Group advisories with alias and affected packages

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/improvers/__init__.py

@@ -32,6 +32,7 @@
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
+from vulnerabilities.pipelines.v2_improvers import group_advisories_for_packages
 from vulnerabilities.pipelines.v2_improvers import relate_severities
 from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
 from vulnerabilities.utils import create_registry
@@ -76,5 +77,6 @@
         collect_ssvc_trees.CollectSSVCPipeline,
         relate_severities.RelateSeveritiesPipeline,
         compute_advisory_content_hash.ComputeAdvisoryContentHash,
+        group_advisories_for_packages.GroupAdvisoriesForPackages,
     ]
 )

vulnerabilities/migrations/0118_advisoryset_advisorysetmember.py

@@ -0,0 +1,71 @@
+# Generated by Django 5.2.11 on 2026-03-25 10:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0117_advisoryv2_risk_score"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AdvisorySet",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "relation_type",
+                    models.CharField(
+                        choices=[("affecting", "Affecting"), ("fixing", "Fixing")], max_length=20
+                    ),
+                ),
+                ("identifiers", models.JSONField()),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.packagev2"
+                    ),
+                ),
+                (
+                    "primary_advisory",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.PROTECT, to="vulnerabilities.advisoryv2"
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name="AdvisorySetMember",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("is_primary", models.BooleanField(default=False)),
+                (
+                    "advisory",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.advisoryv2"
+                    ),
+                ),
+                (
+                    "advisory_set",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="members",
+                        to="vulnerabilities.advisoryset",
+                    ),
+                ),
+            ],
+        ),
+    ]

vulnerabilities/models.py

@@ -2920,6 +2920,53 @@ def latest_advisories_for_purls(self, purls):
         qs = self.filter(id__in=Subquery(adv_ids))
         return qs.latest_per_avid()
 
+    def latest_advisories_for_purl(self, purl):
+        adv_ids = (
+            ImpactedPackageAffecting.objects.filter(package__package_url=purl)
+            .values_list(
+                "impacted_package__advisory_id",
+                flat=True,
+            )
+            .union(
+                ImpactedPackageFixedBy.objects.filter(package__package_url=purl).values_list(
+                    "impacted_package__advisory_id",
+                    flat=True,
+                )
+            )
+        )
+
+        qs = self.filter(id__in=Subquery(adv_ids))
+        return qs.latest_per_avid()
+
+
+class AdvisorySet(models.Model):
+
+    RELATION_TYPE_CHOICES = [
+        ("affecting", "Affecting"),
+        ("fixing", "Fixing"),
+    ]
+
+    package = models.ForeignKey("PackageV2", on_delete=models.CASCADE)
+    relation_type = models.CharField(max_length=20, choices=RELATION_TYPE_CHOICES)
+
+    identifiers = models.JSONField()
+
+    primary_advisory = models.ForeignKey("AdvisoryV2", on_delete=models.PROTECT)
+
+    created_at = models.DateTimeField(auto_now_add=True)
+
+
+class AdvisorySetMember(models.Model):
+
+    advisory_set = models.ForeignKey(
+        AdvisorySet,
+        on_delete=models.CASCADE,
+        related_name="members",
+    )
+
+    advisory = models.ForeignKey("AdvisoryV2", on_delete=models.CASCADE)
+    is_primary = models.BooleanField(default=False)
+
 
 class AdvisoryV2(models.Model):
     """
@@ -3085,6 +3132,9 @@ def save(self, *args, **kwargs):
         self.full_clean()
         return super().save(*args, **kwargs)
 
+    def __str__(self):
+        return self.avid
+
     @property
     def get_status_label(self):
         label_by_status = {choice[0]: choice[1] for choice in VulnerabilityStatusType.choices}

vulnerabilities/pipelines/v2_improvers/group_advisories_for_packages.py

@@ -0,0 +1,172 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from collections import defaultdict
+
+from django.db import transaction
+
+from vulnerabilities.models import AdvisorySet
+from vulnerabilities.models import AdvisorySetMember
+from vulnerabilities.models import AdvisoryV2
+from vulnerabilities.models import PackageV2
+from vulnerabilities.pipelines import VulnerableCodePipeline
+from vulnerabilities.utils import compute_advisory_content
+
+
+class GroupAdvisoriesForPackages(VulnerableCodePipeline):
+    """Detect and flag packages that do not exist upstream."""
+
+    pipeline_id = "group_advisories_for_packages"
+
+    @classmethod
+    def steps(cls):
+        return (cls.group_advisories_for_packages,)
+
+    def group_advisories_for_packages(self):
+        group_advisoris_for_packages(logger=self.log)
+
+
+def merge_advisories(advisories):
+
+    advisories = list(advisories)
+
+    content_hash_map = defaultdict(list)
+    result_groups = []
+
+    for adv in advisories:
+
+        if adv.advisory_content_hash:
+            content_hash_map[adv.advisory_content_hash].append(adv)
+        else:
+            content_hash = compute_advisory_content(advisory_data=adv)
+            if content_hash:
+                content_hash_map[content_hash].append(adv)
+            else:
+                result_groups.append([adv])
+
+    final_groups = []
+
+    for group in content_hash_map.values():
+        groups = get_merged_identifier_groups(group)
+        final_groups.extend(groups)
+
+    return final_groups
+
+
+def get_merged_identifier_groups(advisories):
+
+    identifier_groups = defaultdict(set)
+    advisory_to_identifiers = defaultdict(set)
+
+    advisories = list(advisories)
+
+    for adv in advisories:
+
+        identifier_groups[adv.advisory_id].add(adv)
+        advisory_to_identifiers[adv].add(adv.advisory_id)
+
+        for alias in adv.aliases.all():
+            identifier_groups[alias.alias].add(adv)
+            advisory_to_identifiers[adv].add(alias.alias)
+
+    groups = [set(advs) for advs in identifier_groups.values() if len(advs) > 1]
+
+    merged = []
+
+    for group in groups:
+        group = set(group)
+
+        i = 0
+        while i < len(merged):
+            if group & merged[i]:
+                group |= merged[i]
+                merged.pop(i)
+            else:
+                i += 1
+
+        merged.append(group)
+
+    all_grouped = set()
+    for g in merged:
+        all_grouped |= g
+
+    for adv in advisories:
+        if adv not in all_grouped:
+            merged.append({adv})
+
+    final_groups = []
+
+    for group in merged:
+        identifiers = set()
+        for adv in group:
+            for alias in adv.aliases.values_list("alias", flat=True):
+                identifiers.add(alias)
+
+        primary = max(group, key=lambda a: a.precedence if a.precedence is not None else -1)
+
+        secondary = [a for a in group if a != primary]
+
+        final_groups.append((identifiers, primary, secondary))
+
+    return final_groups
+
+
+def group_advisoris_for_packages(logger=None):
+    for package in PackageV2.objects.iterator():
+        affecting_advisories = AdvisoryV2.objects.latest_affecting_advisories_for_purl(
+            purl=package.purl
+        ).prefetch_related("aliases")
+
+        fixed_by_advisories = AdvisoryV2.objects.latest_fixed_by_advisories_for_purl(
+            purl=package.purl
+        ).prefetch_related("aliases")
+
+        try:
+            delete_and_save_advisory_set(package, affecting_advisories, relation="affecting")
+            delete_and_save_advisory_set(package, fixed_by_advisories, relation="fixing")
+        except Exception as e:
+            print(f"Failed rebuilding advisory sets for package {package.purl}: {e!r}")
+            continue
+
+
+@transaction.atomic
+def delete_and_save_advisory_set(package, advisories, relation=None):
+    AdvisorySet.objects.filter(package=package, relation_type=relation).delete()
+
+    groups = merge_advisories(advisories)
+
+    membership_to_create = []
+
+    for identifiers, primary, secondary in groups:
+
+        advisory_set = AdvisorySet.objects.create(
+            package=package,
+            relation_type=relation,
+            identifiers=list(identifiers),
+            primary_advisory=primary,
+        )
+
+        membership_to_create.append(
+            AdvisorySetMember(
+                advisory_set=advisory_set,
+                advisory=primary,
+                is_primary=True,
+            )
+        )
+
+        for adv in secondary:
+            membership_to_create.append(
+                AdvisorySetMember(
+                    advisory_set=advisory_set,
+                    advisory=adv,
+                    is_primary=False,
+                )
+            )
+
+    AdvisorySetMember.objects.bulk_create(membership_to_create)