Compute package risk from impacts

keshav-space · keshav-space · commit c7d6a31821b8 · 2025-07-29T18:19:12.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/vulnerabilities/api_v2.py b/vulnerabilities/api_v2.py
@@ -1172,7 +1172,6 @@ def bulk_search(self, request):
                     ),
                 )
                 .with_is_vulnerable()
-                .order_by("package_url")
             )
 
             packages = query
@@ -1206,7 +1205,8 @@ def bulk_search(self, request):
 
         query = (
             PackageV2.objects.filter(package_url__in=purls)
-            .distinct()
+            .order_by("plain_package_url")
+            .distinct("plain_package_url")
             .prefetch_related(
                 Prefetch(
                     "affected_in_impacts",
diff --git a/vulnerabilities/pipelines/v2_improvers/collect_commits.py b/vulnerabilities/pipelines/v2_improvers/collect_commits.py
@@ -61,9 +61,6 @@ def collect_and_store_fix_commits(self):
 
                 # Skip if already processed
                 if is_vcs_url_already_processed(commit_id=vcs_url):
-                    self.log(
-                        f"Skipping already processed reference: {reference.url} with VCS URL {vcs_url}"
-                    )
                     continue
                 # check if vcs_url has commit
                 for impact in adv.impacted_packages.all():
diff --git a/vulnerabilities/pipelines/v2_improvers/compute_package_risk.py b/vulnerabilities/pipelines/v2_improvers/compute_package_risk.py
@@ -34,17 +34,13 @@ def steps(cls):
 
     def compute_and_store_vulnerability_risk_score(self):
         affected_advisories = (
-            AdvisoryV2.objects.filter(affecting_packages__isnull=False)
-            .prefetch_related(
-                "references",
-                "severities",
-                "exploits",
-            )
+            AdvisoryV2.objects.filter(impacted_packages__affecting_packages__isnull=False)
+            .prefetch_related("references", "severities", "exploits")
             .distinct()
         )
 
         self.log(
-            f"Calculating risk for {affected_advisories.count():,d} vulnerability with a affected packages records"
+            f"Calculating risk for {affected_advisories.count():,d} advisory with a affected packages records"
         )
 
         progress = LoopProgress(total_iterations=affected_advisories.count(), logger=self.log)
@@ -53,7 +49,7 @@ def compute_and_store_vulnerability_risk_score(self):
         updated_vulnerability_count = 0
         batch_size = 5000
 
-        for advisory in progress.iter(affected_advisories.paginated(per_page=batch_size)):
+        for advisory in progress.iter(affected_advisories.iterator(chunk_size=batch_size)):
             severities = advisory.severities.all()
             references = advisory.references.all()
             exploits = advisory.exploits.all()
@@ -65,9 +61,6 @@ def compute_and_store_vulnerability_risk_score(self):
             )
             advisory.weighted_severity = weighted_severity
             advisory.exploitability = exploitability
-            print(
-                f"Computed risk for {advisory.advisory_id} with weighted_severity={weighted_severity} and exploitability={exploitability}"
-            )
             updatables.append(advisory)
 
             if len(updatables) >= batch_size:
@@ -90,9 +83,7 @@ def compute_and_store_vulnerability_risk_score(self):
         )
 
     def compute_and_store_package_risk_score(self):
-        affected_packages = (
-            PackageV2.objects.filter(affected_by_advisories__isnull=False)
-        ).distinct()
+        affected_packages = (PackageV2.objects.filter(affected_in_impacts__isnull=False)).distinct()
 
         self.log(f"Calculating risk for {affected_packages.count():,d} affected package records")
 
@@ -106,7 +97,7 @@ def compute_and_store_package_risk_score(self):
         updated_package_count = 0
         batch_size = 10000
 
-        for package in progress.iter(affected_packages.paginated(per_page=batch_size)):
+        for package in progress.iter(affected_packages.iterator(chunk_size=batch_size)):
             risk_score = compute_package_risk_v2(package)
 
             if not risk_score:
diff --git a/vulnerabilities/risk.py b/vulnerabilities/risk.py
@@ -122,8 +122,8 @@ def compute_package_risk_v2(package):
     and determining the associated risk.
     """
     result = []
-    for advisory in package.affected_by_advisories.all():
-        if risk := advisory.risk_score:
+    for impact in package.affected_in_impacts.all():
+        if risk := impact.advisory.risk_score:
             result.append(float(risk))
 
     if not result:
