aboutcode-org
diff --git a/‎CHANGELOG.rst‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.rst‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎component_catalog/importers.py‎
Lines changed: 2 additions & 2 deletions b/‎component_catalog/importers.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎component_catalog/migrations/0010_component_risk_score_package_risk_score.py‎
Lines changed: 23 additions & 0 deletions b/‎component_catalog/migrations/0010_component_risk_score_package_risk_score.py‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎component_catalog/models.py‎
Lines changed: 1 addition & 0 deletions b/‎component_catalog/models.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html‎
Lines changed: 36 additions & 22 deletions b/‎component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html‎
Lines changed: 36 additions & 22 deletions
diff --git a/‎component_catalog/tests/test_importers.py‎
Lines changed: 4 additions & 4 deletions b/‎component_catalog/tests/test_importers.py‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎component_catalog/tests/test_models.py‎
Lines changed: 4 additions & 0 deletions b/‎component_catalog/tests/test_models.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎component_catalog/views.py‎
Lines changed: 1 addition & 1 deletion b/‎component_catalog/views.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dejacode/static/css/dejacode_bootstrap.css‎
Lines changed: 18 additions & 6 deletions b/‎dejacode/static/css/dejacode_bootstrap.css‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎dje/copier.py‎
Lines changed: 1 addition & 0 deletions b/‎dje/copier.py‎
Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,11 @@ Release notes
 - Rename ProductDependency is_resolved to is_pinned.
   https://github.com/aboutcode-org/dejacode/issues/189
 
+- Add new fields on the Vulnerability model: `exploitability`, `weighted_severity`,
+  `risk_score`. The field are displayed in all relevant part of the UI where
+  vulnerability data is available.
+  https://github.com/aboutcode-org/dejacode/issues/98
+
 ### Version 5.2.1
 
 - Fix the models documentation navigation.
 
@@ -41,7 +41,7 @@
 from policy.models import UsagePolicy
 from product_portfolio.models import ProductComponent
 from product_portfolio.models import ProductPackage
-from vulnerabilities.fetch import fetch_for_queryset
+from vulnerabilities.fetch import fetch_for_packages
 
 keywords_help = (
     get_help_text(Component, "keywords")
@@ -433,7 +433,7 @@ def save_all(self):
         if self.dataspace.enable_vulnerablecodedb_access:
             package_pks = [package.pk for package in self.results["added"]]
             package_qs = Package.objects.scope(dataspace=self.dataspace).filter(pk__in=package_pks)
-            fetch_for_queryset(package_qs, self.dataspace)
+            fetch_for_packages(package_qs, self.dataspace)
 
 
 class SubcomponentImportForm(
 
@@ -0,0 +1,23 @@
+# Generated by Django 5.0.9 on 2024-11-18 10:01
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('component_catalog', '0009_componentaffectedbyvulnerability_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='component',
+            name='risk_score',
+            field=models.DecimalField(blank=True, decimal_places=1, help_text='Risk score between 0.0 and 10.0, where higher values indicate greater vulnerability risk for the package.', max_digits=3, null=True),
+        ),
+        migrations.AddField(
+            model_name='package',
+            name='risk_score',
+            field=models.DecimalField(blank=True, decimal_places=1, help_text='Risk score between 0.0 and 10.0, where higher values indicate greater vulnerability risk for the package.', max_digits=3, null=True),
+        ),
+    ]
@@ -1675,6 +1675,7 @@ def only_rendering_fields(self):
             *PACKAGE_URL_FIELDS,
             "filename",
             "license_expression",
+            "risk_score",
             "dataspace__name",
             "dataspace__show_usage_policy_in_user_views",
         )
 
@@ -1,4 +1,14 @@
 {% load i18n %}
+<dl class="row mb-3">
+  <dt class="col-sm-1 text-end pe-0">
+    <span class="help_text" data-bs-placement="right" data-bs-toggle="tooltip" data-bs-title="Risk score between 0.0 and 10.0, where higher values indicate greater vulnerability risk for the package.">
+      Risk score
+    </span>
+  </dt>
+  <dd class="col-sm-11 fs-110pct">
+    {% include 'vulnerabilities/includes/risk_score_badge.html' with risk_score=package.risk_score only %}
+  </dd>
+</dl>
 <table class="table table-bordered table-hover table-md text-break">
   <thead>
     <tr>
@@ -7,19 +17,24 @@
           {% trans 'Affected by' %}
         </span>
       </th>
-      <th style="width: 210px;">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="A list of aliases for this vulnerability.">
-          {% trans 'Aliases' %}
+      <th style="width: 300px;">
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Summary of the vulnerability.">
+          {% trans 'Summary' %}
         </span>
       </th>
-      <th style="width: 90px;">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Severity score range.">
-          {% trans 'Score' %}
+      <th style="min-width: 130px;">
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Exploitability indicates the likelihood that a vulnerability in a software package could be used by malicious actors to compromise systems, applications, or networks. This metric is determined automatically based on the discovery of known exploits">
+          {% trans 'Exploitability' %}
         </span>
       </th>
-      <th>
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Summary of the vulnerability.">
-          {% trans 'Summary' %}
+      <th style="min-width: 100px;">
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Weighted severity is the highest value calculated by multiplying each severity by its corresponding weight, divided by 10.">
+          {% trans 'Severity' %}
+        </span>
+      </th>
+      <th style="min-width: 90px;">
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Risk score from 0.0 to 10.0, with higher values indicating greater vulnerability risk. This score is the maximum of the weighted severity multiplied by exploitability, capped at 10.">
+          {% trans 'Risk' %}
         </span>
       </th>
       <th style="min-width: 320px;">
@@ -43,19 +58,9 @@
               {{ vulnerability.vulnerability_id }}
             {% endif %}
           </strong>
-        </td>
-        <td>
-           {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
-        </td>
-        <td>
-          {% if vulnerability.min_score %}
-            {{ vulnerability.min_score }} -
-          {% endif %}
-          {% if vulnerability.max_score %}
-            <strong>
-              {{ vulnerability.max_score }}
-            </strong>
-          {% endif %}
+          <div class="mt-2">
+            {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
+          </div>
         </td>
         <td>
           {% if vulnerability.summary %}
@@ -69,6 +74,15 @@
             {% endif %}
           {% endif %}
         </td>
+        <td>
+          {% include 'vulnerabilities/includes/exploitability.html' with instance=vulnerability only %}
+        </td>
+        <td>
+          {{ vulnerability.weighted_severity|default_if_none:"" }}
+        </td>
+        <td class="fs-110pct">
+          {% include 'vulnerabilities/includes/risk_score_badge.html' with risk_score=vulnerability.risk_score only %}
+        </td>
         <td>
           {% if vulnerability.fixed_packages_html %}
             {{ vulnerability.fixed_packages_html }}
 
@@ -1397,17 +1397,17 @@ def test_package_import_add_to_product(self):
         self.assertContains(response, expected3)
         self.assertContains(response, expected4)
 
-    @mock.patch("component_catalog.importers.fetch_for_queryset")
-    def test_package_import_fetch_vulnerabilities(self, mock_fetch_for_queryset):
-        mock_fetch_for_queryset.return_value = None
+    @mock.patch("component_catalog.importers.fetch_for_packages")
+    def test_package_import_fetch_vulnerabilities(self, mock_fetch_for_packages):
+        mock_fetch_for_packages.return_value = None
         self.dataspace.enable_vulnerablecodedb_access = True
         self.dataspace.save()
 
         file = os.path.join(TESTFILES_LOCATION, "package_from_scancode.json")
         importer = PackageImporter(self.super_user, file)
         importer.save_all()
         self.assertEqual(2, len(importer.results["added"]))
-        mock_fetch_for_queryset.assert_called()
+        mock_fetch_for_packages.assert_called()
 
 
 class SubcomponentImporterTestCase(TestCase):
 
@@ -1683,6 +1683,10 @@ def test_package_model_update_from_data(self):
         package.refresh_from_db()
         self.assertEqual(new_data["filename"], package.filename)
 
+        new_data = {"filename": "new_filename2"}
+        updated_fields = package.update_from_data(user=None, data=new_data, override=True)
+        self.assertEqual(["filename"], updated_fields)
+
     @mock.patch("component_catalog.models.collect_package_data")
     def test_package_model_create_from_url(self, mock_collect):
         self.assertIsNone(Package.create_from_url(url=" ", user=self.user))
 
@@ -251,7 +251,7 @@ class TabVulnerabilityMixin:
     template = "component_catalog/tabs/tab_vulnerabilities.html"
 
     def tab_vulnerabilities(self):
-        vulnerabilities_qs = self.object.affected_by_vulnerabilities.all()
+        vulnerabilities_qs = self.object.affected_by_vulnerabilities.order_by_risk()
         if not vulnerabilities_qs:
             return
 
 
@@ -40,6 +40,9 @@ a.dropdown-item:hover {
 .fs-85pct {
   font-size: 85%;
 }
+.fs-110pct {
+  font-size: 110%;
+}
 .header {
   margin-bottom: 1rem;
 }
@@ -86,6 +89,9 @@ table.text-break thead {
   word-wrap: initial!important;
   word-break: initial!important;
 }
+.bg-warning-orange {
+  background-color: var(--bs-orange);
+}
 /* -- Dark there fixes -- */
 [data-bs-theme=dark] .btn-outline-dark {
   --bs-btn-color: var(--bs-tertiary-color);
@@ -380,14 +386,20 @@ table.vulnerabilities-table .column-summary {
 #tab_vulnerabilities .column-vulnerability_id {
   width: 210px;
 }
-#tab_vulnerabilities .column-aliases {
-  width: 210px;
+#tab_vulnerabilities .column-affected_packages {
+  min-width: 300px;
 }
-#tab_vulnerabilities .column-max_score {
-  width: 105px;
+#tab_vulnerabilities .column-exploitability {
+  width: 150px;
 }
-#tab_vulnerabilities .column-column-affected_packages {
-  width: 320px;
+#tab_vulnerabilities .column-weighted_severity {
+  width: 115px;
+}
+#tab_vulnerabilities .column-risk_score {
+  width: 95px;
+}
+#tab_vulnerabilities .column-summary {
+  width: 300px;
 }
 
 /* -- Dependency tab -- */
 
@@ -66,6 +66,7 @@
     "project_uuid",
     "default_assignee",
     "affected_by_vulnerabilities",
+    "risk_score",
 ]
Original file line number	Diff line number	Diff line change
`@@ -1675,6 +1675,7 @@ def only_rendering_fields(self):`
`1675`	`1675`	`*PACKAGE_URL_FIELDS,`
`1676`	`1676`	`"filename",`
`1677`	`1677`	`"license_expression",`
	`1678`	`+ "risk_score",`
`1678`	`1679`	`"dataspace__name",`
`1679`	`1680`	`"dataspace__show_usage_policy_in_user_views",`
`1680`	`1681`	`)`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@`
`66`	`66`	`"project_uuid",`
`67`	`67`	`"default_assignee",`
`68`	`68`	`"affected_by_vulnerabilities",`
	`69`	`+ "risk_score",`
`69`	`70`	`]`
`70`	`71`
`71`	`72`