Use impact to determine suitable fix for affected pkg

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/models.py

@@ -3152,65 +3152,6 @@ def get_absolute_url(self):
     def current_version(self):
         return self.version_class(self.version)
 
-    def get_affecting_vulnerabilities(self):
-        """
-        Return a list of vulnerabilities that affect this package together with information regarding
-        the versions that fix the vulnerabilities.
-        """
-        if self.version_rank == 0:
-            self.calculate_version_rank
-        package_details_advs = []
-
-        fixed_by_packages = PackageV2.objects.get_fixed_by_package_versions(self, fix=True)
-
-        package_advisories = self.affected_by_advisories.prefetch_related(
-            Prefetch(
-                "fixed_by_packages",
-                queryset=fixed_by_packages,
-                to_attr="fixed_packages",
-            )
-        )
-
-        for adv in package_advisories:
-            package_details_advs.append({"advisory": adv})
-            later_fixed_packages = []
-
-            for fixed_pkg in adv.fixed_by_packages.all():
-                if fixed_pkg not in fixed_by_packages:
-                    continue
-                fixed_version = self.version_class(fixed_pkg.version)
-                if fixed_version > self.current_version:
-                    later_fixed_packages.append(fixed_pkg)
-
-            next_fixed_package_vulns = []
-
-            sort_fixed_by_packages_by_version = []
-            if later_fixed_packages:
-                sort_fixed_by_packages_by_version = sorted(
-                    later_fixed_packages, key=lambda p: p.version_rank
-                )
-
-            fixed_by_pkgs = []
-
-            for vuln_details in package_details_advs:
-                if vuln_details["advisory"] != adv:
-                    continue
-                vuln_details["fixed_by_purl"] = []
-                vuln_details["fixed_by_purl_advisories"] = []
-
-                for fixed_by_pkg in sort_fixed_by_packages_by_version:
-                    fixed_by_package_details = {}
-                    fixed_by_purl = PackageURL.from_string(fixed_by_pkg.purl)
-                    next_fixed_package_vulns = list(fixed_by_pkg.affected_by_advisories.all())
-
-                    fixed_by_package_details["fixed_by_purl"] = fixed_by_purl
-                    fixed_by_package_details["fixed_by_purl_advisories"] = next_fixed_package_vulns
-                    fixed_by_pkgs.append(fixed_by_package_details)
-
-                    vuln_details["fixed_by_package_details"] = fixed_by_pkgs
-
-        return package_details_advs
-
 
 class AdvisoryExploit(models.Model):
     """

vulnerabilities/templates/advisory_package_details.html

@@ -6,83 +6,62 @@
 {% load url_filters %}
 
 {% block title %}
-VulnerableCode Advisory Package Details - {{ advisory.advisory_id }}
+VulnerableCode Advisory Package Details - {{ advisoryv2.advisory_id }}
 {% endblock %}
 
 {% block content %}
 
-{% if advisory %}
-<section class="section pt-0">
-    <div class="details-container">
-        <article class="panel is-info panel-header-only">
-            <div class="panel-heading py-2 is-size-6">
-                Vulnerable and Fixing Package details for Advisory:
-                <span class="tag is-white custom">
-                    {{ advisory.advisory_id }}
-                </span>
-            </div>
-        </article>
-            <div id="tab-content">
-                <table class="table vcio-table width-100-pct mt-2">
-                    <thead>
-                        <tr>
-                            <th style="width: 50%;">Affected</th>
-                            <th>Fixed by</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                        {% for package in affected_packages %}
-                        <tr>
-                            <td>
-                                <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
-                            </td>
-                            <td>
-
-                                {% for match in all_affected_fixed_by_matches %}
-                                    {% if match.affected_package == package %}
-                                        {% if match.matched_fixed_by_packages|length > 0 %}
-                                            {% for pkg in match.matched_fixed_by_packages %}
-                                                <a href="/packages/{{ pkg }}?search={{ pkg }}" target="_self">{{ pkg }}</a>
-                                                <br />
-                                            {% endfor %}
-                                        {% else %}
+{% if advisoryv2 %}
+    <section class="section pt-0">
+        <div class="details-container">
+            <article class="panel is-info panel-header-only">
+                <div class="panel-heading py-2 is-size-6">
+                    Vulnerable and Fixing Package details for Advisory:
+                    <span class="tag is-white custom">
+                        {{ advisoryv2.advisory_id }}
+                    </span>
+                </div>
+            </article>
+                <div id="tab-content">
+                    <table class="table vcio-table width-100-pct mt-2">
+                        <thead>
+                            <tr>
+                                <th style="width: 50%;">Affected</th>
+                                <th>Fixed by</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {% for impact in advisoryv2.impacted_packages.all %}
+                                <tr>
+                                    <td>
+                                        {% for package in impact.affecting_packages.all %}
+                                            <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
+                                            <br />
+                                        {% endfor %}
+                                    </td>
+                                    <td>
+                                        {% for package in impact.fixed_by_packages.all %}
+                                            <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
+                                            <br />
+                                        {% empty %}
                                             <span class="emphasis-vulnerable">There are no reported fixed by versions.</span>
-                                        {% endif %}
-                                    {% endif %}
-                                {% endfor %}
-
-                            </td>
-                        </tr>
-                        {% empty %}
-                        <tr>
-                            <td colspan="2">
-                                This vulnerability is not known to affect any packages.
-                            </td>
-                        </tr>
-                        {% endfor %}
-                    </tbody>
-                </table>
-            </div>
-    </div>
-</section>
+                                        {% endfor %}
+                                    </td>
+                                </tr>
+                            {% empty %}
+                                <tr>
+                                    <td colspan="2">
+                                        This vulnerability is not known to affect any packages.
+                                    </td>
+                                </tr>
+                            {% endfor %}
+                        </tbody>
+                    </table>
+                </div>
+        </div>
+    </section>
 {% endif %}
 
 <script src="{% static 'js/main.js' %}" crossorigin="anonymous"></script>
 
-<script>
-    function goToTab(tabName) {
-        const activeLink = document.querySelector('div.tabs.is-boxed li.is-active');
-        const activeTabContent = document.querySelector('div.tab-div.is-active');
-
-        activeLink.classList.remove('is-active');
-        activeTabContent.classList.remove('is-active');
-
-        const target_id = document.querySelector(`[data-tab='${tabName}']`);
-        const targetTabContent = document.querySelector(`[data-content='${tabName}']`);
-
-        target_id.classList.add('is-active');
-        targetTabContent.classList.add('is-active');
-    }
-</script>
-
 {% endblock %}

vulnerabilities/views.py

@@ -616,37 +616,25 @@ def get_queryset(self):
             .get_queryset()
             .prefetch_related(
                 Prefetch(
-                    "affecting_packages",
-                    queryset=models.PackageV2.objects.only("type", "namespace", "name", "version"),
-                ),
-                Prefetch(
-                    "fixed_by_packages",
-                    queryset=models.PackageV2.objects.only("type", "namespace", "name", "version"),
-                ),
+                    "impacted_packages",
+                    queryset=models.ImpactedPackage.objects.prefetch_related(
+                        Prefetch(
+                            "affecting_packages",
+                            queryset=models.PackageV2.objects.only(
+                                "type", "namespace", "name", "version"
+                            ),
+                        ),
+                        Prefetch(
+                            "fixed_by_packages",
+                            queryset=models.PackageV2.objects.only(
+                                "type", "namespace", "name", "version"
+                            ),
+                        ),
+                    ),
+                )
             )
         )
 
-    def get_context_data(self, **kwargs):
-        """
-        Build context with preloaded QuerySets and minimize redundant queries.
-        """
-        context = super().get_context_data(**kwargs)
-        advisory = self.object
-        (
-            sorted_fixed_by_packages,
-            sorted_affected_packages,
-            all_affected_fixed_by_matches,
-        ) = advisory.aggregate_fixed_and_affected_packages()
-        context.update(
-            {
-                "affected_packages": sorted_affected_packages,
-                "fixed_by_packages": sorted_fixed_by_packages,
-                "all_affected_fixed_by_matches": all_affected_fixed_by_matches,
-                "advisory": advisory,
-            }
-        )
-        return context
-
 
 class PipelineScheduleListView(ListView, FormMixin):
     model = PipelineSchedule