Include PackageCommitPatch and Patch in AdvisoryV2 serialization

Fixes: #2116

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/importer.py

@@ -512,24 +512,30 @@ def from_dict(cls, affected_pkg: dict):
         fixed_version_range = None
         affected_range = affected_pkg["affected_version_range"]
         fixed_range = affected_pkg["fixed_version_range"]
-        introduced_by_commit_patches = (
-            affected_pkg.get("introduced_by_package_commit_patches") or []
-        )
-        fixed_by_commit_patches = affected_pkg.get("fixed_by_package_commit_patches") or []
+        introduced_by_commit_patches = affected_pkg.get("introduced_by_commit_patches") or []
+        fixed_by_commit_patches = affected_pkg.get("fixed_by_commit_patches") or []
 
         try:
-            affected_version_range = VersionRange.from_string(affected_range)
-            fixed_version_range = VersionRange.from_string(fixed_range)
+            affected_version_range = (
+                VersionRange.from_string(affected_range) if affected_range else None
+            )
+            fixed_version_range = VersionRange.from_string(fixed_range) if fixed_range else None
         except:
             tb = traceback.format_exc()
             logger.error(
                 f"Cannot create AffectedPackage with invalid or unknown range: {affected_pkg!r} with error: {tb!r}"
             )
             return
 
-        if not fixed_version_range and not affected_version_range:
+        if (
+            not fixed_version_range
+            and not affected_version_range
+            and not introduced_by_commit_patches
+            and not fixed_by_commit_patches
+        ):
             logger.error(
-                f"Cannot create AffectedPackage without fixed or affected range: {affected_pkg!r}"
+                f"Cannot create an AffectedPackage for: {affected_pkg!r}, at least one of the following must be provided: "
+                "a fixed version range, an affected version range, introduced commit patches, or fixed commit patches"
             )
             return
 

vulnerabilities/models.py

@@ -2796,6 +2796,19 @@ class Meta:
             )
         ]
 
+    def to_dict(self):
+        return {
+            "patch_url": self.patch_url,
+            "patch_text": self.patch_text,
+            "patch_checksum": self.patch_checksum,
+        }
+
+    def to_patch_data(self):
+        """Return `PatchData` from the Patch."""
+        from vulnerabilities.importer import PatchData
+
+        return PatchData.from_dict(self.to_dict())
+
 
 class PackageCommitPatch(models.Model):
     """
@@ -2823,6 +2836,14 @@ def save(self, *args, **kwargs):
     class Meta:
         unique_together = ["commit_hash", "vcs_url"]
 
+    def to_dict(self):
+        return {
+            "vcs_url": self.vcs_url,
+            "commit_hash": self.commit_hash,
+            "patch_text": self.patch_text,
+            "patch_checksum": self.patch_checksum,
+        }
+
 
 class AdvisoryV2QuerySet(BaseQuerySet):
     def latest_for_avid(self, avid: str):
@@ -3016,6 +3037,7 @@ def to_advisory_data(self) -> "AdvisoryData":
                 impacted.to_affected_package_data() for impacted in self.impacted_packages.all()
             ],
             references_v2=[ref.to_reference_v2_data() for ref in self.references.all()],
+            patches=[patch.to_patch_data() for patch in self.patches.all()],
             date_published=self.date_published,
             weaknesses=[weak.cwe_id for weak in self.weaknesses.all()],
             severities=[sev.to_vulnerability_severity_data() for sev in self.severities.all()],
@@ -3099,6 +3121,12 @@ def to_dict(self):
             "package": purl_to_dict(self.base_purl),
             "affected_version_range": self.affecting_vers,
             "fixed_version_range": self.fixed_vers,
+            "introduced_by_commit_patches": [
+                commit.to_dict() for commit in self.introduced_by_package_commit_patches.all()
+            ],
+            "fixed_by_commit_patches": [
+                commit.to_dict() for commit in self.fixed_by_package_commit_patches.all()
+            ],
         }
 
     def to_affected_package_data(self):