feat: migrate API consumers to read from advisory_vulnerability_score table

Update VulnerabilityService, PurlStatus, and VulnerabilitySummary to query
CVSS scores from the new unified advisory_vulnerability_score table instead
of the legacy cvss3 table. This completes the read-side migration for the
score consolidation work started in PR #1913.

The ingestion side continues to write to both tables (dual-write) to ensure
backwards compatibility. Removal of the dual-write, deprecation of the legacy
table, and any appropriate API changes will be addressed in follow-up PRs.

Assisted-By: Claude

Author: dejanb

cvss/src/cvss3/score.rs

@@ -74,3 +74,21 @@ impl FromIterator<Cvss3Base> for Score {
         }
     }
 }
+
+impl FromIterator<f64> for Score {
+    fn from_iter<I: IntoIterator<Item = f64>>(iter: I) -> Self {
+        let mut count: usize = 0;
+        let mut sum = 0.0;
+        for v in iter {
+            sum += v;
+            count += 1;
+        }
+        if count > 0 {
+            // Round to 1 decimal place (CVSS scores are displayed with 1 decimal precision)
+            let avg = sum / (count as f64);
+            Self::new((avg * 10.0).round() / 10.0)
+        } else {
+            Self::default()
+        }
+    }
+}

entity/src/advisory_vulnerability_score.rs

@@ -74,6 +74,26 @@ pub enum ScoreType {
     V4_0,
 }
 
+impl ScoreType {
+    /// Returns true if this is a CVSS v3.x score type (V3_0 or V3_1).
+    ///
+    /// NOTE: This helper exists for backward compatibility during the migration
+    /// from legacy cvss3 table. It will be removed once all consumers support
+    /// all CVSS versions.
+    #[inline]
+    pub fn is_cvss3(self) -> bool {
+        matches!(self, Self::V3_0 | Self::V3_1)
+    }
+}
+
+impl Model {
+    /// Returns true if this score is a CVSS v3.x score (V3_0 or V3_1).
+    #[inline]
+    pub fn is_cvss3(&self) -> bool {
+        self.r#type.is_cvss3()
+    }
+}
+
 // severity
 
 #[derive(

entity/src/vulnerability.rs

@@ -1,5 +1,5 @@
 use crate::{
-    advisory, advisory_vulnerability,
+    advisory, advisory_vulnerability, advisory_vulnerability_score,
     cvss3::{self, Severity},
     vulnerability_description,
 };
@@ -40,6 +40,9 @@ pub enum Relation {
     #[sea_orm(has_many = "super::cvss3::Entity")]
     Cvss3,
 
+    #[sea_orm(has_many = "super::advisory_vulnerability_score::Entity")]
+    AdvisoryVulnerabilityScore,
+
     #[sea_orm(has_many = "super::purl_status::Entity")]
     PurlStatuses,
 }
@@ -76,6 +79,12 @@ impl Related<cvss3::Entity> for Entity {
     }
 }
 
+impl Related<advisory_vulnerability_score::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::AdvisoryVulnerabilityScore.def()
+    }
+}
+
 impl Related<vulnerability_description::Entity> for Entity {
     fn to() -> RelationDef {
         Relation::Descriptions.def()

modules/fundamental/src/advisory/endpoints/test.rs

@@ -12,13 +12,11 @@ use test_context::test_context;
 use test_log::test;
 use time::OffsetDateTime;
 use trustify_common::{hashing::Digests, id::Id, model::PaginatedResults};
-use trustify_cvss::cvss3::{
-    AttackComplexity, AttackVector, Availability, Confidentiality, Cvss3Base, Integrity,
-    PrivilegesRequired, Scope, UserInteraction,
-};
-use trustify_entity::labels::Labels;
+use trustify_entity::{advisory_vulnerability_score, labels::Labels};
 use trustify_module_ingestor::{
-    graph::advisory::AdvisoryInformation, model::IngestResult, service::Format,
+    graph::{advisory::AdvisoryInformation, cvss::ScoreCreator},
+    model::IngestResult,
+    service::Format,
 };
 use trustify_module_storage::service::{StorageBackend, StorageKey};
 use trustify_test_context::{TrustifyContext, call::CallService, document_bytes};
@@ -48,25 +46,20 @@ async fn all_advisories(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
         )
         .await?;
 
-    let advisory_vuln = advisory
+    advisory
         .link_to_vulnerability("CVE-123", None, &ctx.db)
         .await?;
-    advisory_vuln
-        .ingest_cvss3_score(
-            Cvss3Base {
-                minor_version: 0,
-                av: AttackVector::Network,
-                ac: AttackComplexity::Low,
-                pr: PrivilegesRequired::None,
-                ui: UserInteraction::None,
-                s: Scope::Unchanged,
-                c: Confidentiality::None,
-                i: Integrity::None,
-                a: Availability::None,
-            },
-            &ctx.db,
-        )
-        .await?;
+
+    // Use ScoreCreator to write to advisory_vulnerability_score table
+    let mut score_creator = ScoreCreator::new(advisory.advisory.id);
+    score_creator.add(trustify_module_ingestor::graph::cvss::ScoreInformation {
+        vulnerability_id: "CVE-123".to_string(),
+        r#type: advisory_vulnerability_score::ScoreType::V3_0,
+        vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N".to_string(),
+        score: 0.0,
+        severity: advisory_vulnerability_score::Severity::None,
+    });
+    score_creator.create(&ctx.db).await?;
 
     ctx.graph
         .ingest_advisory(
@@ -156,25 +149,20 @@ async fn one_advisory(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
         )
         .await?;
 
-    let advisory_vuln = advisory2
+    advisory2
         .link_to_vulnerability("CVE-123", None, &ctx.db)
         .await?;
-    advisory_vuln
-        .ingest_cvss3_score(
-            Cvss3Base {
-                minor_version: 0,
-                av: AttackVector::Network,
-                ac: AttackComplexity::Low,
-                pr: PrivilegesRequired::High,
-                ui: UserInteraction::None,
-                s: Scope::Changed,
-                c: Confidentiality::High,
-                i: Integrity::None,
-                a: Availability::None,
-            },
-            &ctx.db,
-        )
-        .await?;
+
+    // Use ScoreCreator to write to advisory_vulnerability_score table
+    let mut score_creator = ScoreCreator::new(advisory2.advisory.id);
+    score_creator.add(trustify_module_ingestor::graph::cvss::ScoreInformation {
+        vulnerability_id: "CVE-123".to_string(),
+        r#type: advisory_vulnerability_score::ScoreType::V3_0,
+        vector: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N".to_string(),
+        score: 6.8,
+        severity: advisory_vulnerability_score::Severity::Medium,
+    });
+    score_creator.create(&ctx.db).await?;
 
     let uri = format!("/api/v2/advisory/urn:uuid:{}", advisory2.advisory.id);
 
@@ -253,25 +241,20 @@ async fn one_advisory_by_uuid(ctx: &TrustifyContext) -> Result<(), anyhow::Error
 
     let uuid = advisory.advisory.id;
 
-    let advisory_vuln = advisory
+    advisory
         .link_to_vulnerability("CVE-123", None, &ctx.db)
         .await?;
-    advisory_vuln
-        .ingest_cvss3_score(
-            Cvss3Base {
-                minor_version: 0,
-                av: AttackVector::Network,
-                ac: AttackComplexity::Low,
-                pr: PrivilegesRequired::High,
-                ui: UserInteraction::None,
-                s: Scope::Changed,
-                c: Confidentiality::High,
-                i: Integrity::None,
-                a: Availability::None,
-            },
-            &ctx.db,
-        )
-        .await?;
+
+    // Use ScoreCreator to write to advisory_vulnerability_score table
+    let mut score_creator = ScoreCreator::new(advisory.advisory.id);
+    score_creator.add(trustify_module_ingestor::graph::cvss::ScoreInformation {
+        vulnerability_id: "CVE-123".to_string(),
+        r#type: advisory_vulnerability_score::ScoreType::V3_0,
+        vector: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N".to_string(),
+        score: 6.8,
+        severity: advisory_vulnerability_score::Severity::Medium,
+    });
+    score_creator.create(&ctx.db).await?;
 
     let uri = format!("/api/v2/advisory/{}", uuid.urn());
 

modules/fundamental/src/advisory/model/details/advisory_vulnerability.rs

@@ -3,9 +3,10 @@ use sea_orm::{ColumnTrait, ConnectionTrait, EntityTrait, LoaderTrait, QueryFilte
 use serde::{Deserialize, Serialize};
 use tracing::instrument;
 use trustify_common::memo::Memo;
-use trustify_cvss::cvss3::Cvss3Base;
 use trustify_cvss::cvss3::severity::Severity;
-use trustify_entity::{advisory, advisory_vulnerability, cvss3, vulnerability};
+use trustify_entity::{
+    advisory, advisory_vulnerability, advisory_vulnerability_score, vulnerability,
+};
 use utoipa::ToSchema;
 
 #[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
@@ -119,19 +120,22 @@ impl AdvisoryVulnerabilitySummary {
         vulnerabilities: &[vulnerability::Model],
         tx: &C,
     ) -> Result<Vec<Self>, Error> {
-        let mut cvss3s = vulnerabilities
+        let mut all_scores = vulnerabilities
             .load_many(
-                cvss3::Entity::find().filter(cvss3::Column::AdvisoryId.eq(advisory.id)),
+                advisory_vulnerability_score::Entity::find()
+                    .filter(advisory_vulnerability_score::Column::AdvisoryId.eq(advisory.id)),
                 tx,
             )
             .await?;
 
         let mut summaries = Vec::new();
 
-        for (vuln, mut cvss3) in vulnerabilities.iter().zip(cvss3s.drain(..)) {
-            let cvss3_scores = cvss3
+        for (vuln, mut scores) in vulnerabilities.iter().zip(all_scores.drain(..)) {
+            // Filter to V3.x scores and format as vector strings
+            let cvss3_scores: Vec<String> = scores
                 .drain(..)
-                .map(|e| Cvss3Base::from(e).to_string())
+                .filter(|s| s.is_cvss3())
+                .map(|e| e.vector)
                 .collect();
 
             summaries.push(AdvisoryVulnerabilitySummary {

modules/fundamental/src/common/model/score.rs

@@ -1,7 +1,7 @@
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 use trustify_cvss::cvss3::severity::Severity;
-use trustify_entity::cvss3;
+use trustify_entity::{advisory_vulnerability_score, cvss3};
 use utoipa::{
     PartialSchema, ToSchema,
     openapi::{
@@ -85,6 +85,35 @@ impl TryFrom<cvss3::Model> for Score {
     }
 }
 
+impl From<advisory_vulnerability_score::Model> for Score {
+    fn from(model: advisory_vulnerability_score::Model) -> Self {
+        let r#type = match model.r#type {
+            advisory_vulnerability_score::ScoreType::V2_0 => ScoreType::V2,
+            advisory_vulnerability_score::ScoreType::V3_0 => ScoreType::V3,
+            advisory_vulnerability_score::ScoreType::V3_1 => ScoreType::V3_1,
+            advisory_vulnerability_score::ScoreType::V4_0 => ScoreType::V4,
+        };
+
+        let severity = match model.severity {
+            advisory_vulnerability_score::Severity::None => Severity::None,
+            advisory_vulnerability_score::Severity::Low => Severity::Low,
+            advisory_vulnerability_score::Severity::Medium => Severity::Medium,
+            advisory_vulnerability_score::Severity::High => Severity::High,
+            advisory_vulnerability_score::Severity::Critical => Severity::Critical,
+        };
+
+        // Round to 1 decimal place to avoid f32->f64 precision artifacts
+        // CVSS scores are typically displayed with 1 decimal precision
+        let value = (model.score as f64 * 10.0).round() / 10.0;
+
+        Score {
+            r#type,
+            value,
+            severity,
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

modules/fundamental/src/purl/model/details/purl.rs

@@ -22,12 +22,12 @@ use trustify_common::{
     memo::Memo,
     purl::Purl,
 };
-use trustify_cvss::cvss3::{Cvss3Base, score::Score as Cvss3Score, severity::Severity};
+use trustify_cvss::cvss3::{score::Score as Cvss3Score, severity::Severity};
 use trustify_entity::{
-    advisory, base_purl, cpe, cvss3, license, organization, product, product_status,
-    product_version, product_version_range, purl_status, qualified_purl, sbom, sbom_package,
-    sbom_package_license, sbom_package_purl_ref, status, version_range, versioned_purl,
-    vulnerability,
+    advisory, advisory_vulnerability_score, base_purl, cpe, license, organization, product,
+    product_status, product_version, product_version_range, purl_status, qualified_purl, sbom,
+    sbom_package, sbom_package_license, sbom_package_purl_ref, status, version_range,
+    versioned_purl, vulnerability,
 };
 use trustify_module_ingestor::common::{Deprecation, DeprecationForExt};
 use utoipa::ToSchema;
@@ -340,14 +340,19 @@ impl PurlStatus {
         cpe: Option<String>,
         tx: &C,
     ) -> Result<Self, Error> {
+        // Query scores from the new advisory_vulnerability_score table
+        let score_models = vuln
+            .find_related(advisory_vulnerability_score::Entity)
+            .all(tx)
+            .await?;
+        let average_score = Cvss3Score::from_iter(
+            score_models
+                .iter()
+                .filter(|s| s.is_cvss3())
+                .map(|s| s.score as f64),
+        );
+        let all_scores: Vec<Score> = score_models.into_iter().map(Score::from).collect();
         let issuer = Memo::Provided(advisory.find_related(organization::Entity).one(tx).await?);
-        let cvss3 = vuln.find_related(cvss3::Entity).all(tx).await?;
-        let average_score = Cvss3Score::from_iter(cvss3.iter().map(Cvss3Base::from));
-        let all_scores = cvss3
-            .iter()
-            .cloned()
-            .filter_map(|cvss3| Score::try_from(cvss3).ok())
-            .collect();
 
         Ok(Self {
             vulnerability: VulnerabilityHead::from_vulnerability_entity(
@@ -374,14 +379,15 @@ impl PurlStatus {
         status: String,
         version_range: Option<VersionRange>,
         cpe: Option<String>,
-        scores: &[cvss3::Model],
+        score_models: &[advisory_vulnerability_score::Model],
     ) -> Result<Self, Error> {
-        let average_score = Cvss3Score::from_iter(scores.iter().map(Cvss3Base::from));
-        let all_scores = scores
-            .iter()
-            .cloned()
-            .filter_map(|cvss3| Score::try_from(cvss3).ok())
-            .collect();
+        let average_score = Cvss3Score::from_iter(
+            score_models
+                .iter()
+                .filter(|s| s.is_cvss3())
+                .map(|s| s.score as f64),
+        );
+        let all_scores: Vec<Score> = score_models.iter().cloned().map(Score::from).collect();
 
         Ok(Self {
             vulnerability: vuln_head,