
computer_package_version_rank as compute_version_rank_v2,
@@ -72,5 +73,6 @@
7273
collect_ssvc_trees.CollectSSVCPipeline,
7374
relate_severities.RelateSeveritiesPipeline,
7475
group_advisories_for_packages.GroupAdvisoriesForPackages,
76+
compute_advisory_todo_v2.ComputeToDo,
7577
]
7678
)

vulnerabilities/migrations/0127_advisorytodov2_todorelatedadvisoryv2_and_more.py

Lines changed: 177 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,177 @@
1+
# Generated by Django 5.2.11 on 2026-05-05 11:52
2+
3+
import django.db.models.deletion
4+
import uuid
5+
from django.db import migrations, models
6+
7+
8+
class Migration(migrations.Migration):
9+
10+
dependencies = [
11+
("vulnerabilities", "0126_use_apk_scheme_for_alpine_vers"),
12+
]
13+
14+
operations = [
15+
migrations.DeleteModel(
16+
name="AdvisoryToDoV2",
17+
),
18+
migrations.DeleteModel(
19+
name="ToDoRelatedAdvisoryV2",
20+
),
21+
migrations.CreateModel(
22+
name="AdvisoryToDoV2",
23+
fields=[
24+
(
25+
"todo_id",
26+
models.UUIDField(
27+
default=uuid.uuid4, editable=False, primary_key=True, serialize=False
28+
),
29+
),
30+
(
31+
"related_advisories_id",
32+
models.CharField(
33+
help_text="SHA1 digest of the unique_content_id field of the applicable advisories.",
34+
max_length=40,
35+
),
36+
),
37+
(
38+
"alias",
39+
models.CharField(
40+
db_index=True,
41+
help_text="Alias associated with TODO advisories",
42+
max_length=50,
43+
),
44+
),
45+
(
46+
"advisories_count",
47+
models.IntegerField(
48+
db_index=True,
49+
default=1,
50+
help_text="Number of advisory associated with this TODO.",
51+
),
52+
),
53+
(
54+
"issue_type",
55+
models.CharField(
56+
choices=[
57+
("MISSING_AFFECTED_PACKAGE", "Advisory is missing affected package"),
58+
("MISSING_FIXED_BY_PACKAGE", "Advisory is missing fixed-by package"),
59+
(
60+
"MISSING_AFFECTED_AND_FIXED_BY_PACKAGES",
61+
"Advisory is missing both affected and fixed-by packages",
62+
),
63+
("MISSING_SUMMARY", "Advisory is missing summary"),
64+
(
65+
"CONFLICTING_FIXED_BY_PACKAGES",
66+
"Advisories have conflicting fixed-by packages",
67+
),
68+
(
69+
"CONFLICTING_AFFECTED_PACKAGES",
70+
"Advisories have conflicting affected packages",
71+
),
72+
(
73+
"CONFLICTING_AFFECTED_AND_FIXED_BY_PACKAGES",
74+
"Advisories have conflicting affected and fixed-by packages",
75+
),
76+
(
77+
"CONFLICTING_SEVERITY_SCORES",
78+
"Advisories have conflicting severity scores",
79+
),
80+
],
81+
db_index=True,
82+
help_text="Select the issue that needs to be addressed from the available options.",
83+
max_length=50,
84+
),
85+
),
86+
(
87+
"issue_detail",
88+
models.TextField(blank=True, help_text="Additional details about the issue."),
89+
),
90+
(
91+
"created_at",
92+
models.DateTimeField(
93+
auto_now_add=True,
94+
help_text="Timestamp indicating when this TODO was created.",
95+
),
96+
),
97+
(
98+
"is_resolved",
99+
models.BooleanField(
100+
db_index=True, default=False, help_text="This TODO is resolved or not."
101+
),
102+
),
103+
(
104+
"resolved_at",
105+
models.DateTimeField(
106+
blank=True,
107+
help_text="Timestamp indicating when this TODO was resolved.",
108+
null=True,
109+
),
110+
),
111+
(
112+
"resolution_detail",
113+
models.TextField(
114+
blank=True, help_text="Additional detail on how this TODO was resolved."
115+
),
116+
),
117+
(
118+
"oldest_advisory_date",
119+
models.DateTimeField(
120+
blank=True,
121+
db_index=True,
122+
help_text="Timestamp indicating when the oldest advisory was published, used for triaging TODOs.",
123+
null=True,
124+
),
125+
),
126+
(
127+
"is_todo_stale",
128+
models.BooleanField(
129+
db_index=True,
130+
default=False,
131+
help_text="TODOs are marked stale if associate advisory is no longer the latest version of the advisory.",
132+
),
133+
),
134+
],
135+
),
136+
migrations.CreateModel(
137+
name="ToDoRelatedAdvisoryV2",
138+
fields=[
139+
(
140+
"id",
141+
models.AutoField(
142+
auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
143+
),
144+
),
145+
(
146+
"advisory",
147+
models.ForeignKey(
148+
on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.advisoryv2"
149+
),
150+
),
151+
(
152+
"todo",
153+
models.ForeignKey(
154+
on_delete=django.db.models.deletion.CASCADE,
155+
to="vulnerabilities.advisorytodov2",
156+
),
157+
),
158+
],
159+
options={
160+
"unique_together": {("todo", "advisory")},
161+
},
162+
),
163+
migrations.AddField(
164+
model_name="advisorytodov2",
165+
name="advisories",
166+
field=models.ManyToManyField(
167+
help_text="Advisory/ies where this TODO is applicable.",
168+
related_name="advisory_todos",
169+
through="vulnerabilities.ToDoRelatedAdvisoryV2",
170+
to="vulnerabilities.advisoryv2",
171+
),
172+
),
173+
migrations.AlterUniqueTogether(
174+
name="advisorytodov2",
175+
unique_together={("related_advisories_id", "issue_type")},
176+
),
177+
]

vulnerabilities/models.py

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2521,9 +2521,21 @@ class Meta:
25212521
unique_together = ("related_advisories_id", "issue_type")
25222522

25232523

2524+
class AdvisoryToDoV2QuerySet(models.QuerySet):
2525+
2526+
def exclude_stale(self):
2527+
return self.exclude(is_todo_stale=True)
2528+
2529+
25242530
class AdvisoryToDoV2(models.Model):
25252531
"""Track the TODOs for advisory/ies that need to be addressed."""
25262532

2533+
todo_id = models.UUIDField(
2534+
primary_key=True,
2535+
default=uuid.uuid4,
2536+
editable=False,
2537+
)
2538+
25272539
# Since we can not make advisories field (M2M field) unique
25282540
# (see https://code.djangoproject.com/ticket/702), we use related_advisories_id
25292541
# to avoid creating duplicate issue for same set of advisories,
@@ -2539,6 +2551,20 @@ class AdvisoryToDoV2(models.Model):
25392551
help_text="Advisory/ies where this TODO is applicable.",
25402552
)
25412553

2554+
alias = models.CharField(
2555+
max_length=50,
2556+
db_index=True,
2557+
blank=False,
2558+
null=False,
2559+
help_text="Alias associated with TODO advisories",
2560+
)
2561+
2562+
advisories_count = models.IntegerField(
2563+
help_text="Number of advisory associated with this TODO.",
2564+
default=1,
2565+
db_index=True,
2566+
)
2567+
25422568
issue_type = models.CharField(
25432569
max_length=50,
25442570
choices=ISSUE_TYPE_CHOICES,
@@ -2573,6 +2599,22 @@ class AdvisoryToDoV2(models.Model):
25732599
help_text="Additional detail on how this TODO was resolved.",
25742600
)
25752601

2602+
oldest_advisory_date = models.DateTimeField(
2603+
null=True,
2604+
blank=True,
2605+
db_index=True,
2606+
help_text="Timestamp indicating when the oldest advisory was published, used for triaging TODOs.",
2607+
)
2608+
2609+
is_todo_stale = models.BooleanField(
2610+
null=False,
2611+
db_index=True,
2612+
default=False,
2613+
help_text="TODOs are marked stale if associate advisory is no longer the latest version of the advisory.",
2614+
)
2615+
2616+
objects = AdvisoryToDoV2QuerySet.as_manager()
2617+
25762618
class Meta:
25772619
unique_together = ("related_advisories_id", "issue_type")
25782620

@@ -2958,6 +3000,12 @@ def latest_advisories_for_purl(self, purl):
29583000
qs = self.filter(id__in=Subquery(adv_ids))
29593001
return qs.latest_per_avid()
29603002

3003+
def todo_excluded(self):
3004+
"""Exclude advisory ineligible for ToDo computation."""
3005+
from vulnerabilities.importers import TODO_EXCLUDED_PIPELINES
3006+
3007+
return self.exclude(datasource_id__in=TODO_EXCLUDED_PIPELINES)
3008+
29613009

29623010
class AdvisorySet(models.Model):
29633011

vulnerabilities/pipelines/__init__.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -278,6 +278,11 @@ class VulnerableCodeBaseImporterPipelineV2(VulnerableCodePipeline):
278278
ignorable_versions = []
279279
precedence = 0
280280

281+
# Set this to True if computing fixed/affected package ToDo is not fruitful for this source.
282+
# An example of such advisory would be pipeline dedicated to collecting issues,
283+
# pull requests, commit messages, EPSS, exploits, etc.
284+
exclude_from_package_todo = False
285+
281286
# Control how often progress log is shown (range: 1–100, higher value = less frequent log)
282287
progress_step = 10
283288

vulnerabilities/pipelines/v2_importers/__init__.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
#
2+
# Copyright (c) nexB Inc. and others. All rights reserved.
3+
# VulnerableCode is a trademark of nexB Inc.
4+
# SPDX-License-Identifier: Apache-2.0
5+
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
6+
# See https://github.com/aboutcode-org/vulnerablecode for support or download.
7+
# See https://aboutcode.org for more information about nexB OSS projects.
8+
#

vulnerabilities/pipelines/v2_importers/alpine_linux_importer.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,8 @@ class AlpineLinuxImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
4141
license_url = "https://secdb.alpinelinux.org/license.txt"
4242
repo_url = "git+https://github.com/aboutcode-org/aboutcode-mirror-alpine-secdb/"
4343

44+
exclude_from_package_todo = True
45+
4446
precedence = 200
4547

4648
@classmethod

vulnerabilities/pipelines/v2_importers/aosp_importer.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ class AospImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
3232
license_url = "https://github.com/quarkslab/aosp_dataset/blob/master/LICENSE"
3333

3434
precedence = 200
35+
exclude_from_package_todo = True
3536

3637
@classmethod
3738
def steps(cls):

vulnerabilities/pipelines/v2_importers/epss_importer_v2.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,8 @@ class EPSSImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
3030
spdx_license_expression = "unknown"
3131
importer_name = "EPSS Importer"
3232

33+
exclude_from_package_todo = True
34+
3335
precedence = 200
3436

3537
def advisories_count(self):

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad © 2024 Your Company Name. All rights reserved.




Check this box to remove all script contents from the fetched content.



Check this box to remove all images from the fetched content.


Check this box to remove all CSS styles from the fetched content.


Check this box to keep images inefficiently compressed and original size.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy