Replace reference with V2

TG1999 · TG1999 · commit 822bcfef99ea · 2025-07-03T21:02:15.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -42,6 +42,9 @@
 from vulnerabilities.pipelines import pypa_importer
 from vulnerabilities.pipelines import pysec_importer
 from vulnerabilities.pipelines.v2_importers import apache_httpd_importer as apache_httpd_v2
+from vulnerabilities.pipelines.v2_importers import (
+    elixir_security_importer as elixir_security_importer_v2,
+)
 from vulnerabilities.pipelines.v2_importers import github_importer as github_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import npm_importer as npm_importer_v2
@@ -54,6 +57,7 @@
 IMPORTERS_REGISTRY = create_registry(
     [
         nvd_importer_v2.NVDImporterPipeline,
+        elixir_security_importer_v2.ElixirSecurityImporterPipeline,
         github_importer_v2.GitHubAPIImporterPipeline,
         npm_importer_v2.NpmImporterPipeline,
         vulnrichment_importer_v2.VulnrichImporterPipeline,
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -23,6 +23,7 @@
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
 from vulnerabilities.utils import build_description
@@ -268,7 +269,7 @@ def get_references_v2(raw_data) -> List[Reference]:
         if not url:
             logger.error(f"Reference without URL : {ref!r} for OSV id: {raw_data['id']!r}")
             continue
-        references.append(Reference(url=ref["url"]))
+        references.append(ReferenceV2(url=ref["url"]))
     return references
 
 
diff --git a/vulnerabilities/pipelines/v2_importers/apache_httpd_importer.py b/vulnerabilities/pipelines/v2_importers/apache_httpd_importer.py
@@ -21,7 +21,7 @@
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.severity_systems import APACHE_HTTPD
@@ -260,7 +260,7 @@ def to_advisory(self, data):
                     )
                 )
                 break
-        reference = Reference(
+        reference = ReferenceV2(
             reference_id=alias,
             url=urllib.parse.urljoin(self.base_url, f"{alias}.json"),
         )
diff --git a/vulnerabilities/pipelines/v2_importers/elixir_security_importer.py b/vulnerabilities/pipelines/v2_importers/elixir_security_importer.py
@@ -18,7 +18,7 @@
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import is_cve
 from vulnerabilities.utils import load_yaml
@@ -83,7 +83,7 @@ def process_file(self, file, base_path) -> Iterable[AdvisoryData]:
         references = []
         link = yaml_file.get("link") or ""
         if link:
-            references.append(Reference(url=link))
+            references.append(ReferenceV2(url=link))
 
         constraints = []
         vrc = HexVersionRange.version_class
diff --git a/vulnerabilities/pipelines/v2_importers/github_importer.py b/vulnerabilities/pipelines/v2_importers/github_importer.py
@@ -24,7 +24,7 @@
 from vulnerabilities import utils
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import dedupe
@@ -271,7 +271,7 @@ def process_response(
         references = get_item(advisory, "references") or []
         if references:
             urls = (ref["url"] for ref in references)
-            references = [Reference.from_url(u) for u in urls]
+            references = [ReferenceV2.from_url(u) for u in urls]
 
         date_published = get_item(advisory, "publishedAt")
         if date_published:
diff --git a/vulnerabilities/pipelines/v2_importers/gitlab_importer.py b/vulnerabilities/pipelines/v2_importers/gitlab_importer.py
@@ -26,7 +26,7 @@
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import build_description
 from vulnerabilities.utils import get_advisory_url
@@ -237,9 +237,7 @@ def parse_gitlab_advisory(
         aliases.remove(advisory_id)
     summary = build_description(gitlab_advisory.get("title"), gitlab_advisory.get("description"))
     urls = gitlab_advisory.get("urls")
-    references = [Reference.from_url(u) for u in urls]
-
-    print(references)
+    references = [ReferenceV2.from_url(u) for u in urls]
 
     cwe_ids = gitlab_advisory.get("cwe_ids") or []
     cwe_list = list(map(get_cwe_id, cwe_ids))
@@ -264,7 +262,7 @@ def parse_gitlab_advisory(
         return AdvisoryData(
             aliases=aliases,
             summary=summary,
-            references=references,
+            references_v2=references,
             date_published=date_published,
             url=advisory_url,
         )
diff --git a/vulnerabilities/pipelines/v2_importers/npm_importer.py b/vulnerabilities/pipelines/v2_importers/npm_importer.py
@@ -20,7 +20,7 @@
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.severity_systems import CVSSV2
@@ -100,14 +100,14 @@ def to_advisory_data(self, file: Path) -> Iterable[AdvisoryData]:
             self.log(f"Advisory ID not found in {file}")
             return
 
-        advisory_reference = Reference(
+        advisory_reference = ReferenceV2(
             url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
             reference_id=id,
         )
 
         for ref in data.get("references") or []:
             references.append(
-                Reference(
+                ReferenceV2(
                     url=ref,
                 )
             )
diff --git a/vulnerabilities/pipelines/v2_importers/nvd_importer.py b/vulnerabilities/pipelines/v2_importers/nvd_importer.py
@@ -20,7 +20,7 @@
 
 from vulnerabilities import severity_systems
 from vulnerabilities.importer import AdvisoryData
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import get_cwe_id
@@ -267,11 +267,11 @@ def references(self):
         # we track each CPE as a reference for now
         for cpe in self.cpes:
             cpe_url = f"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query={cpe}"
-            references.append(Reference(reference_id=cpe, url=cpe_url))
+            references.append(ReferenceV2(reference_id=cpe, url=cpe_url))
 
         # FIXME: we also add the CVE proper as a reference, but is this correct?
         references.append(
-            Reference(
+            ReferenceV2(
                 url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}",
                 reference_id=self.cve_id,
             )
@@ -283,7 +283,7 @@ def references(self):
             for ru in self.reference_urls
             if ru != f"https://nvd.nist.gov/vuln/detail/{self.cve_id}"
         ]
-        references.extend([Reference(url=url) for url in ref_urls])
+        references.extend([ReferenceV2(url=url) for url in ref_urls])
 
         return references
 
diff --git a/vulnerabilities/pipelines/v2_importers/postgresql_importer.py b/vulnerabilities/pipelines/v2_importers/postgresql_importer.py
@@ -19,7 +19,7 @@
 from vulnerabilities import severity_systems
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 
@@ -122,12 +122,12 @@ def to_advisories(self, data):
                 pass
 
             references = []
+            severities = []
             vector_link_tag = severity_score_col.find("a")
             for a_tag in ref_col.select("a"):
                 link = a_tag.attrs["href"]
                 if link.startswith("/"):
                     link = urlparse.urljoin("https://www.postgresql.org/", link)
-                severities = []
                 if "support/security/CVE" in link and vector_link_tag:
                     parsed_link = urlparse.urlparse(vector_link_tag["href"])
                     cvss3_vector = urlparse.parse_qs(parsed_link.query).get("vector", [""])[0]
@@ -139,7 +139,7 @@ def to_advisories(self, data):
                             scoring_elements=cvss3_vector,
                         )
                     )
-                references.append(Reference(url=link, severities=severities))
+                references.append(ReferenceV2(url=link))
 
             if cve_id:
                 advisories.append(
@@ -148,6 +148,7 @@ def to_advisories(self, data):
                         aliases=[],
                         summary=summary,
                         references_v2=references,
+                        severities=severities,
                         affected_packages=affected_packages,
                         url=f"https://www.postgresql.org/support/security/{cve_id}",
                     )
diff --git a/vulnerabilities/pipelines/v2_importers/vulnrichment_importer.py b/vulnerabilities/pipelines/v2_importers/vulnrichment_importer.py
@@ -8,7 +8,7 @@
 from fetchcode.vcs import fetch_via_vcs
 
 from vulnerabilities.importer import AdvisoryData
-from vulnerabilities.importer import Reference
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.models import VulnerabilityReference
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
@@ -151,7 +151,7 @@ def parse_cve_advisory(self, raw_data, advisory_url):
                     ref_type = vul_ref_types.get(tag_type)
 
             url = ref.get("url")
-            reference = Reference(
+            reference = ReferenceV2(
                 reference_id=get_reference_id(url),
                 url=url,
                 reference_type=ref_type,
@@ -160,7 +160,7 @@ def parse_cve_advisory(self, raw_data, advisory_url):
             references.append(reference)
 
         cpes_ref = [
-            Reference(
+            ReferenceV2(
                 reference_id=cpe,
                 reference_type=VulnerabilityReference.OTHER,
                 url=f"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query={cpe}",
diff --git a/vulnerabilities/tests/pipelines/test_postgresql_v2_importer.py b/vulnerabilities/tests/pipelines/test_postgresql_v2_importer.py
@@ -148,7 +148,7 @@ def test_cvss_parsing(mock_get, importer):
     assert len(advisories) == 1
     reference = advisories[0].references_v2[0]
 
-    severity = reference.severities[0]
+    severity = advisories[0].severities[0]
     assert severity.system.identifier == "cvssv3"
     assert severity.value == "9.8"
     assert "AV:N/AC:L/PR:N/UI:N" in severity.scoring_elements

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@`
`21`	`21`
`22`	`22`	`from vulnerabilities.importer import AdvisoryData`
`23`	`23`	`from vulnerabilities.importer import AffectedPackage`
`24`		`-from vulnerabilities.importer import Reference`
	`24`	`+from vulnerabilities.importer import ReferenceV2`
`25`	`25`	`from vulnerabilities.importer import VulnerabilitySeverity`
`26`	`26`	`from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2`
`27`	`27`	`from vulnerabilities.severity_systems import APACHE_HTTPD`
`@@ -260,7 +260,7 @@ def to_advisory(self, data):`
`260`	`260`	`)`
`261`	`261`	`)`
`262`	`262`	`break`
`263`		`- reference = Reference(`
	`263`	`+ reference = ReferenceV2(`
`264`	`264`	`reference_id=alias,`
`265`	`265`	`url=urllib.parse.urljoin(self.base_url, f"{alias}.json"),`
`266`	`266`	`)`