aboutcode-org
diff --git a/‎CHANGELOG.rst‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.rst‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎setup.cfg‎
Lines changed: 1 addition & 0 deletions b/‎setup.cfg‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎vulnerabilities/api.py‎
Lines changed: 58 additions & 30 deletions b/‎vulnerabilities/api.py‎
Lines changed: 58 additions & 30 deletions
diff --git a/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎vulnerabilities/importers/nvd.py‎
Lines changed: 10 additions & 0 deletions b/‎vulnerabilities/importers/nvd.py‎
Lines changed: 10 additions & 0 deletions
@@ -1,6 +1,20 @@
 Release notes
 =============
 
+Version v34.0.0rc5
+-------------------
+
+- Add safetydb importer.
+- Add missing width setting for the table in the vulnerability details UI.
+- Add KEV support.
+- Add UI template for API.
+- Use VersionRange.normalize to compare advisory.
+- Use integer column to display score.
+- Add support for CVSSv4 & SSVC and import the data using vulnrichment.
+- Add support for reference_type in the API.
+- Add API improvements for the package endpoint.
+
+
 Version v34.0.0rc4
 -------------------
 
 
@@ -118,6 +118,7 @@ dev =
     commoncode
     # debug
     django-debug-toolbar
+    pyinstrument
 
 [options.entry_points]
 console_scripts =
 
@@ -108,6 +108,8 @@ def get_vulnerability(self, vuln):
 
     purl = serializers.CharField(source="package_url")
 
+    is_vulnerable = serializers.BooleanField()
+
     class Meta:
         model = Package
         fields = ["url", "purl", "is_vulnerable", "affected_by_vulnerabilities"]
@@ -248,21 +250,27 @@ def get_latest_non_vulnerable(self, package):
 
     affected_by_vulnerabilities = serializers.SerializerMethodField("get_affected_vulnerabilities")
 
-    fixing_vulnerabilities = serializers.SerializerMethodField("get_fixed_vulnerabilities")
+    fixing_vulnerabilities = serializers.SerializerMethodField("get_fixing_vulnerabilities")
+
+    is_vulnerable = serializers.BooleanField()
 
     def get_fixed_packages(self, package):
         """
         Return a queryset of all packages that fix a vulnerability with
         same type, namespace, name, subpath and qualifiers of the `package`
         """
-        return Package.objects.filter(
-            name=package.name,
-            namespace=package.namespace,
-            type=package.type,
-            qualifiers=package.qualifiers,
-            subpath=package.subpath,
-            packagerelatedvulnerability__fix=True,
-        ).distinct()
+        return (
+            Package.objects.filter(
+                name=package.name,
+                namespace=package.namespace,
+                type=package.type,
+                qualifiers=package.qualifiers,
+                subpath=package.subpath,
+                packagerelatedvulnerability__fix=True,
+            )
+            .with_is_vulnerable()
+            .distinct()
+        )
 
     def get_vulnerabilities_for_a_package(self, package, fix) -> dict:
         """
@@ -285,7 +293,7 @@ def get_vulnerabilities_for_a_package(self, package, fix) -> dict:
             context={"request": self.context["request"]},
         ).data
 
-    def get_fixed_vulnerabilities(self, package) -> dict:
+    def get_fixing_vulnerabilities(self, package) -> dict:
         """
         Return a mapping of vulnerabilities fixed in the given `package`.
         """
@@ -322,12 +330,15 @@ class Meta:
             "version",
             "qualifiers",
             "subpath",
+            "is_vulnerable",
             "next_non_vulnerable_version",
             "latest_non_vulnerable_version",
             "affected_by_vulnerabilities",
             "fixing_vulnerabilities",
         ]
 
+    is_vulnerable = serializers.BooleanField()
+
 
 class PackageFilterSet(filters.FilterSet):
     purl = filters.CharFilter(method="filter_purl")
@@ -390,6 +401,9 @@ class PackageViewSet(viewsets.ReadOnlyModelViewSet):
     filterset_class = PackageFilterSet
     throttle_classes = [StaffUserRateThrottle, AnonRateThrottle]
 
+    def get_queryset(self):
+        return super().get_queryset().with_is_vulnerable()
+
     @extend_schema(
         request=PackageBulkSearchRequestSerializer,
         responses={200: PackageSerializer(many=True)},
@@ -436,6 +450,7 @@ def bulk_search(self, request):
                 Package.objects.filter(plain_package_url__in=plain_purls)
                 .order_by("plain_package_url")
                 .distinct("plain_package_url")
+                .with_is_vulnerable()
             )
 
             if not purl_only:
@@ -449,7 +464,7 @@ def bulk_search(self, request):
             vulnerable_purls = [str(package.plain_package_url) for package in vulnerable_purls]
             return Response(data=vulnerable_purls)
 
-        query = Package.objects.filter(package_url__in=purls).distinct()
+        query = Package.objects.filter(package_url__in=purls).distinct().with_is_vulnerable()
 
         if not purl_only:
             return Response(PackageSerializer(query, many=True, context={"request": request}).data)
@@ -463,7 +478,9 @@ def all(self, request):
         """
         Return the Package URLs of all packages known to be vulnerable.
         """
-        vulnerable_packages = Package.objects.vulnerable().only("package_url").distinct()
+        vulnerable_packages = (
+            Package.objects.vulnerable().only("package_url").distinct().with_is_vulnerable()
+        )
         vulnerable_purls = [str(package.package_url) for package in vulnerable_packages]
         return Response(vulnerable_purls)
 
@@ -494,11 +511,8 @@ def lookup(self, request):
         validated_data = serializer.validated_data
         purl = validated_data.get("purl")
 
-        return Response(
-            PackageSerializer(
-                Package.objects.for_purls([purl]), many=True, context={"request": request}
-            ).data
-        )
+        qs = self.get_queryset().for_purls([purl]).with_is_vulnerable()
+        return Response(PackageSerializer(qs, many=True, context={"request": request}).data)
 
     @extend_schema(
         request=PackageurlListSerializer,
@@ -529,7 +543,7 @@ def bulk_lookup(self, request):
 
         return Response(
             PackageSerializer(
-                Package.objects.for_purls(purls),
+                Package.objects.for_purls(purls).with_is_vulnerable(),
                 many=True,
                 context={"request": request},
             ).data
@@ -547,33 +561,47 @@ class VulnerabilityViewSet(viewsets.ReadOnlyModelViewSet):
     Lookup for vulnerabilities affecting packages.
     """
 
+    queryset = Vulnerability.objects.all()
+
     def get_fixed_packages_qs(self):
         """
         Filter the packages that fixes a vulnerability
         on fields like name, namespace and type.
         """
-        package_filter_data = {"packagerelatedvulnerability__fix": True}
+        return self.get_packages_qs().filter(packagerelatedvulnerability__fix=True)
 
+    def get_packages_qs(self):
+        """
+        Filter the packages on type, namespace and name.
+        """
         query_params = self.request.query_params
-        for field_name in ["name", "namespace", "type"]:
-            value = query_params.get(field_name)
-            if value:
+        package_filter_data = {}
+        for field_name in ("type", "namespace", "name"):
+            if value := query_params.get(field_name):
                 package_filter_data[field_name] = value
 
-        return PackageFilterSet(package_filter_data).qs
+        return PackageFilterSet(package_filter_data).qs.with_is_vulnerable()
 
     def get_queryset(self):
         """
         Assign filtered packages queryset from `get_fixed_packages_qs`
         to a custom attribute `filtered_fixed_packages`
         """
-        return Vulnerability.objects.prefetch_related(
-            "weaknesses",
-            Prefetch(
-                "packages",
-                queryset=self.get_fixed_packages_qs(),
-                to_attr="filtered_fixed_packages",
-            ),
+        return (
+            super()
+            .get_queryset()
+            .prefetch_related(
+                Prefetch(
+                    "packages",
+                    queryset=self.get_packages_qs(),
+                ),
+                "weaknesses",
+                Prefetch(
+                    "packages",
+                    queryset=self.get_fixed_packages_qs(),
+                    to_attr="filtered_fixed_packages",
+                ),
+            )
         )
 
     serializer_class = VulnerabilitySerializer
 
@@ -38,6 +38,7 @@
 from vulnerabilities.importers import suse_scores
 from vulnerabilities.importers import ubuntu
 from vulnerabilities.importers import ubuntu_usn
+from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
 
 IMPORTERS_REGISTRY = [
@@ -73,6 +74,7 @@
     ruby.RubyImporter,
     github_osv.GithubOSVImporter,
     epss.EPSSImporter,
+    vulnrichment.VulnrichImporter,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}
@@ -163,6 +163,16 @@ def severities(self):
         """
         severities = []
         impact = self.cve_item.get("impact") or {}
+        base_metric_v4 = impact.get("baseMetricV4") or {}
+        if base_metric_v4:
+            cvss_v4 = base_metric_v4.get("cvssV4") or {}
+            vs = VulnerabilitySeverity(
+                system=severity_systems.CVSSV4,
+                value=str(cvss_v4.get("baseScore") or ""),
+                scoring_elements=str(cvss_v4.get("vectorString") or ""),
+            )
+            severities.append(vs)
+
         base_metric_v3 = impact.get("baseMetricV3") or {}
         if base_metric_v3:
             cvss_v3 = get_item(base_metric_v3, "cvssV3")