Use the new severities in API

Signed-off-by: Keshav Priyadarshi <[email protected]>

Author: keshav-space

vulnerabilities/api.py

@@ -54,13 +54,18 @@ def to_representation(self, instance):
 
 
 class VulnerabilityReferenceSerializer(serializers.ModelSerializer):
-    scores = VulnerabilitySeveritySerializer(many=True, source="vulnerabilityseverity_set")
+    scores = serializers.SerializerMethodField()
     reference_url = serializers.CharField(source="url")
 
     class Meta:
         model = VulnerabilityReference
         fields = ["reference_url", "reference_id", "reference_type", "scores", "url"]
 
+    def get_scores(self, instance):
+        matching_scores = VulnerabilitySeverity.objects.filter(url=instance.url)
+
+        return VulnerabilitySeveritySerializer(matching_scores, many=True).data
+
 
 class BaseResourceSerializer(serializers.HyperlinkedModelSerializer):
     """
@@ -217,7 +222,7 @@ def to_representation(self, instance):
     def get_severity_range_score(self, instance):
         severity_vectors = []
         severity_values = set()
-        for s in instance.severities:
+        for s in instance.severities.all():
             if s.scoring_system == EPSS.identifier:
                 continue
 

vulnerabilities/api_extension.py

@@ -84,11 +84,10 @@ class Meta:
 
 class V2VulnerabilitySeveritySerializer(ModelSerializer):
     score = CharField(source="value")
-    reference = V2VulnerabilityReferenceSerializer()
 
     class Meta:
         model = VulnerabilitySeverity
-        fields = ("score", "scoring_system", "scoring_elements", "published_at", "reference")
+        fields = ("url", "score", "scoring_system", "scoring_elements", "published_at")
 
 
 class V2WeaknessSerializer(ModelSerializer):
@@ -130,6 +129,7 @@ class V2VulnerabilitySerializer(ModelSerializer):
     scores = V2VulnerabilitySeveritySerializer(many=True, source="vulnerabilityseverity_set")
     references = V2VulnerabilityReferenceSerializer(many=True, source="vulnerabilityreference_set")
     exploits = V2ExploitSerializer(many=True, source="weaknesses")
+    severities = V2VulnerabilitySeveritySerializer(many=True)
 
     def get_aliases(self, vulnerability):
         return vulnerability.aliases.only("alias").values_list("alias", flat=True)
@@ -150,6 +150,7 @@ class Meta:
             "summary",
             "exploits",
             "references",
+            "severities",
         )
 
 
@@ -358,7 +359,7 @@ def get_queryset(self):
             .get_queryset()
             .prefetch_related(
                 "weaknesses",
-                # "severities",
+                "severities",
                 # "exploits",
             )
         )

vulnerabilities/tests/test_api.py

@@ -222,8 +222,8 @@ def setUp(self):
             url="https://.com",
         )
 
-        VulnerabilitySeverity.objects.create(
-            reference=self.reference1,
+        severity = VulnerabilitySeverity.objects.create(
+            url="https://.com",
             scoring_system=EPSS.identifier,
             scoring_elements=".0016",
             value="0.526",
@@ -239,6 +239,7 @@ def setUp(self):
             cwe_id=10000
         )  # cwe not present in weaknesses_db
         self.invalid_weaknesses.vulnerabilities.add(self.vulnerability)
+        self.vulnerability.severities.add(severity)
 
     def test_api_status(self):
         response = self.csrf_client.get("/api/vulnerabilities/")

vulnerabilities/tests/test_api_extension.py

@@ -45,7 +45,7 @@ def vulnerability_severity(vulnerability_reference):
         scoring_system="cvssv3_vector",
         value="7.0",
         scoring_elements="CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        reference_id=vulnerability_reference.id,
+        url=f"https://..",
     )
 
 
@@ -86,7 +86,7 @@ def test_V2VulnerabilitySeveritySerializer(vulnerability_severity):
     results = V2VulnerabilitySeveritySerializer(instance=vulnerability_severity).data
     expected = {
         "published_at": None,
-        "reference": {"reference_id": "fake", "reference_type": "", "reference_url": "https://.."},
+        "url": "https://..",
         "score": "7.0",
         "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
         "scoring_system": "cvssv3_vector",

vulnerabilities/tests/test_data/export_command/aboutcode-vulnerabilities/ps/VCID-pst6-b358-aaap.yml

@@ -7,10 +7,7 @@ severities:
     scoring_system: cvssv3_vector
     scoring_elements: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
     published_at:
-    reference:
-      url: https://..
-      reference_type:
-      reference_id: fake
+    url: https://..
 weaknesses:
   - CWE-15
 references: