Get related advisory using impacted pkg in v2 pkg details view

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/models.py

@@ -3112,23 +3112,6 @@ def calculate_version_rank(self):
             PackageV2.objects.bulk_update(sorted_packages, fields=["version_rank"])
         return self.version_rank
 
-    @property
-    def fixed_package_details(self):
-        """
-        Return a mapping of vulnerabilities that affect this package and the next and
-        latest non-vulnerable versions.
-        """
-        package_details = {}
-        package_details["purl"] = PackageURL.from_string(self.purl)
-
-        next_non_vulnerable, latest_non_vulnerable = self.get_non_vulnerable_versions()
-        package_details["next_non_vulnerable"] = next_non_vulnerable
-        package_details["latest_non_vulnerable"] = latest_non_vulnerable
-
-        package_details["advisories"] = self.get_affecting_vulnerabilities()
-
-        return package_details
-
     def get_non_vulnerable_versions(self):
         """
         Return a tuple of the next and latest non-vulnerable versions as Package instance.

vulnerabilities/templates/package_details_v2.html

@@ -3,6 +3,7 @@
 {% load widget_tweaks %}
 {% load static %}
 {% load url_filters %}
+{% load utils %}
 
 {% block title %}
 VulnerableCode Package Details - {{ package.purl }}
@@ -60,7 +61,7 @@
                                         </span>
                                     </td>
                                     <td class="two-col-right">
-                                        {{ fixed_package_details.purl.to_string }}
+                                        {{ package.purl }}
                                     </td>
                                 </tr>
                                 {% if package.is_ghost %}
@@ -91,9 +92,9 @@
                                         Next non-vulnerable version
                                     </td>
                                     <td class="two-col-right">
-                                        {% if fixed_package_details.next_non_vulnerable.version %}
-                                        <a href="/packages/v2/{{ fixed_package_details.next_non_vulnerable|url_quote }}?search={{ fixed_package_details.next_non_vulnerable }}"
-                                            target="_self">{{ fixed_package_details.next_non_vulnerable.version }}</a>
+                                        {% if next_non_vulnerable.version %}
+                                        <a href="/packages/v2/{{ next_non_vulnerable|url_quote }}?search={{ next_non_vulnerable }}"
+                                            target="_self">{{ next_non_vulnerable.version }}</a>
                                         {% else %}
                                         <span class="emphasis-vulnerable">None.</span>
                                         {% endif %}
@@ -104,9 +105,9 @@
                                         Latest non-vulnerable version
                                     </td>
                                     <td class="two-col-right">
-                                        {% if fixed_package_details.latest_non_vulnerable.version %}
-                                        <a href="/packages/v2/{{ fixed_package_details.latest_non_vulnerable|url_quote }}?search={{ fixed_package_details.latest_non_vulnerable }}"
-                                            target="_self">{{ fixed_package_details.latest_non_vulnerable.version }}</a>
+                                        {% if latest_non_vulnerable.version %}
+                                        <a href="/packages/v2/{{ latest_non_vulnerable|url_quote }}?search={{ latest_non_vulnerable }}"
+                                            target="_self">{{ latest_non_vulnerable.version }}</a>
                                         {% else %}
                                         <span class="emphasis-vulnerable">None.</span>
                                         {% endif %}
@@ -175,66 +176,22 @@
                                         {{ advisory.summary }}
                                     </td>
                                     <td style="word-wrap: break-word; word-break: break-all;">
-                                        {% if package.purl == fixed_package_details.purl.to_string %}
-                                        {% for key, value in fixed_package_details.items %}
-                                        {% if key == "advisories" %}
-                                        {% for vuln in value %}
-                                        {% if vuln.advisory.advisory_id == advisory.advisory_id %}
-                                        {% if vuln.fixed_by_package_details is None %}
-                                        <span class="emphasis-vulnerable">There are no reported fixed by versions.</span>
-                                        {% else %}
-                                        {% for fixed_pkg in vuln.fixed_by_package_details %}
-                                            <section>
-                                                {% if fixed_pkg.fixed_by_purl_advisories|length == 0 %}
-                                                <a href="/packages/v2/{{ fixed_pkg.fixed_by_purl|url_quote }}?search={{ fixed_pkg.fixed_by_purl }}"
-                                                    target="_self">{{ fixed_pkg.fixed_by_purl.version }}</a>
-                                                <br />
-                                                <span class="emphasis-not-vulnerable">Subject of 0 other advisories.</span>
-                                                {% else %}
-                                                <a href="/packages/v2/{{ fixed_pkg.fixed_by_purl|url_quote }}?search={{ fixed_pkg.fixed_by_purl }}"
-                                                    target="_self">{{ fixed_pkg.fixed_by_purl.version }}</a>
-                                                {% if fixed_pkg.fixed_by_purl_advisories|length != 1 %}
-                                                <br />
-                                                <span class="emphasis-vulnerable">Subject of {{ fixed_pkg.fixed_by_purl_advisories|length }} other
-                                                    advisory.</span>
-                                                {% else %}
-                                                <br />
-                                                <span class="emphasis-vulnerable">Subject of {{ fixed_pkg.fixed_by_purl_advisories|length }} other
-                                                    advisory.</span>
-                                                {% endif %}
-
-                                                <div class="dropdown is-hoverable has-text-weight-normal is-right">
-                                                    <div class="dropdown-trigger">
-                                                        <i
-                                                            class="fa fa-question-circle ml-0 fa-sm has-background-white has-text-link"></i>
-                                                    </div>
-                                                    <div class="dropdown-menu dropdown-vuln-list-width" id="dropdown-menu4"
-                                                        role="menu">
-                                                        <div class="dropdown-content dropdown-instructions-box-shadow">
-                                                            <div class="dropdown-item">
-                                                                <div style="max-height: 200px; overflow-y: auto;">
-                                                                    This version is subject of other advisories:
-                                                                    <div style="padding-top: 5px;">
-                                                                        {% for fixed_by_vuln in fixed_pkg.fixed_by_purl_advisories %}
-                                                                        <div>
-                                                                            {{fixed_by_vuln.advisory_id }}
-                                                                        </div>
-                                                                        {% endfor %}
-                                                                    </div>
-                                                                </div>
-                                                            </div>
-                                                        </div>
-                                                    </div>
-                                                </div>
-                                                {% endif %}
-                                            </section>
-                                        {% endfor %}
-                                        {% endif %}
-                                        {% endif %}
-                                        {% endfor %}
-                                        {% endif %}
-                                        {% endfor %}
-                                        {% endif %}
+                                        {% with fixed=fixed_package_details|get_item:advisory.id %}
+                                            {% if fixed %}
+                                                {% for item in fixed %}
+                                                <section>
+                                                    <a href="/packages/v2/{{ item.pkg.purl|url_quote }}?search={{ item.pkg.purl }}"
+                                                        target="_self">{{ item.pkg.version }}</a>
+                                                    <br/>
+                                                    <span class="{{ item.affected_count|yesno:'emphasis-vulnerable,emphasis-not-vulnerable' }}">
+                                                        Subject of {{ item.affected_count }} other advisories.
+                                                    </span>
+                                                </section>
+                                                {% endfor %}
+                                            {% else %}
+                                                <span class="emphasis-vulnerable">There are no reported fixed by versions.</span>
+                                            {% endif %}
+                                        {% endwith %}
                                     </td>
                                 </tr>
                                 {% empty %}

vulnerabilities/templatetags/utils.py

@@ -34,3 +34,8 @@ def active_item(context, url_name):
         if request.resolver_match.url_name == url_name:
             return "is-active"
     return ""
+
+
+@register.filter
+def get_item(dictionary, key):
+    return dictionary.get(key)

vulnerabilities/views.py

@@ -34,6 +34,7 @@
 from vulnerabilities.forms import PackageSearchForm
 from vulnerabilities.forms import PipelineSchedulePackageForm
 from vulnerabilities.forms import VulnerabilitySearchForm
+from vulnerabilities.models import ImpactedPackage
 from vulnerabilities.models import PipelineRun
 from vulnerabilities.models import PipelineSchedule
 from vulnerabilities.severity_systems import EPSS
@@ -186,18 +187,51 @@ class PackageV2Details(DetailView):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         package = self.object
+        next_non_vulnerable, latest_non_vulnerable = package.get_non_vulnerable_versions()
+        fixed_pkg_details = {}
+        for impact in package.affected_in_impacts.all():
+            if impact.advisory.id not in fixed_pkg_details:
+                fixed_pkg_details[impact.advisory.id] = []
+            fixed_pkg_details[impact.advisory.id].extend(
+                [
+                    {"pkg": pkg, "affected_count": pkg.affected_in_impacts.count()}
+                    for pkg in impact.fixed_by_packages.all()
+                ]
+            )
         context["package"] = package
-        context["affected_by_advisories"] = package.affected_by_advisories.order_by("advisory_id")
+        context["next_non_vulnerable"] = next_non_vulnerable
+        context["latest_non_vulnerable"] = latest_non_vulnerable
+        context["affected_by_advisories"] = {
+            impact.advisory for impact in package.affected_in_impacts.all()
+        }
         # Ghost package should not fix any vulnerability.
-        context["fixing_advisories"] = (
-            None if package.is_ghost else package.fixing_advisories.order_by("advisory_id")
-        )
+        if not package.is_ghost:
+            context["fixing_advisories"] = {
+                impact.advisory for impact in package.fixed_in_impacts.all()
+            }
+
         context["package_search_form"] = PackageSearchForm(self.request.GET)
-        context["fixed_package_details"] = package.fixed_package_details
+        context["fixed_package_details"] = fixed_pkg_details
 
         # context["history"] = list(package.history)
         return context
 
+    def get_queryset(self):
+        return (
+            super()
+            .get_queryset()
+            .prefetch_related(
+                Prefetch(
+                    "affected_in_impacts",
+                    queryset=ImpactedPackage.objects.select_related("advisory"),
+                ),
+                Prefetch(
+                    "fixed_in_impacts",
+                    queryset=ImpactedPackage.objects.select_related("advisory"),
+                ),
+            )
+        )
+
     def get_object(self, queryset=None):
         if queryset is None:
             queryset = self.get_queryset()