Merge branch 'main' into add-clean-downloads

Author: keshav-space

CHANGELOG.rst

@@ -1,6 +1,11 @@
 Release notes
 =============
 
+Version v38.5.0
+---------------------
+
+- fix: Make package_url field unique for PackageV2
+
 Version v38.4.0
 ---------------------
 

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 38.4.0
+version = 38.5.0
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

vulnerabilities/importer.py

@@ -57,6 +57,16 @@ class VulnerabilitySeverity:
     published_at: Optional[datetime.datetime] = None
     url: Optional[str] = None
 
+    def __post_init__(self):
+        if not self.system:
+            raise ValueError("system is required for VulnerabilitySeverity")
+
+        if not isinstance(self.system, ScoringSystem):
+            raise TypeError(f"system must be a ScoringSystem, got {type(self.system)!r}")
+
+        if not isinstance(self.value, str):
+            self.value = str(self.value)
+
     def to_dict(self):
         data = {
             "system": self.system.identifier,
@@ -469,6 +479,42 @@ def __post_init__(self):
                 "an affected version range, introduced commit patches, or fixed commit patches."
             )
 
+        if self.affected_version_range is not None and not isinstance(
+            self.affected_version_range, VersionRange
+        ):
+            raise TypeError(
+                f"affected_version_range must be VersionRange or None, got {type(self.affected_version_range)!r}"
+            )
+
+        if self.fixed_version_range is not None and not isinstance(
+            self.fixed_version_range, VersionRange
+        ):
+            raise TypeError(
+                f"fixed_version_range must be VersionRange or None, got {type(self.fixed_version_range)!r}"
+            )
+
+        if not isinstance(self.introduced_by_commit_patches, list):
+            raise TypeError(
+                f"introduced_by_commit_patches must be a list, got {type(self.introduced_by_commit_patches)!r}"
+            )
+
+        if not isinstance(self.fixed_by_commit_patches, list):
+            raise TypeError(
+                f"fixed_by_commit_patches must be a list, got {type(self.fixed_by_commit_patches)!r}"
+            )
+
+        for item in self.introduced_by_commit_patches:
+            if not isinstance(item, PackageCommitPatchData):
+                raise TypeError(
+                    f"introduced_by_commit_patches items must be PackageCommitPatchData, got {type(item)!r}"
+                )
+
+        for item in self.fixed_by_commit_patches:
+            if not isinstance(item, PackageCommitPatchData):
+                raise TypeError(
+                    f"fixed_by_commit_patches items must be PackageCommitPatchData, got {type(item)!r}"
+                )
+
     def __lt__(self, other):
         if not isinstance(other, AffectedPackageV2):
             return NotImplemented
@@ -648,6 +694,7 @@ def to_dict(self):
     def from_dict(cls, advisory_data):
         date_published = advisory_data["date_published"]
         transformed = {
+            "advisory_id": advisory_data["advisory_id"],
             "aliases": advisory_data["aliases"],
             "summary": advisory_data["summary"],
             "affected_packages": [

vulnerabilities/migrations/0122_auto_20260415_1155.py

@@ -0,0 +1,36 @@
+from django.db import migrations
+from django.db.models import F, Window
+from django.db.models.functions import RowNumber
+
+
+def remove_duplicate_package_urls(apps, schema_editor):
+    PackageV2 = apps.get_model("vulnerabilities", "PackageV2")
+
+    duplicates = (
+        PackageV2.objects
+        .annotate(
+            rn=Window(
+                expression=RowNumber(),
+                partition_by=[F("package_url")],
+                order_by=F("id").desc(),
+            )
+        )
+        .filter(rn__gt=1)
+    )
+
+    BATCH_SIZE = 1000
+    ids = list(duplicates.values_list("id", flat=True))
+
+    for i in range(0, len(ids), BATCH_SIZE):
+        PackageV2.objects.filter(id__in=ids[i:i+BATCH_SIZE]).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0121_advisoryv2_is_latest_alter_advisoryv2_advisory_id_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_duplicate_package_urls, migrations.RunPython.noop),
+    ]

vulnerabilities/migrations/0123_alter_packagev2_options_alter_packagev2_package_url_and_more.py

@@ -0,0 +1,60 @@
+# Generated by Django 5.2.11 on 2026-04-15 11:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0122_auto_20260415_1155"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="packagev2",
+            options={
+                "ordering": [
+                    "type",
+                    "namespace",
+                    "name",
+                    "version_rank",
+                    "version",
+                    "qualifiers",
+                    "subpath",
+                ]
+            },
+        ),
+        migrations.AlterField(
+            model_name="packagev2",
+            name="package_url",
+            field=models.CharField(
+                db_index=True,
+                help_text="The Package URL for this package.",
+                max_length=1000,
+                unique=True,
+            ),
+        ),
+        migrations.AlterUniqueTogether(
+            name="packagev2",
+            unique_together={("type", "namespace", "name", "version", "qualifiers", "subpath")},
+        ),
+        migrations.AddIndex(
+            model_name="packagev2",
+            index=models.Index(
+                fields=["type", "namespace", "name"], name="vulnerabili_type_ca0efc_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="packagev2",
+            index=models.Index(
+                fields=["type", "namespace", "name", "qualifiers", "subpath"],
+                name="vulnerabili_type_c98c98_idx",
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="packagev2",
+            index=models.Index(
+                fields=["type", "namespace", "name", "version"], name="vulnerabili_type_1af1cc_idx"
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -3477,7 +3477,8 @@ def from_purl(self, purl: Union[PackageURL, str]):
         """
         Return a new Package given a ``purl`` PackageURL object or PURL string.
         """
-        return PackageV2.objects.create(**purl_to_dict(purl=purl))
+        package, _ = PackageV2.objects.get_or_create(**purl_to_dict(purl=purl))
+        return package
 
 
 class PackageV2(PackageURLMixin):
@@ -3490,6 +3491,7 @@ class PackageV2(PackageURLMixin):
         null=False,
         help_text="The Package URL for this package.",
         db_index=True,
+        unique=True,
     )
 
     plain_package_url = models.CharField(
@@ -3520,6 +3522,24 @@ class PackageV2(PackageURLMixin):
         db_index=True,
     )
 
+    class Meta:
+        unique_together = ["type", "namespace", "name", "version", "qualifiers", "subpath"]
+        ordering = ["type", "namespace", "name", "version_rank", "version", "qualifiers", "subpath"]
+        indexes = [
+            # Index for getting al versions of a package
+            models.Index(fields=["type", "namespace", "name"]),
+            models.Index(fields=["type", "namespace", "name", "qualifiers", "subpath"]),
+            # Index for getting a specific version of a package
+            models.Index(
+                fields=[
+                    "type",
+                    "namespace",
+                    "name",
+                    "version",
+                ]
+            ),
+        ]
+
     def __str__(self):
         return self.package_url
 

vulnerabilities/tests/pipelines/test_compute_advisory_todo_v2.py

@@ -11,6 +11,7 @@
 
 from django.test import TestCase
 from packageurl import PackageURL
+from univers.version_range import VersionRange
 
 from vulnerabilities.importer import AdvisoryDataV2
 from vulnerabilities.importer import AffectedPackageV2
@@ -30,8 +31,8 @@ def setUp(self):
             affected_packages=[
                 AffectedPackageV2(
                     package=PackageURL(type="npm", name="package1"),
-                    affected_version_range="vers:npm/>=1.0.0|<2.0.0",
-                    fixed_version_range="vers:npm/2.0.0",
+                    affected_version_range=VersionRange.from_string("vers:npm/>=1.0.0|<2.0.0"),
+                    fixed_version_range=VersionRange.from_string("vers:npm/2.0.0"),
                 )
             ],
             references=[ReferenceV2(url="https://example.com/vuln1")],
@@ -44,7 +45,7 @@ def setUp(self):
             affected_packages=[
                 AffectedPackageV2(
                     package=PackageURL(type="npm", name="package1"),
-                    affected_version_range="vers:npm/>=1.0.0|<2.0.0",
+                    affected_version_range=VersionRange.from_string("vers:npm/>=1.0.0|<2.0.0"),
                 )
             ],
             references=[ReferenceV2(url="https://example.com/vuln1")],
@@ -57,7 +58,7 @@ def setUp(self):
             affected_packages=[
                 AffectedPackageV2(
                     package=PackageURL(type="npm", name="package1"),
-                    fixed_version_range="vers:npm/2.0.0",
+                    fixed_version_range=VersionRange.from_string("vers:npm/2.0.0"),
                 )
             ],
             references=[ReferenceV2(url="https://example.com/vuln1")],
@@ -70,8 +71,8 @@ def setUp(self):
             affected_packages=[
                 AffectedPackageV2(
                     package=PackageURL(type="npm", name="package1"),
-                    affected_version_range="vers:npm/>=1.0.0|<=2.0.0",
-                    fixed_version_range="vers:npm/2.0.1",
+                    affected_version_range=VersionRange.from_string("vers:npm/>=1.0.0|<=2.0.0"),
+                    fixed_version_range=VersionRange.from_string("vers:npm/2.0.1"),
                 )
             ],
             references=[ReferenceV2(url="https://example.com/vuln1")],

vulnerabilities/tests/pipelines/v2_importers/test_vulnrichment_importer_v2.py

@@ -196,7 +196,7 @@ def test_parse_cve_advisory(mock_pathlib, mock_vcs_response, mock_fetch_via_vcs)
     assert advisory.summary == "Sample PyPI vulnerability"
     assert advisory.url == advisory_url
     assert len(advisory.severities) == 1
-    assert advisory.severities[0].value == 5.3
+    assert advisory.severities[0].value == "5.3"
 
 
 def test_collect_advisories_with_invalid_json(mock_pathlib, mock_vcs_response, mock_fetch_via_vcs):

vulnerabilities/tests/test_utils.py

@@ -254,3 +254,10 @@ def test_content_id_from_adv_data_and_adv_model_are_same(self):
         id_from_model = utils.compute_content_id_v2(advisory_model)
 
         self.assertEqual(id_from_data, id_from_model)
+
+    def test_content_id_from_adv_data_roundtrip_are_same(self):
+        id_from_data = utils.compute_content_id_v2(self.advisory1)
+        adv_roundtrip = AdvisoryDataV2.from_dict(self.advisory1.to_dict())
+        id_from_roundtrip = utils.compute_content_id_v2(adv_roundtrip)
+
+        self.assertEqual(id_from_data, id_from_roundtrip)

vulnerablecode/__init__.py

@@ -14,7 +14,7 @@
 
 import git
 
-__version__ = "38.4.0"
+__version__ = "38.5.0"
 
 
 PROJECT_DIR = Path(__file__).resolve().parent