Adjust tests

TG1999 · TG1999 · commit ea03fa0d2594 · 2025-12-15T22:27:53.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/api_v2.py b/vulnerabilities/api_v2.py
@@ -146,18 +146,31 @@ class AdvisoryV2Serializer(serializers.ModelSerializer):
     references = AdvisoryReferenceSerializer(many=True)
     severities = AdvisorySeveritySerializer(many=True)
     advisory_id = serializers.CharField(source="avid", read_only=True)
-    ssvc_trees = serializers.SerializerMethodField()
+    related_ssvc_trees = serializers.SerializerMethodField()
 
-    def get_ssvc_trees(self, obj):
-        ssvc_trees = obj.ssvc_entries.all()
-        return [
-            {
-                "vector": ssvc.vector,
-                "decision": ssvc.decision,
-                "options": ssvc.options,
-            }
-            for ssvc in ssvc_trees
-        ]
+    def get_related_ssvc_trees(self, obj):
+        related_ssvcs = obj.related_ssvcs.all().select_related("source_advisory")
+        source_ssvcs = obj.source_ssvcs.all().select_related("source_advisory")
+
+        seen = set()
+        result = []
+
+        for ssvc in list(related_ssvcs) + list(source_ssvcs):
+            key = (ssvc.vector, ssvc.source_advisory_id)
+            if key in seen:
+                continue
+            seen.add(key)
+
+            result.append(
+                {
+                    "vector": ssvc.vector,
+                    "decision": ssvc.decision,
+                    "options": ssvc.options,
+                    "source_url": ssvc.source_advisory.url,
+                }
+            )
+
+        return result
 
     class Meta:
         model = AdvisoryV2
@@ -172,7 +185,7 @@ class Meta:
             "exploitability",
             "weighted_severity",
             "risk_score",
-            "ssvc_trees",
+            "related_ssvc_trees",
         ]
 
     def get_aliases(self, obj):
diff --git a/vulnerabilities/pipelines/v2_improvers/collect_ssvc_trees.py b/vulnerabilities/pipelines/v2_improvers/collect_ssvc_trees.py
@@ -9,8 +9,11 @@
 
 import logging
 
+from django.db.models import Prefetch
 from django.db.models import Q
+
 from vulnerabilities.models import SSVC
+from vulnerabilities.models import AdvisorySeverity
 from vulnerabilities.models import AdvisoryV2
 from vulnerabilities.pipelines import VulnerableCodePipeline
 from vulnerabilities.pipelines.v2_importers.vulnrichment_importer import VulnrichImporterPipeline
@@ -26,43 +29,60 @@ class CollectSSVCPipeline(VulnerableCodePipeline):
     This pipeline collects SSVC from Vulnrichment project and associates them with existing advisories.
     """
 
-    pipeline_id = "collect_ssvc_tree_v2"
-    spdx_license_expression = "CC0-1.0"
+    pipeline_id = "collect_ssvc_trees"
 
     @classmethod
     def steps(cls):
-        return (
-            cls.collect_ssvc_data,
-        )
+        return (cls.collect_ssvc_data,)
 
     def collect_ssvc_data(self):
-        vulnrichment_advisories = AdvisoryV2.objects.filter(
-            datasource_id=VulnrichImporterPipeline.pipeline_id,
+        vulnrichment_advisories = (
+            AdvisoryV2.objects.filter(
+                datasource_id=VulnrichImporterPipeline.pipeline_id,
+                severities__scoring_system=SCORING_SYSTEMS["ssvc"],
+            )
+            .distinct()
+            .prefetch_related(
+                Prefetch(
+                    "severities",
+                    queryset=AdvisorySeverity.objects.filter(
+                        scoring_system=SCORING_SYSTEMS["ssvc"]
+                    ),
+                )
+            )
+        )
+
+        self.log(
+            f"Found {vulnrichment_advisories.count()} advisories from Vulnrichment with SSVC severities."
         )
         for advisory in vulnrichment_advisories:
-            severities = advisory.severities.filter(scoring_system=SCORING_SYSTEMS["ssvc"])
-            for severity in severities:
+            self.log(f"Processing advisory: {advisory.advisory_id}")
+            for severity in advisory.severities.all():
                 ssvc_vector = severity.scoring_elements
                 try:
                     ssvc_tree, decision = convert_vector_to_tree_and_decision(ssvc_vector)
-                    self.log(f"Advisory: {advisory.advisory_id}, SSVC Tree: {ssvc_tree}, Decision: {decision}, vector: {ssvc_vector}")
+                    self.log(
+                        f"Advisory: {advisory.advisory_id}, SSVC Tree: {ssvc_tree}, Decision: {decision}, vector: {ssvc_vector}"
+                    )
                     ssvc_obj, _ = SSVC.objects.get_or_create(
                         source_advisory=advisory,
                         defaults={
                             "options": ssvc_tree,
                             "decision": decision,
+                            "vector": ssvc_vector,
                         },
                     )
                     # All advisories that have advisory.advisory_id in their aliases or advisory_id same as advisory.advisory_id
                     related_advisories = AdvisoryV2.objects.filter(
-                        Q(advisory_id=advisory.advisory_id) |
-                        Q(aliases__alias=advisory.advisory_id)
+                        Q(advisory_id=advisory.advisory_id) | Q(aliases__alias=advisory.advisory_id)
                     ).distinct()
-                    # remove the current advisory from related advisories
                     related_advisories = related_advisories.exclude(id=advisory.id)
                     ssvc_obj.related_advisories.set(related_advisories)
                 except ValueError as e:
-                    logger.error(f"Failed to parse SSVC vector '{ssvc_vector}' for advisory '{advisory}': {e}")
+                    logger.error(
+                        f"Failed to parse SSVC vector '{ssvc_vector}' for advisory '{advisory}': {e}"
+                    )
+
 
 REVERSE_POINTS = {
     "E": ("Exploitation", {"N": "none", "P": "poc", "A": "active"}),
@@ -82,6 +102,7 @@ def collect_ssvc_data(self):
 
 VECTOR_ORDER = ["E", "A", "T", "P", "B", "M"]
 
+
 def convert_vector_to_tree_and_decision(vector: str):
     """
     Convert a given SSVC vector string into a structured tree and decision.
@@ -114,9 +135,12 @@ def convert_vector_to_tree_and_decision(vector: str):
             name, mapping = REVERSE_POINTS[key]
             options.append({name: mapping[value]})
 
-    # Preserve canonical SSVC order
-    options.sort(key=lambda o: VECTOR_ORDER.index(
-        next(k for k, _ in REVERSE_POINTS.values() if k == next(iter(o)))
-    ) if False else 0)
+    options.sort(
+        key=lambda o: VECTOR_ORDER.index(
+            next(k for k, _ in REVERSE_POINTS.values() if k == next(iter(o)))
+        )
+        if False
+        else 0
+    )
 
     return options, decision
diff --git a/vulnerabilities/templates/advisory_detail.html b/vulnerabilities/templates/advisory_detail.html
@@ -44,13 +44,6 @@
                         </span>
                     </a>
                 </li>
-                <li data-tab="severities-vectors">
-                    <a>
-                        <span>
-                            Severity details ({{ severity_vectors|length }})
-                        </span>
-                    </a>
-                </li>
 
                 {% if advisory.exploits %}
                     <li data-tab="exploits">
@@ -70,6 +63,16 @@
                     </a>
                 </li>
 
+                {% if ssvcs %}
+                    <li data-tab="ssvcs">
+                        <a>
+                            <span>
+                                Related SSVCS ({{ ssvcs|length }})
+                            </span>
+                        </a>
+                    </li>
+                {% endif %}
+
                 <!-- <li data-tab="history">
                     <a>
                         <span>
@@ -402,102 +405,6 @@
                     </tr>
                 {% endfor %}
             </div>
-        
-            <div class="tab-div content" data-content="severities-vectors">
-                {% for severity_vector in severity_vectors %}
-                    {% if severity_vector.vector.version == '2.0'  %}
-                        Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
-                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
-                          <tr>
-                            <th>Exploitability (E)</th>
-                            <th>Access Vector (AV)</th>
-                            <th>Access Complexity (AC)</th>
-                            <th>Authentication (Au)</th>
-                            <th>Confidentiality Impact (C)</th>
-                            <th>Integrity Impact (I)</th>
-                            <th>Availability Impact (A)</th>
-                          </tr>
-                          <tr>
-                            <td>{{ severity_vector.vector.exploitability|cvss_printer:"high,functional,unproven,proof_of_concept,not_defined" }}</td>
-                            <td>{{ severity_vector.vector.accessVector|cvss_printer:"local,adjacent_network,network" }}</td>
-                            <td>{{ severity_vector.vector.accessComplexity|cvss_printer:"high,medium,low" }}</td>
-                            <td>{{ severity_vector.vector.authentication|cvss_printer:"multiple,single,none" }}</td>
-                            <td>{{ severity_vector.vector.confidentialityImpact|cvss_printer:"none,partial,complete" }}</td>
-                            <td>{{ severity_vector.vector.integrityImpact|cvss_printer:"none,partial,complete" }}</td>
-                            <td>{{ severity_vector.vector.availabilityImpact|cvss_printer:"none,partial,complete" }}</td>
-                          </tr>
-                        </table>
-                    {% elif severity_vector.vector.version == '3.1' or severity_vector.vector.version == '3.0'%}
-                        Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
-                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
-                              <tr>
-                                <th>Attack Vector (AV)</th>
-                                <th>Attack Complexity (AC)</th>
-                                <th>Privileges Required (PR)</th>
-                                <th>User Interaction (UI)</th>
-                                <th>Scope (S)</th>
-                                <th>Confidentiality Impact (C)</th>
-                                <th>Integrity Impact (I)</th>
-                                <th>Availability Impact (A)</th>
-                              </tr>
-                              <tr>
-                                <td>{{ severity_vector.vector.attackVector|cvss_printer:"network,adjacent_network,local,physical"}}</td>
-                                <td>{{ severity_vector.vector.attackComplexity|cvss_printer:"low,high" }}</td>
-                                <td>{{ severity_vector.vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
-                                <td>{{ severity_vector.vector.userInteraction|cvss_printer:"none,required"}}</td>
-                                <td>{{ severity_vector.vector.scope|cvss_printer:"unchanged,changed" }}</td>
-                                <td>{{ severity_vector.vector.confidentialityImpact|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.integrityImpact|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.availabilityImpact|cvss_printer:"high,low,none" }}</td>
-                              </tr>
-                            </table>
-                    {% elif severity_vector.vector.version == '4' %}
-                        Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
-                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
-                              <tr>
-                                <th>Attack Vector (AV)</th>
-                                <th>Attack Complexity (AC)</th>
-                                <th>Attack Requirements (AT)</th>
-                                <th>Privileges Required (PR)</th>
-                                <th>User Interaction (UI)</th>
-
-                                <th>Vulnerable System Impact Confidentiality (VC)</th>
-                                <th>Vulnerable System Impact Integrity (VI)</th>
-                                <th>Vulnerable System Impact Availability (VA)</th>
-
-                                <th>Subsequent System Impact Confidentiality (SC)</th>
-                                <th>Subsequent System Impact Integrity (SI)</th>
-                                <th>Subsequent System Impact Availability (SA)</th>
-                              </tr>
-                              <tr>
-                                <td>{{ severity_vector.vector.attackVector|cvss_printer:"network,adjacent,local,physical"}}</td>
-                                <td>{{ severity_vector.vector.attackComplexity|cvss_printer:"low,high" }}</td>
-                                <td>{{ severity_vector.vector.attackRequirement|cvss_printer:"none,present" }}</td>
-                                <td>{{ severity_vector.vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
-                                <td>{{ severity_vector.vector.userInteraction|cvss_printer:"none,passive,active"}}</td>
-
-                                <td>{{ severity_vector.vector.vulnerableSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.vulnerableSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.vulnerableSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>
-
-                                <td>{{ severity_vector.vector.subsequentSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.subsequentSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
-                                <td>{{ severity_vector.vector.subsequentSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>
-                              </tr>
-                            </table>
-                    {% elif severity_vector.vector.version == 'ssvc' %}
-                        <hr/>
-                        Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
-                        <hr/>
-                    {% endif %}
-                    {% empty %}
-                        <tr>
-                            <td>
-                                There are no known vectors.
-                            </td>
-                        </tr>
-                    {% endfor %}
-            </div>
 
         
             <div class="tab-div content" data-content="epss">
@@ -543,6 +450,45 @@
                 {% endif %}
             </div>
 
+            <div class="tab-div content" data-content="ssvcs">
+                {% if ssvcs %}
+                  {% for ssvc in ssvcs %}
+                    <div class="box ssvc-card mb-0 pb-0">
+                        <div>
+                            <p>
+                              Vector: {{ ssvc.vector }}
+                            </p>
+                            <p>
+                              Decision: {{ ssvc.decision }}
+                            </p>
+                        <p>
+                          Source URL:
+                          <a href="{{ ssvc.advisory_url }}" target="_blank">
+                            {{ ssvc.advisory_url }}
+                            <i class="fa fa-external-link fa_link_custom"></i>
+                          </a>
+                        </p>
+                        <p>
+                          Source Advisory:
+                          <a href="{{ ssvc.advisory.get_absolute_url }}">
+                            {{ ssvc.advisory.avid }}
+                            <i class="fa fa-external-link fa_link_custom"></i>
+                          </a>
+                        </p>
+                          <details>
+                            <summary class="is-size-7 has-text-link" style="cursor: pointer;">
+                              View SSVC decision tree
+                            </summary>
+                            <pre>{{ ssvc.options|pprint }}</pre>
+                          </details>
+                        </div>
+                    </div>
+                  {% endfor %}
+                {% else %}
+                  <p>There are no SSVC decisions available.</p>
+                {% endif %}
+              </div>
+
         <!-- <div class="tab-div content" data-content="history">
             <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
                 <thead>
diff --git a/vulnerabilities/tests/test_api_v2.py b/vulnerabilities/tests/test_api_v2.py
@@ -857,7 +857,7 @@ def setUp(self):
 
     def test_list_with_purl_filter(self):
         url = reverse("advisories-package-v2-list")
-        with self.assertNumQueries(17):
+        with self.assertNumQueries(19):
             response = self.client.get(url, {"purl": "pkg:pypi/sample@1.0.0"})
         assert response.status_code == 200
         assert "packages" in response.data["results"]
@@ -866,7 +866,7 @@ def test_list_with_purl_filter(self):
 
     def test_bulk_lookup(self):
         url = reverse("advisories-package-v2-bulk-lookup")
-        with self.assertNumQueries(16):
+        with self.assertNumQueries(18):
             response = self.client.post(url, {"purls": ["pkg:pypi/sample@1.0.0"]}, format="json")
         assert response.status_code == 200
         assert "packages" in response.data
@@ -876,7 +876,7 @@ def test_bulk_lookup(self):
     def test_bulk_search_plain(self):
         url = reverse("advisories-package-v2-bulk-search")
         payload = {"purls": ["pkg:pypi/sample@1.0.0"], "plain_purl": True, "purl_only": False}
-        with self.assertNumQueries(16):
+        with self.assertNumQueries(18):
             response = self.client.post(url, payload, format="json")
         assert response.status_code == 200
         assert "packages" in response.data
@@ -885,14 +885,14 @@ def test_bulk_search_plain(self):
     def test_bulk_search_purl_only(self):
         url = reverse("advisories-package-v2-bulk-search")
         payload = {"purls": ["pkg:pypi/sample@1.0.0"], "plain_purl": False, "purl_only": True}
-        with self.assertNumQueries(14):
+        with self.assertNumQueries(16):
             response = self.client.post(url, payload, format="json")
         assert response.status_code == 200
         assert "pkg:pypi/sample@1.0.0" in response.data
 
     def test_lookup_single_package(self):
         url = reverse("advisories-package-v2-lookup")
-        with self.assertNumQueries(12):
+        with self.assertNumQueries(16):
             response = self.client.post(url, {"purl": "pkg:pypi/sample@1.0.0"}, format="json")
         assert response.status_code == 200
         assert any(pkg["purl"] == "pkg:pypi/sample@1.0.0" for pkg in response.data)
diff --git a/vulnerabilities/views.py b/vulnerabilities/views.py
