From 7369247dc8ab69e3d1c5787cb7fb6f039da56f72 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@aboutcode.org>
Date: Mon, 13 Apr 2026 19:15:08 +0400
Subject: [PATCH 1/5] Migrate VulnerableCode integration to API v3

Signed-off-by: tdruez <tdruez@aboutcode.org>
---
 scanpipe/pipes/vulnerablecode.py              |   98 +-
 .../scanpipe/includes/vulnerability_id.html   |   22 +-
 .../scanpipe/tabset/tab_vulnerabilities.html  |   12 +
 .../django-5.0_package_data.json              | 1079 ++++++-----------
 scanpipe/tests/pipes/test_vulnerablecode.py   |   15 +-
 scanpipe/tests/test_pipelines.py              |    7 +-
 6 files changed, 436 insertions(+), 797 deletions(-)

diff --git a/scanpipe/pipes/vulnerablecode.py b/scanpipe/pipes/vulnerablecode.py
index 061c8e2028..06fbe5a644 100644
--- a/scanpipe/pipes/vulnerablecode.py
+++ b/scanpipe/pipes/vulnerablecode.py
@@ -35,7 +35,7 @@
 VULNERABLECODE_API_URL = None
 VULNERABLECODE_URL = settings.VULNERABLECODE_URL
 if VULNERABLECODE_URL:
-    VULNERABLECODE_API_URL = f"{VULNERABLECODE_URL}/api/"
+    VULNERABLECODE_API_URL = f"{VULNERABLECODE_URL.rstrip('/')}/api/v3"
 
 # Basic Authentication
 VULNERABLECODE_USER = settings.VULNERABLECODE_USER
@@ -63,7 +63,7 @@ def is_available():
         return False
 
     try:
-        response = session.head(VULNERABLECODE_API_URL)
+        response = session.head(VULNERABLECODE_API_URL, allow_redirects=True)
         response.raise_for_status()
     except requests.exceptions.RequestException as request_exception:
         logger.debug(f"{label} is_available() error: {request_exception}")
@@ -91,28 +91,6 @@ def get_purls(packages):
     return [package_url for package in packages if (package_url := package.package_url)]
 
 
-def request_get(
-    url,
-    payload=None,
-    timeout=None,
-):
-    """Send a GET request to `url` with optional `payload` and return the response."""
-    if not url:
-        return
-
-    params = {"format": "json"}
-    if payload:
-        params.update(payload)
-
-    logger.debug(f"{label}: url={url} params={params}")
-    try:
-        response = session.get(url, params=params, timeout=timeout)
-        response.raise_for_status()
-        return response.json()
-    except (requests.RequestException, ValueError, TypeError) as exception:
-        logger.debug(f"{label} [Exception] {exception}")
-
-
 def request_post(
     url,
     data,
@@ -127,88 +105,29 @@ def request_post(
         logger.debug(f"{label} [Exception] {exception}")
 
 
-def _get_vulnerabilities(
-    url,
-    field_name,
-    field_value,
-    timeout=None,
-):
-    """Get the list of vulnerabilities."""
-    payload = {field_name: field_value}
-
-    response = request_get(url=url, payload=payload, timeout=timeout)
-    if response and response.get("count"):
-        results = response["results"]
-        return results
-
-
-def get_vulnerabilities_by_purl(
-    purl,
-    timeout=None,
-    api_url=VULNERABLECODE_API_URL,
-):
-    """Get the list of vulnerabilities providing a package `purl`."""
-    return _get_vulnerabilities(
-        url=f"{api_url}packages/",
-        field_name="purl",
-        field_value=purl,
-        timeout=timeout,
-    )
-
-
-def get_vulnerabilities_by_cpe(
-    cpe,
-    timeout=None,
-    api_url=VULNERABLECODE_API_URL,
-):
-    """Get the list of vulnerabilities providing a package or component `cpe`."""
-    return _get_vulnerabilities(
-        url=f"{api_url}cpes/",
-        field_name="cpe",
-        field_value=cpe,
-        timeout=timeout,
-    )
-
-
 def bulk_search_by_purl(
     purls,
     timeout=None,
     api_url=VULNERABLECODE_API_URL,
 ):
     """Bulk search of vulnerabilities using the provided list of `purls`."""
-    url = f"{api_url}packages/bulk_search"
+    url = f"{api_url.rstrip('/')}/packages"
 
     data = {
         "purls": purls,
-        "vulnerabilities_only": True,
+        "details": True,
     }
 
     logger.debug(f"VulnerableCode: url={url} purls_count={len(purls)}")
     return request_post(url, data, timeout)
 
 
-def bulk_search_by_cpes(
-    cpes,
-    timeout=None,
-    api_url=VULNERABLECODE_API_URL,
-):
-    """Bulk search of vulnerabilities using the provided list of `cpes`."""
-    url = f"{api_url}cpes/bulk_search"
-
-    data = {
-        "cpes": cpes,
-    }
-
-    logger.debug(f"VulnerableCode: url={url} cpes_count={len(cpes)}")
-    return request_post(url, data, timeout)
-
-
 def filter_vulnerabilities(vulnerabilities, ignore_set):
     """Filter out vulnerabilities based on a list of ignored IDs and aliases."""
     return [
         vulnerability
         for vulnerability in vulnerabilities
-        if vulnerability.get("vulnerability_id") not in ignore_set
+        if vulnerability.get("advisory_id") not in ignore_set
         and not any(alias in ignore_set for alias in vulnerability.get("aliases", []))
     ]
 
@@ -223,9 +142,12 @@ def fetch_vulnerabilities(
     vulnerabilities_by_purl = {}
 
     for purls_batch in chunked(get_purls(packages), chunk_size):
+        # Add support for pagination
+        #  {'count': 17, 'next': None, 'previous': None, 'results': [....]
         response_data = bulk_search_by_purl(purls_batch)
-        for vulnerability_data in response_data:
-            vulnerabilities_by_purl[vulnerability_data["purl"]] = vulnerability_data
+        for vulnerability_data in response_data["results"]:
+            purl = vulnerability_data["purl"]
+            vulnerabilities_by_purl[purl] = vulnerability_data
 
     unsaved_objects = []
     for package in packages:
diff --git a/scanpipe/templates/scanpipe/includes/vulnerability_id.html b/scanpipe/templates/scanpipe/includes/vulnerability_id.html
index 51b3b18163..9d9e7d5d0b 100644
--- a/scanpipe/templates/scanpipe/includes/vulnerability_id.html
+++ b/scanpipe/templates/scanpipe/includes/vulnerability_id.html
@@ -1,14 +1,16 @@
-{% if vulnerability.vulnerability_id|slice:":4" == "VCID" and VULNERABLECODE_URL %}
-  <a href="{{ VULNERABLECODE_URL }}/vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
-    {{ vulnerability.vulnerability_id }}
-    <i class="fa-solid fa-up-right-from-square is-small"></i>
-  </a>
-{% else %}
-  {{ vulnerability.vulnerability_id }}
-{% endif %}
+<!--{% if vulnerability.vulnerability_id|slice:":4" == "VCID" and VULNERABLECODE_URL %}-->
+<!--  <a href="{{ VULNERABLECODE_URL }}/vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">-->
+<!--    {{ vulnerability.vulnerability_id }}-->
+<!--    <i class="fa-solid fa-up-right-from-square is-small"></i>-->
+<!--  </a>-->
+<!--{% else %}-->
+<!--  {{ vulnerability.vulnerability_id }}-->
+<!--{% endif %}-->
 
-<ul class="list-unstyled mb-0">
-  {% for alias in aliases %}
+{{ vulnerability.advisory_id }}
+
+<ul class="mb-0">
+  {% for alias in vulnerability.aliases %}
     <li>
       {% if alias|slice:":3" == "CVE" %}
         <a href="https://nvd.nist.gov/vuln/detail/{{ alias }}" target="_blank">{{ alias }}
diff --git a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
index e9d296b77d..43414a4a9e 100644
--- a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
+++ b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
@@ -4,6 +4,9 @@
       <tr>
         <th style="width: 220px;">Affected by</th>
         <th>Summary</th>
+        <th>Exploitability</th>
+        <th>Severity</th>
+        <th>Risk</th>
         <th>Analysis</th>
       </tr>
     </thead>
@@ -16,6 +19,15 @@
           <td>
             {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %}
           </td>
+          <td>
+            {{ vulnerability.exploitability }}
+          </td>
+          <td>
+            {{ vulnerability.weighted_severity }}
+          </td>
+          <td>
+            {{ vulnerability.risk_score|default_if_none:"" }}
+          </td>
           <td>
             {% for key, value in vulnerability.cdx_vulnerability.analysis.items %}
               <strong>{{ key }}:</strong> {{ value }}{% if not forloop.last %}<br>{% endif %}
diff --git a/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json b/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json
index f2ccc21900..1a72726f02 100644
--- a/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json
+++ b/scanpipe/tests/data/vulnerablecode/django-5.0_package_data.json
@@ -1,696 +1,395 @@
 {
-    "url": "http://vulnerablecode/api/packages/807568",
-    "purl": "pkg:pypi/django@5.0",
-    "type": "pypi",
-    "namespace": "",
-    "name": "django",
-    "version": "5.0",
-    "qualifiers": {},
-    "subpath": "",
-    "next_non_vulnerable_version": "5.0.3",
-    "latest_non_vulnerable_version": "5.0.3",
-    "affected_by_vulnerabilities": [
+    "count": 1,
+    "next": null,
+    "previous": null,
+    "results": [
         {
-            "url": "http://vulnerablecode/api/vulnerabilities/516832",
-            "vulnerability_id": "VCID-3gge-bre2-aaac",
-            "summary": "",
-            "references": [
-                {
-                    "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "7.5",
-                            "scoring_system": "cvssv3",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        }
-                    ],
-                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json"
-                },
-                {
-                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680"
-                },
-                {
-                    "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://docs.djangoproject.com/en/5.0/releases/security"
-                },
-                {
-                    "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://docs.djangoproject.com/en/5.0/releases/security/"
-                },
-                {
-                    "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "2.1",
-                            "scoring_system": "cvssv2",
-                            "scoring_elements": "AV:N/AC:H/Au:S/C:N/I:P/A:N"
-                        },
-                        {
-                            "value": "4.4",
-                            "scoring_system": "cvssv3",
-                            "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"
-                        },
-                        {
-                            "value": "4.7",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
-                        }
-                    ],
-                    "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"
-                },
-                {
-                    "reference_url": "https://github.com/django/django",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "7.5",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "HIGH",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820"
-                },
-                {
-                    "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml"
-                },
-                {
-                    "reference_url": "https://groups.google.com/forum/#%21forum/django-announce",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://groups.google.com/forum/#%21forum/django-announce"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
-                },
-                {
-                    "reference_url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases"
-                },
-                {
-                    "reference_url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"
-                },
-                {
-                    "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261856",
-                    "reference_id": "2261856",
-                    "scores": [],
-                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2261856"
-                },
-                {
-                    "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
-                    "reference_id": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
-                    "scores": [],
-                    "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
-                },
-                {
-                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680",
-                    "reference_id": "CVE-2024-24680",
-                    "scores": [
-                        {
-                            "value": "7.5",
-                            "scoring_system": "cvssv3",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        }
-                    ],
-                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680"
-                },
-                {
-                    "reference_url": "https://github.com/advisories/GHSA-xxj9-f6rv-m3x4",
-                    "reference_id": "GHSA-xxj9-f6rv-m3x4",
-                    "scores": [
-                        {
-                            "value": "MODERATE",
-                            "scoring_system": "cvssv3.1_qr",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/advisories/GHSA-xxj9-f6rv-m3x4"
-                },
-                {
-                    "reference_url": "https://access.redhat.com/errata/RHSA-2024:1057",
-                    "reference_id": "RHSA-2024:1057",
-                    "scores": [],
-                    "url": "https://access.redhat.com/errata/RHSA-2024:1057"
-                },
-                {
-                    "reference_url": "https://access.redhat.com/errata/RHSA-2024:1878",
-                    "reference_id": "RHSA-2024:1878",
-                    "scores": [],
-                    "url": "https://access.redhat.com/errata/RHSA-2024:1878"
-                },
-                {
-                    "reference_url": "https://access.redhat.com/errata/RHSA-2024:2731",
-                    "reference_id": "RHSA-2024:2731",
-                    "scores": [],
-                    "url": "https://access.redhat.com/errata/RHSA-2024:2731"
-                },
-                {
-                    "reference_url": "https://usn.ubuntu.com/6623-1/",
-                    "reference_id": "USN-6623-1",
-                    "scores": [],
-                    "url": "https://usn.ubuntu.com/6623-1/"
+            "purl": "pkg:pypi/django@5.0",
+            "affected_by_vulnerabilities": [
+                {
+                    "advisory_id": "PYSEC-2024-28",
+                    "aliases": [
+                        "BIT-django-2024-24680",
+                        "CVE-2024-24680",
+                        "GHSA-xxj9-f6rv-m3x4"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@3.2.24",
+                        "pkg:pypi/django@4.2.10",
+                        "pkg:pypi/django@5.0.2"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-47",
+                    "aliases": [
+                        "BIT-django-2024-27351",
+                        "CVE-2024-27351",
+                        "GHSA-vm8q-m57g-pff3"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@3.2.25",
+                        "pkg:pypi/django@5.0.3",
+                        "pkg:pypi/django@4.2.11"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-56",
+                    "aliases": [
+                        "BIT-django-2024-38875",
+                        "CVE-2024-38875",
+                        "GHSA-qg2p-9jwr-mmqf"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.14",
+                        "pkg:pypi/django@5.0.7"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-57",
+                    "aliases": [
+                        "BIT-django-2024-39329",
+                        "CVE-2024-39329",
+                        "GHSA-x7q2-wr7g-xqmf"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.14",
+                        "pkg:pypi/django@5.0.7"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-58",
+                    "aliases": [
+                        "BIT-django-2024-39330",
+                        "CVE-2024-39330",
+                        "GHSA-9jmf-237g-qf46"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.14",
+                        "pkg:pypi/django@5.0.7"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-59",
+                    "aliases": [
+                        "BIT-django-2024-39614",
+                        "CVE-2024-39614",
+                        "GHSA-f6f8-9mx6-9mx2"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.14",
+                        "pkg:pypi/django@5.0.7"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-67",
+                    "aliases": [
+                        "BIT-django-2024-41989",
+                        "CVE-2024-41989",
+                        "GHSA-jh75-99hh-qvx9"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.0.8",
+                        "pkg:pypi/django@4.2.15"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-68",
+                    "aliases": [
+                        "BIT-django-2024-41990",
+                        "CVE-2024-41990",
+                        "GHSA-795c-9xpc-xw6g"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.0.8",
+                        "pkg:pypi/django@4.2.15"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-69",
+                    "aliases": [
+                        "BIT-django-2024-41991",
+                        "CVE-2024-41991",
+                        "GHSA-r836-hh6v-rg5g"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.0.8",
+                        "pkg:pypi/django@4.2.15"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-70",
+                    "aliases": [
+                        "BIT-django-2024-42005",
+                        "CVE-2024-42005",
+                        "GHSA-pv4p-cwwg-4rph"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.0.8",
+                        "pkg:pypi/django@4.2.15"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-102",
+                    "aliases": [
+                        "BIT-django-2024-45230",
+                        "CVE-2024-45230",
+                        "GHSA-5hgc-2vfp-mqvc"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.1.1",
+                        "pkg:pypi/django@4.2.16",
+                        "pkg:pypi/django@5.0.9"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2024-45231",
+                    "aliases": [
+                        "GHSA-rrqc-c2jx-6jgv"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django allows enumeration of user e-mail addresses\nAn issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.1.1",
+                        "pkg:pypi/django@4.2.16",
+                        "pkg:pypi/django@5.0.9"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2024-53907",
+                    "aliases": [
+                        "GHSA-8498-2h75-472j"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django denial-of-service in django.utils.html.strip_tags()\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.17",
+                        "pkg:pypi/django@5.1.4",
+                        "pkg:pypi/django@5.0.10"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2024-53908",
+                    "aliases": [
+                        "GHSA-m9g8-fxxm-xg86"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django SQL injection in HasKey(lhs, rhs) on Oracle\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.17",
+                        "pkg:pypi/django@5.1.4",
+                        "pkg:pypi/django@5.0.10"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2024-56374",
+                    "aliases": [
+                        "GHSA-qcgg-j2x8-h9g8"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django has a potential denial-of-service vulnerability in IPv6 validation\nAn issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions `clean_ipv6_address` and `is_valid_ipv6_address` are vulnerable, as is the `django.forms.GenericIPAddressField` form field. (The django.db.models.GenericIPAddressField model field is not affected.)",
+                    "fixed_by_packages": []
+                },
+                {
+                    "advisory_id": "PYSEC-2025-13",
+                    "aliases": [
+                        "BIT-django-2025-26699",
+                        "CVE-2025-26699",
+                        "GHSA-p3fp-8748-vqfq"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.1.7",
+                        "pkg:pypi/django@4.2.20",
+                        "pkg:pypi/django@5.0.13"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2025-14",
+                    "aliases": [
+                        "BIT-django-2025-27556",
+                        "CVE-2025-27556",
+                        "GHSA-wqfg-m96j-85vm"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.0.14",
+                        "pkg:pypi/django@5.1.8"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2025-48432",
+                    "aliases": [
+                        "GHSA-7xr5-9hcq-chf9"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django Improper Output Neutralization for Logs vulnerability\nAn issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.22",
+                        "pkg:pypi/django@5.2.2",
+                        "pkg:pypi/django@5.1.10"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2025-57833",
+                    "aliases": [
+                        "GHSA-6w2r-r2m5-xq5w"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django is subject to SQL injection through its column aliases\nAn issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.24",
+                        "pkg:pypi/django@5.1.12",
+                        "pkg:pypi/django@5.2.6"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2025-64458",
+                    "aliases": [
+                        "GHSA-qw25-v68c-qjf3"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows\nAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nNFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`  were subject to a potential  denial-of-service attack via certain inputs with a very large number of Unicode characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.1.14",
+                        "pkg:pypi/django@5.2.8",
+                        "pkg:pypi/django@4.2.26"
+                    ]
+                },
+                {
+                    "advisory_id": "CVE-2025-64459",
+                    "aliases": [
+                        "GHSA-frmv-pr5f-9mcr"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 2.0,
+                    "risk_score": null,
+                    "summary": "Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.\nAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@5.1.14",
+                        "pkg:pypi/django@5.2.8",
+                        "pkg:pypi/django@4.2.26"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-156",
+                    "aliases": [
+                        "BIT-django-2024-53907",
+                        "CVE-2024-53907",
+                        "GHSA-8498-2h75-472j"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.17",
+                        "pkg:pypi/django@5.1.4",
+                        "pkg:pypi/django@5.0.10"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2024-157",
+                    "aliases": [
+                        "BIT-django-2024-53908",
+                        "CVE-2024-53908",
+                        "GHSA-m9g8-fxxm-xg86"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.17",
+                        "pkg:pypi/django@5.1.4",
+                        "pkg:pypi/django@5.0.10"
+                    ]
+                },
+                {
+                    "advisory_id": "PYSEC-2025-1",
+                    "aliases": [
+                        "BIT-django-2024-56374",
+                        "CVE-2024-56374",
+                        "GHSA-qcgg-j2x8-h9g8"
+                    ],
+                    "weighted_severity": 0.0,
+                    "exploitability": 0.5,
+                    "risk_score": null,
+                    "summary": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)",
+                    "fixed_by_packages": [
+                        "pkg:pypi/django@4.2.18",
+                        "pkg:pypi/django@5.0.11",
+                        "pkg:pypi/django@5.1.5"
+                    ]
                 }
             ],
-            "fixed_packages": [
-                {
-                    "url": "http://vulnerablecode/api/packages/807572",
-                    "purl": "pkg:pypi/django@5.0.2",
-                    "is_vulnerable": true,
-                    "affected_by_vulnerabilities": [
-                        {
-                            "vulnerability": "VCID-q4q6-yfng-aaag"
-                        }
-                    ],
-                    "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0.2"
-                }
-            ],
-            "aliases": [
-                "BIT-django-2024-24680",
-                "CVE-2024-24680",
-                "GHSA-xxj9-f6rv-m3x4",
-                "PYSEC-2024-28"
-            ],
-            "resource_url": "http://vulnerablecode/vulnerabilities/VCID-3gge-bre2-aaac"
-        },
-        {
-            "url": "http://vulnerablecode/api/vulnerabilities/522941",
-            "vulnerability_id": "VCID-q4q6-yfng-aaag",
-            "summary": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.",
-            "references": [
-                {
-                    "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27351.json",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "7.5",
-                            "scoring_system": "cvssv3",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        }
-                    ],
-                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27351.json"
-                },
-                {
-                    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27351"
-                },
-                {
-                    "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://docs.djangoproject.com/en/5.0/releases/security"
-                },
-                {
-                    "reference_url": "https://docs.djangoproject.com/en/5.0/releases/security/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://docs.djangoproject.com/en/5.0/releases/security/"
-                },
-                {
-                    "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "2.1",
-                            "scoring_system": "cvssv2",
-                            "scoring_elements": "AV:N/AC:H/Au:S/C:N/I:P/A:N"
-                        },
-                        {
-                            "value": "4.4",
-                            "scoring_system": "cvssv3",
-                            "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"
-                        },
-                        {
-                            "value": "4.7",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
-                        }
-                    ],
-                    "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"
-                },
-                {
-                    "reference_url": "https://github.com/django/django",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "7.5",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "HIGH",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e"
-                },
-                {
-                    "reference_url": "https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a"
-                },
-                {
-                    "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yaml"
-                },
-                {
-                    "reference_url": "https://groups.google.com/forum/#%21forum/django-announce",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://groups.google.com/forum/#%21forum/django-announce"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
-                },
-                {
-                    "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
-                },
-                {
-                    "reference_url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases"
-                },
-                {
-                    "reference_url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/",
-                    "reference_id": "",
-                    "scores": [],
-                    "url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/"
-                },
-                {
-                    "reference_url": "http://www.openwall.com/lists/oss-security/2024/03/04/1",
-                    "reference_id": "",
-                    "scores": [
-                        {
-                            "value": "5.9",
-                            "scoring_system": "cvssv3.1",
-                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-                        },
-                        {
-                            "value": "LOW",
-                            "scoring_system": "generic_textual",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
-                },
-                {
-                    "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266045",
-                    "reference_id": "2266045",
-                    "scores": [],
-                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266045"
-                },
-                {
-                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351",
-                    "reference_id": "CVE-2024-27351",
-                    "scores": [],
-                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27351"
-                },
-                {
-                    "reference_url": "https://github.com/advisories/GHSA-vm8q-m57g-pff3",
-                    "reference_id": "GHSA-vm8q-m57g-pff3",
-                    "scores": [
-                        {
-                            "value": "LOW",
-                            "scoring_system": "cvssv3.1_qr",
-                            "scoring_elements": ""
-                        }
-                    ],
-                    "url": "https://github.com/advisories/GHSA-vm8q-m57g-pff3"
-                },
-                {
-                    "reference_url": "https://access.redhat.com/errata/RHSA-2024:1878",
-                    "reference_id": "RHSA-2024:1878",
-                    "scores": [],
-                    "url": "https://access.redhat.com/errata/RHSA-2024:1878"
-                },
-                {
-                    "reference_url": "https://access.redhat.com/errata/RHSA-2024:3781",
-                    "reference_id": "RHSA-2024:3781",
-                    "scores": [],
-                    "url": "https://access.redhat.com/errata/RHSA-2024:3781"
-                },
-                {
-                    "reference_url": "https://usn.ubuntu.com/6674-1/",
-                    "reference_id": "USN-6674-1",
-                    "scores": [],
-                    "url": "https://usn.ubuntu.com/6674-1/"
-                },
-                {
-                    "reference_url": "https://usn.ubuntu.com/6674-2/",
-                    "reference_id": "USN-6674-2",
-                    "scores": [],
-                    "url": "https://usn.ubuntu.com/6674-2/"
-                }
-            ],
-            "fixed_packages": [
-                {
-                    "url": "http://vulnerablecode/api/packages/810988",
-                    "purl": "pkg:pypi/django@5.0.3",
-                    "is_vulnerable": false,
-                    "affected_by_vulnerabilities": [],
-                    "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0.3"
-                }
-            ],
-            "aliases": [
-                "CVE-2024-27351",
-                "GHSA-vm8q-m57g-pff3",
-                "PYSEC-2024-47"
-            ],
-            "resource_url": "http://vulnerablecode/vulnerabilities/VCID-q4q6-yfng-aaag"
+            "fixing_vulnerabilities": [],
+            "next_non_vulnerable_version": "5.1.15",
+            "latest_non_vulnerable_version": "6.0.4",
+            "risk_score": 10.0
         }
-    ],
-    "fixing_vulnerabilities": [],
-    "resource_url": "http://vulnerablecode/packages/pkg:pypi/django@5.0"
+    ]
 }
\ No newline at end of file
diff --git a/scanpipe/tests/pipes/test_vulnerablecode.py b/scanpipe/tests/pipes/test_vulnerablecode.py
index f33a68cdca..4406f3762c 100644
--- a/scanpipe/tests/pipes/test_vulnerablecode.py
+++ b/scanpipe/tests/pipes/test_vulnerablecode.py
@@ -46,14 +46,17 @@ def test_scanpipe_pipes_vulnerablecode_fetch_vulnerabilities(
         self, mock_search_by_purl
     ):
         django_5_0 = make_package(self.project1, "pkg:pypi/django@5.0")
-        data = self.data / "vulnerablecode/django-5.0_package_data.json"
-        package_data = json.loads(data.read_text())
-        mock_search_by_purl.return_value = [package_data]
+        # POST /api/v3/packages with data:
+        # {"purls": ["pkg:pypi/django@5.0"], "details": true}
+        data = self.data / "vulnerablecode" / "django-5.0_package_data.json"
+        response_json = json.loads(data.read_text())
+        mock_search_by_purl.return_value = response_json
         buffer = io.StringIO()
 
+        package_data = response_json.get("results")[0]
         fetch_vulnerabilities(packages=[django_5_0], logger=buffer.write)
         django_5_0.refresh_from_db()
-        self.assertEqual(2, len(package_data.get("affected_by_vulnerabilities")))
+        self.assertEqual(24, len(package_data.get("affected_by_vulnerabilities")))
         self.assertEqual(
             package_data.get("affected_by_vulnerabilities"),
             django_5_0.affected_by_vulnerabilities,
@@ -62,9 +65,9 @@ def test_scanpipe_pipes_vulnerablecode_fetch_vulnerabilities(
             "1 discovered packages updated with vulnerability data.", buffer.getvalue()
         )
 
-        fetch_vulnerabilities(packages=[django_5_0], ignore_set={"VCID-3gge-bre2-aaac"})
+        fetch_vulnerabilities(packages=[django_5_0], ignore_set={"PYSEC-2024-28"})
         django_5_0.refresh_from_db()
-        self.assertEqual(1, len(django_5_0.affected_by_vulnerabilities))
+        self.assertEqual(23, len(django_5_0.affected_by_vulnerabilities))
 
     def test_scanpipe_pipes_vulnerablecode_filter_vulnerabilities(self):
         data = self.data / "vulnerablecode/django-5.0_package_data.json"
diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
index 7468bc4822..b088c398eb 100644
--- a/scanpipe/tests/test_pipelines.py
+++ b/scanpipe/tests/test_pipelines.py
@@ -1351,7 +1351,7 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration(
                 "purl": "pkg:deb/debian/adduser@3.118?arch=all",
                 "affected_by_vulnerabilities": [
                     {
-                        "vulnerability_id": "VCID-cah8-awtr-aaad",
+                        "advisory_id": "ID-1",
                         "summary": "An issue was discovered.",
                     },
                 ],
@@ -1360,13 +1360,14 @@ def test_scanpipe_find_vulnerabilities_pipeline_integration(
                 "purl": "pkg:deb/debian/adduser@3.118?qualifiers=1",
                 "affected_by_vulnerabilities": [
                     {
-                        "vulnerability_id": "VCID-cah8-awtr-aaad",
+                        "advisory_id": "ID-2",
                         "summary": "An issue was discovered.",
                     },
                 ],
             },
         ]
-        mock_bulk_search_by_purl.return_value = vulnerability_data
+        response_json = {"results": vulnerability_data}
+        mock_bulk_search_by_purl.return_value = response_json
 
         exitcode, out = pipeline.execute()
         self.assertEqual(0, exitcode, msg=out)

From 1899796e4b7cd175bcb3ac37a1629dbe224c8728 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@aboutcode.org>
Date: Tue, 14 Apr 2026 10:34:37 +0400
Subject: [PATCH 2/5] Rename vulnerability_id to advisory_id

Signed-off-by: tdruez <tdruez@aboutcode.org>
---
 .../management/commands/check-compliance.py   |  4 +--
 scanpipe/models.py                            | 36 +++++++++----------
 scanpipe/pipes/cyclonedx.py                   |  2 +-
 scanpipe/pipes/output.py                      |  4 +--
 scanpipe/tests/pipes/test_cyclonedx.py        |  2 +-
 scanpipe/tests/pipes/test_vulnerablecode.py   |  4 +--
 scanpipe/tests/test_commands.py               |  2 +-
 scanpipe/tests/test_filters.py                |  4 +--
 scanpipe/tests/test_models.py                 | 26 +++++++-------
 scanpipe/tests/test_pipelines.py              |  2 +-
 scanpipe/tests/test_views.py                  |  8 ++---
 scanpipe/views.py                             |  2 +-
 12 files changed, 47 insertions(+), 49 deletions(-)

diff --git a/scanpipe/management/commands/check-compliance.py b/scanpipe/management/commands/check-compliance.py
index 0016177a01..84ada60341 100644
--- a/scanpipe/management/commands/check-compliance.py
+++ b/scanpipe/management/commands/check-compliance.py
@@ -110,8 +110,8 @@ def check_vulnerabilities(self):
         if self.verbosity > 0:
             if vulnerabilities_count:
                 self.stderr.write(f"{vulnerabilities_count} vulnerabilities found:")
-                for vulnerability_id, vulnerability_data in all_vulnerabilities.items():
-                    self.stderr.write(str(vulnerability_id))
+                for advisory_id, vulnerability_data in all_vulnerabilities.items():
+                    self.stderr.write(str(advisory_id))
                     for affected_obj in vulnerability_data.get("affects", []):
                         self.stderr.write(f" > {affected_obj}")
             else:
diff --git a/scanpipe/models.py b/scanpipe/models.py
index f941240dd9..8680205e2f 100644
--- a/scanpipe/models.py
+++ b/scanpipe/models.py
@@ -1573,7 +1573,7 @@ def vulnerabilities(self):
         """
         Return a dict of all vulnerabilities affecting this project.
 
-        Combines package and dependency vulnerabilities, keyed by vulnerability_id.
+        Combines package and dependency vulnerabilities, keyed by advisory_id.
         Each vulnerability includes an "affects" list of all affected packages
         and dependencies.
         """
@@ -1583,11 +1583,13 @@ def vulnerabilities(self):
 
         for queryset in querysets:
             vulnerabilities = queryset.get_vulnerabilities_dict()
-            for vcid, vuln_data in vulnerabilities.items():
-                if vcid in vulnerabilities_dict:
-                    vulnerabilities_dict[vcid]["affects"].extend(vuln_data["affects"])
+            for advisory_id, vuln_data in vulnerabilities.items():
+                if advisory_id in vulnerabilities_dict:
+                    vulnerabilities_dict[advisory_id]["affects"].extend(
+                        vuln_data["affects"]
+                    )
                 else:
-                    vulnerabilities_dict[vcid] = vuln_data
+                    vulnerabilities_dict[advisory_id] = vuln_data
 
         return vulnerabilities_dict
 
@@ -3361,24 +3363,22 @@ def get_vulnerabilities_list(self):
         queryset.
 
         Extracts and flattens the affected_by_vulnerabilities field from
-        all objects in the queryset. Removes duplicates based on vulnerability_id
+        all objects in the queryset. Removes duplicates based on advisory_id
         while preserving the first occurrence of each unique vulnerability.
         """
         vulnerabilities_lists = self.values_list(self.AFFECTED_BY_FIELD, flat=True)
         flatten_vulnerabilities = chain.from_iterable(vulnerabilities_lists)
 
-        # Deduplicate by vulnerability_id while preserving order
+        # Deduplicate by advisory_id while preserving order
         unique_vulnerabilities = {
-            vuln["vulnerability_id"]: vuln for vuln in flatten_vulnerabilities
+            vuln["advisory_id"]: vuln for vuln in flatten_vulnerabilities
         }
 
-        return sorted(
-            unique_vulnerabilities.values(), key=itemgetter("vulnerability_id")
-        )
+        return sorted(unique_vulnerabilities.values(), key=itemgetter("advisory_id"))
 
     def get_vulnerabilities_dict(self):
         """
-        Return a dict of vulnerabilities keyed by vulnerability_id.
+        Return a dict of vulnerabilities keyed by advisory_id.
 
         Each vulnerability includes an "affects" list containing all
         objects from this queryset affected by that vulnerability.
@@ -3386,7 +3386,7 @@ def get_vulnerabilities_dict(self):
         Returns:
             dict: {
                 'VCID-1': {
-                    'vulnerability_id': 'VCID-1',
+                    'advisory_id': 'VCID-1',
                     'affects': [obj1, obj2, ...]
                 },
                 ...
@@ -3397,13 +3397,13 @@ def get_vulnerabilities_dict(self):
 
         for obj in self.vulnerable_ordered():
             for vulnerability in obj.affected_by_vulnerabilities:
-                vcid = vulnerability.get("vulnerability_id")
-                if not vcid:
+                advisory_id = vulnerability.get("advisory_id")
+                if not advisory_id:
                     continue
 
-                if vcid not in vulnerabilities_dict:
-                    vulnerabilities_dict[vcid] = {**vulnerability, "affects": []}
-                vulnerabilities_dict[vcid]["affects"].append(obj)
+                if advisory_id not in vulnerabilities_dict:
+                    vulnerabilities_dict[advisory_id] = {**vulnerability, "affects": []}
+                vulnerabilities_dict[advisory_id]["affects"].append(obj)
 
         return vulnerabilities_dict
 
diff --git a/scanpipe/pipes/cyclonedx.py b/scanpipe/pipes/cyclonedx.py
index 00a59bd4e2..08b21ad55c 100644
--- a/scanpipe/pipes/cyclonedx.py
+++ b/scanpipe/pipes/cyclonedx.py
@@ -188,7 +188,7 @@ def cyclonedx_component_to_package_data(
             cdx_vulnerability_json = cdx_vulnerability.as_json(view_=BaseSchemaVersion)
             affected_by_vulnerabilities.append(
                 {
-                    "vulnerability_id": str(cdx_vulnerability.id),
+                    "advisory_id": str(cdx_vulnerability.id),
                     "summary": cdx_vulnerability.description,
                     "cdx_vulnerability_data": json.loads(cdx_vulnerability_json),
                 }
diff --git a/scanpipe/pipes/output.py b/scanpipe/pipes/output.py
index 03fc4ca51c..ce4fb9908a 100644
--- a/scanpipe/pipes/output.py
+++ b/scanpipe/pipes/output.py
@@ -579,7 +579,7 @@ def add_vulnerabilities_sheet(workbook, project):
     ]
 
     vulnerability_fields = [
-        "vulnerability_id",
+        "advisory_id",
         "aliases",
         "summary",
         "risk_score",
@@ -863,7 +863,7 @@ def vulnerability_as_cyclonedx(vulnerability_data, component_bom_ref):
     ]
 
     return cdx_vulnerability.Vulnerability(
-        id=vulnerability_data.get("vulnerability_id"),
+        id=vulnerability_data.get("advisory_id"),
         source=source,
         description=vulnerability_data.get("summary"),
         affects=affects,
diff --git a/scanpipe/tests/pipes/test_cyclonedx.py b/scanpipe/tests/pipes/test_cyclonedx.py
index 0ffaae395d..7ce5937121 100644
--- a/scanpipe/tests/pipes/test_cyclonedx.py
+++ b/scanpipe/tests/pipes/test_cyclonedx.py
@@ -250,7 +250,7 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
         self.assertEqual(1, len(packages))
 
         affected_by = packages[0]["affected_by_vulnerabilities"]
-        self.assertEqual("CVE-2005-2541", affected_by[0]["vulnerability_id"])
+        self.assertEqual("CVE-2005-2541", affected_by[0]["advisory_id"])
         self.assertEqual(
             "Tar 1.15.1 does not properly warn the user when...",
             affected_by[0]["summary"],
diff --git a/scanpipe/tests/pipes/test_vulnerablecode.py b/scanpipe/tests/pipes/test_vulnerablecode.py
index 4406f3762c..c42eb53228 100644
--- a/scanpipe/tests/pipes/test_vulnerablecode.py
+++ b/scanpipe/tests/pipes/test_vulnerablecode.py
@@ -76,8 +76,8 @@ def test_scanpipe_pipes_vulnerablecode_filter_vulnerabilities(self):
         self.assertEqual(2, len(vulnerability_data))
 
         vulnerability1 = vulnerability_data[0]
-        self.assertEqual("VCID-3gge-bre2-aaac", vulnerability1.get("vulnerability_id"))
-        ignore_set = {vulnerability1.get("vulnerability_id")}
+        self.assertEqual("VCID-3gge-bre2-aaac", vulnerability1.get("advisory_id"))
+        ignore_set = {vulnerability1.get("advisory_id")}
         self.assertEqual(1, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
 
         ignore_set = {vulnerability1.get("aliases")[0]}
diff --git a/scanpipe/tests/test_commands.py b/scanpipe/tests/test_commands.py
index e38619cd0c..cd416c6661 100644
--- a/scanpipe/tests/test_commands.py
+++ b/scanpipe/tests/test_commands.py
@@ -1390,7 +1390,7 @@ def test_scanpipe_management_command_check_compliance_vulnerabilities(self):
         out_value = out.getvalue().strip()
         self.assertEqual("No vulnerabilities found", out_value)
 
-        vulnerability_data = [{"vulnerability_id": "VCID-cah8-awtr-aaad"}]
+        vulnerability_data = [{"advisory_id": "VCID-cah8-awtr-aaad"}]
         package1.update(affected_by_vulnerabilities=vulnerability_data)
         make_dependency(
             project,
diff --git a/scanpipe/tests/test_filters.py b/scanpipe/tests/test_filters.py
index 7a8a098be7..7c8b4c4c21 100644
--- a/scanpipe/tests/test_filters.py
+++ b/scanpipe/tests/test_filters.py
@@ -194,9 +194,7 @@ def test_scanpipe_filters_params_for_search(self):
     def test_scanpipe_filters_package_filterset_is_vulnerable(self):
         p1 = DiscoveredPackage.create_from_data(self.project1, package_data1)
         p2 = DiscoveredPackage.create_from_data(self.project1, package_data2)
-        p2.update(
-            affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}]
-        )
+        p2.update(affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}])
 
         filterset = PackageFilterSet(data={"is_vulnerable": ""})
         self.assertEqual(2, len(filterset.qs))
diff --git a/scanpipe/tests/test_models.py b/scanpipe/tests/test_models.py
index 6c2252e55f..c5e32901d4 100644
--- a/scanpipe/tests/test_models.py
+++ b/scanpipe/tests/test_models.py
@@ -654,9 +654,9 @@ def test_scanpipe_project_related_model_clone(self):
         self.assertNotEqual(cloned_subscription.pk, subscription1.pk)
 
     def test_scanpipe_project_vulnerability_properties(self):
-        v1 = {"vulnerability_id": "VCID-1"}
-        v2 = {"vulnerability_id": "VCID-2"}
-        v3 = {"vulnerability_id": "VCID-3"}
+        v1 = {"advisory_id": "VCID-1"}
+        v2 = {"advisory_id": "VCID-2"}
+        v3 = {"advisory_id": "VCID-3"}
         project = make_project()
         make_package(project, "pkg:type/0")
         p1 = make_package(project, "pkg:type/a", affected_by_vulnerabilities=[v1, v2])
@@ -673,9 +673,9 @@ def test_scanpipe_project_vulnerability_properties(self):
         self.assertEqual([v1, v3], project.dependency_vulnerabilities)
 
         expected = {
-            "VCID-1": {"vulnerability_id": "VCID-1", "affects": [p1, d1]},
-            "VCID-2": {"vulnerability_id": "VCID-2", "affects": [p1]},
-            "VCID-3": {"vulnerability_id": "VCID-3", "affects": [p2, d2]},
+            "VCID-1": {"advisory_id": "VCID-1", "affects": [p1, d1]},
+            "VCID-2": {"advisory_id": "VCID-2", "affects": [p1]},
+            "VCID-3": {"advisory_id": "VCID-3", "affects": [p2, d2]},
         }
         self.assertEqual(expected, project.vulnerabilities)
         self.assertEqual(4, project.vulnerability_count)
@@ -2084,7 +2084,7 @@ def test_scanpipe_discovered_package_queryset_for_package_url(self):
     def test_scanpipe_discovered_package_queryset_vulnerable(self):
         p1 = DiscoveredPackage.create_from_data(self.project1, package_data1)
         p2 = DiscoveredPackage.create_from_data(self.project1, package_data2)
-        p2.update(affected_by_vulnerabilities=[{"vulnerability_id": "VCID-1"}])
+        p2.update(affected_by_vulnerabilities=[{"advisory_id": "VCID-1"}])
 
         package_qs = self.project1.discoveredpackages
         self.assertNotIn(p1, DiscoveredPackage.objects.vulnerable())
@@ -2093,21 +2093,21 @@ def test_scanpipe_discovered_package_queryset_vulnerable(self):
 
         p1.update(
             affected_by_vulnerabilities=[
-                {"vulnerability_id": "VCID-1"},
-                {"vulnerability_id": "VCID-2"},
+                {"advisory_id": "VCID-1"},
+                {"advisory_id": "VCID-2"},
             ]
         )
-        expected = [{"vulnerability_id": "VCID-1"}, {"vulnerability_id": "VCID-2"}]
+        expected = [{"advisory_id": "VCID-1"}, {"advisory_id": "VCID-2"}]
         with self.assertNumQueries(1):
             self.assertEqual(expected, package_qs.get_vulnerabilities_list())
 
         expected = {
             "VCID-1": {
-                "vulnerability_id": "VCID-1",
+                "advisory_id": "VCID-1",
                 "affects": [p1, p2],
             },
             "VCID-2": {
-                "vulnerability_id": "VCID-2",
+                "advisory_id": "VCID-2",
                 "affects": [p1],
             },
         }
@@ -2699,7 +2699,7 @@ def test_scanpipe_discovered_package_model_is_vulnerable_property(self):
         package = DiscoveredPackage.create_from_data(self.project1, package_data1)
         self.assertFalse(package.is_vulnerable)
         package.update(
-            affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}]
+            affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}]
         )
         self.assertTrue(package.is_vulnerable)
 
diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
index b088c398eb..7ea6d8b2c0 100644
--- a/scanpipe/tests/test_pipelines.py
+++ b/scanpipe/tests/test_pipelines.py
@@ -1652,7 +1652,7 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
         affected_by = package.affected_by_vulnerabilities[0]
         cdx_vulnerability_data = affected_by.pop("cdx_vulnerability_data")
         expected = {
-            "vulnerability_id": "CVE-2005-2541",
+            "advisory_id": "CVE-2005-2541",
             "summary": "Tar 1.15.1 does not properly warn the user when...",
         }
         self.assertEqual(expected, affected_by)
diff --git a/scanpipe/tests/test_views.py b/scanpipe/tests/test_views.py
index 3664901648..9cef40d385 100644
--- a/scanpipe/tests/test_views.py
+++ b/scanpipe/tests/test_views.py
@@ -1200,7 +1200,7 @@ def test_scanpipe_views_discovered_package_details_view_tabset(self):
 
         package1.add_resources([make_resource_file(self.project1, "file1.ext")])
         package1.update(
-            affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}],
+            affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}],
             extra_data={"extra": "data"},
         )
         dependency_data = dependency_data1.copy()
@@ -1219,7 +1219,7 @@ def test_scanpipe_views_discovered_package_details_view_tabset(self):
     def test_scanpipe_views_discovered_package_details_view_tab_vulnerabilities(self):
         package1 = DiscoveredPackage.create_from_data(self.project1, package_data1)
         package1.update(
-            affected_by_vulnerabilities=[{"vulnerability_id": "VCID-cah8-awtr-aaad"}]
+            affected_by_vulnerabilities=[{"advisory_id": "VCID-cah8-awtr-aaad"}]
         )
         response = self.client.get(package1.get_absolute_url())
         self.assertContains(response, "tab-vulnerabilities")
@@ -1307,8 +1307,8 @@ def test_scanpipe_views_vulnerability_list_view(self):
             response = self.client.get(url)
         self.assertContains(response, "No Vulnerabilities found.")
 
-        v1 = {"vulnerability_id": "VCID-1"}
-        v2 = {"vulnerability_id": "VCID-2"}
+        v1 = {"advisory_id": "VCID-1"}
+        v2 = {"advisory_id": "VCID-2"}
         project = make_project()
         make_package(project, "pkg:type/a", affected_by_vulnerabilities=[v1])
         make_dependency(project, affected_by_vulnerabilities=[v2])
diff --git a/scanpipe/views.py b/scanpipe/views.py
index 4270a5be78..adaa7a5300 100644
--- a/scanpipe/views.py
+++ b/scanpipe/views.py
@@ -1965,7 +1965,7 @@ class VulnerabilityListView(
 ):
     template_name = "scanpipe/vulnerability_list.html"
     table_columns = [
-        "vulnerability_id",
+        "advisory_id",
         "summary",
         "affects",
     ]

From 4bb9e3835f335ced65498bcfe3b828df868962f5 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@aboutcode.org>
Date: Tue, 14 Apr 2026 10:48:45 +0400
Subject: [PATCH 3/5] Refine the UI rendering for vulnerabilities

Signed-off-by: tdruez <tdruez@aboutcode.org>
---
 .../scanpipe/includes/vulnerability_id.html   |  9 ---
 .../scanpipe/tabset/tab_vulnerabilities.html  | 74 +++++++++----------
 .../scanpipe/vulnerability_list.html          |  9 +++
 scanpipe/views.py                             | 14 +++-
 4 files changed, 58 insertions(+), 48 deletions(-)

diff --git a/scanpipe/templates/scanpipe/includes/vulnerability_id.html b/scanpipe/templates/scanpipe/includes/vulnerability_id.html
index 9d9e7d5d0b..272397af2e 100644
--- a/scanpipe/templates/scanpipe/includes/vulnerability_id.html
+++ b/scanpipe/templates/scanpipe/includes/vulnerability_id.html
@@ -1,12 +1,3 @@
-<!--{% if vulnerability.vulnerability_id|slice:":4" == "VCID" and VULNERABLECODE_URL %}-->
-<!--  <a href="{{ VULNERABLECODE_URL }}/vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">-->
-<!--    {{ vulnerability.vulnerability_id }}-->
-<!--    <i class="fa-solid fa-up-right-from-square is-small"></i>-->
-<!--  </a>-->
-<!--{% else %}-->
-<!--  {{ vulnerability.vulnerability_id }}-->
-<!--{% endif %}-->
-
 {{ vulnerability.advisory_id }}
 
 <ul class="mb-0">
diff --git a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
index 43414a4a9e..b82639b653 100644
--- a/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
+++ b/scanpipe/templates/scanpipe/tabset/tab_vulnerabilities.html
@@ -1,40 +1,38 @@
-<div class="content">
-  <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
-    <thead>
+<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+  <thead>
+    <tr>
+      <th style="width: 220px;">Affected by</th>
+      <th>Summary</th>
+      <th>Exploitability</th>
+      <th>Severity</th>
+      <th>Risk</th>
+      <th>Analysis</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for vulnerability in tab_data.fields.affected_by_vulnerabilities.value %}
       <tr>
-        <th style="width: 220px;">Affected by</th>
-        <th>Summary</th>
-        <th>Exploitability</th>
-        <th>Severity</th>
-        <th>Risk</th>
-        <th>Analysis</th>
+        <td>
+          {% include 'scanpipe/includes/vulnerability_id.html' with vulnerability=vulnerability VULNERABLECODE_URL=tab_data.VULNERABLECODE_URL %}
+        </td>
+        <td>
+          {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %}
+        </td>
+        <td>
+          {{ vulnerability.exploitability|default_if_none:"" }}
+        </td>
+        <td>
+          {{ vulnerability.weighted_severity|default_if_none:"" }}
+        </td>
+        <td>
+          {{ vulnerability.risk_score|default_if_none:"" }}
+        </td>
+        <td>
+          {% for key, value in vulnerability.cdx_vulnerability.analysis.items %}
+            <strong>{{ key }}:</strong> {{ value }}{% if not forloop.last %}<br>{% endif %}
+          {% endfor %}
+        </td>
       </tr>
-    </thead>
-    <tbody>
-      {% for vulnerability in tab_data.fields.affected_by_vulnerabilities.value %}
-        <tr>
-          <td>
-            {% include 'scanpipe/includes/vulnerability_id.html' with vulnerability=vulnerability VULNERABLECODE_URL=tab_data.VULNERABLECODE_URL %}
-          </td>
-          <td>
-            {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %}
-          </td>
-          <td>
-            {{ vulnerability.exploitability }}
-          </td>
-          <td>
-            {{ vulnerability.weighted_severity }}
-          </td>
-          <td>
-            {{ vulnerability.risk_score|default_if_none:"" }}
-          </td>
-          <td>
-            {% for key, value in vulnerability.cdx_vulnerability.analysis.items %}
-              <strong>{{ key }}:</strong> {{ value }}{% if not forloop.last %}<br>{% endif %}
-            {% endfor %}
-          </td>
-        </tr>
-      {% endfor %}
-    </tbody>
-  </table>
-</div>
\ No newline at end of file
+    {% endfor %}
+  </tbody>
+</table>
\ No newline at end of file
diff --git a/scanpipe/templates/scanpipe/vulnerability_list.html b/scanpipe/templates/scanpipe/vulnerability_list.html
index 6eb4ed4043..b9b94ad325 100644
--- a/scanpipe/templates/scanpipe/vulnerability_list.html
+++ b/scanpipe/templates/scanpipe/vulnerability_list.html
@@ -23,6 +23,15 @@
             <td>
               {% include 'scanpipe/includes/vulnerability_summary.html' with vulnerability=vulnerability only %}
             </td>
+            <td>
+              {{ vulnerability.exploitability|default_if_none:"" }}
+            </td>
+            <td>
+              {{ vulnerability.weighted_severity|default_if_none:"" }}
+            </td>
+            <td>
+              {{ vulnerability.risk_score|default_if_none:"" }}
+            </td>
             <td>
               {% for obj in vulnerability.affects %}
                 {{ obj }}<br>
diff --git a/scanpipe/views.py b/scanpipe/views.py
index adaa7a5300..997c4d952c 100644
--- a/scanpipe/views.py
+++ b/scanpipe/views.py
@@ -1965,8 +1965,20 @@ class VulnerabilityListView(
 ):
     template_name = "scanpipe/vulnerability_list.html"
     table_columns = [
-        "advisory_id",
+        {
+            "field_name": "advisory_id",
+            "label": "Advisory ID",
+        },
         "summary",
+        "exploitability",
+        {
+            "field_name": "weighted_severity",
+            "label": "Severity",
+        },
+        {
+            "field_name": "risk_score",
+            "label": "Risk",
+        },
         "affects",
     ]
 

From aea2e9d9bf07ef7e3afe7f5b637d117026c89e37 Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@aboutcode.org>
Date: Tue, 14 Apr 2026 10:58:54 +0400
Subject: [PATCH 4/5] Fix some of the failing tests

Signed-off-by: tdruez <tdruez@aboutcode.org>
---
 .../data/cyclonedx/asgiref-3.3.0.cdx.json     | 65 +------------------
 .../django-4.0.10-vulnerability.json          | 58 +----------------
 .../data/cyclonedx/django-4.0.10_as_cdx.json  | 65 +------------------
 scanpipe/tests/pipes/test_vulnerablecode.py   | 15 ++---
 4 files changed, 11 insertions(+), 192 deletions(-)

diff --git a/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json b/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json
index e587c0f2e8..393f5accb5 100644
--- a/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json
+++ b/scanpipe/tests/data/cyclonedx/asgiref-3.3.0.cdx.json
@@ -157,70 +157,9 @@
       ],
       "description": "Django bypasses validation when using one form field to upload multiple files",
       "id": "VCID-589h-ndhj-aaab",
-      "ratings": [
-        {
-          "severity": "critical",
-          "source": {
-            "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
-          },
-          "vector": ""
-        },
-        {
-          "severity": "medium",
-          "source": {
-            "url": "https://groups.google.com/forum/#!forum/django-announce"
-          },
-          "vector": ""
-        },
-        {
-          "score": 6.5,
-          "source": {
-            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json"
-          },
-          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
-        },
-        {
-          "score": 9.8,
-          "source": {
-            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
-          },
-          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-        }
-      ],
-      "references": [
-        {
-          "id": "",
-          "source": {
-            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json"
-          }
-        },
-        {
-          "id": "",
-          "source": {
-            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047"
-          }
-        },
-        {
-          "id": "",
-          "source": {
-            "url": "https://groups.google.com/forum/#!forum/django-announce"
-          }
-        },
-        {
-          "id": "CVE-2023-31047",
-          "source": {
-            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
-          }
-        },
-        {
-          "id": "GHSA-r3xc-prgr-mg9p",
-          "source": {
-            "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
-          }
-        }
-      ],
       "source": {
-        "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
+        "name": "VulnerableCode",
+        "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137"
       }
     }
   ]
diff --git a/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json b/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json
index 0748e85cf6..0f0511c9a9 100644
--- a/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json
+++ b/scanpipe/tests/data/cyclonedx/django-4.0.10-vulnerability.json
@@ -1,63 +1,7 @@
 {
   "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137",
-  "vulnerability_id": "VCID-589h-ndhj-aaab",
+  "advisory_id": "VCID-589h-ndhj-aaab",
   "summary": "Django bypasses validation when using one form field to upload multiple files",
-  "references": [
-    {
-      "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json",
-      "reference_id": "",
-      "scores": [
-        {
-          "value": "6.5",
-          "scoring_system": "cvssv3",
-          "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
-        }
-      ],
-      "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json"
-    },
-    {
-      "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047",
-      "reference_id": "",
-      "scores": [],
-      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047"
-    },
-    {
-      "reference_url": "https://groups.google.com/forum/#!forum/django-announce",
-      "reference_id": "",
-      "scores": [
-        {
-          "value": "Medium",
-          "scoring_system": "generic_textual",
-          "scoring_elements": ""
-        }
-      ],
-      "url": "https://groups.google.com/forum/#!forum/django-announce"
-    },
-    {
-      "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047",
-      "reference_id": "CVE-2023-31047",
-      "scores": [
-        {
-          "value": "9.8",
-          "scoring_system": "cvssv3",
-          "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-        }
-      ],
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
-    },
-    {
-      "reference_url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p",
-      "reference_id": "GHSA-r3xc-prgr-mg9p",
-      "scores": [
-        {
-          "value": "CRITICAL",
-          "scoring_system": "cvssv3.1_qr",
-          "scoring_elements": ""
-        }
-      ],
-      "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
-    }
-  ],
   "weaknesses": [
       {
           "cwe_id": 1,
diff --git a/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json b/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json
index c1c957144c..e328643733 100644
--- a/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json
+++ b/scanpipe/tests/data/cyclonedx/django-4.0.10_as_cdx.json
@@ -9,69 +9,8 @@
   ],
   "description": "Django bypasses validation when using one form field to upload multiple files",
   "id": "VCID-589h-ndhj-aaab",
-  "ratings": [
-    {
-      "severity": "critical",
-      "source": {
-        "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
-      },
-      "vector": ""
-    },
-    {
-      "severity": "medium",
-      "source": {
-        "url": "https://groups.google.com/forum/#!forum/django-announce"
-      },
-      "vector": ""
-    },
-    {
-      "score": 6.5,
-      "source": {
-        "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json"
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
-    },
-    {
-      "score": 9.8,
-      "source": {
-        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
-      },
-      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-    }
-  ],
-  "references": [
-    {
-      "id": "",
-      "source": {
-        "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-31047.json"
-      }
-    },
-    {
-      "id": "",
-      "source": {
-        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047"
-      }
-    },
-    {
-      "id": "",
-      "source": {
-        "url": "https://groups.google.com/forum/#!forum/django-announce"
-      }
-    },
-    {
-      "id": "CVE-2023-31047",
-      "source": {
-        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047"
-      }
-    },
-    {
-      "id": "GHSA-r3xc-prgr-mg9p",
-      "source": {
-        "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
-      }
-    }
-  ],
   "source": {
-    "url": "https://github.com/advisories/GHSA-r3xc-prgr-mg9p"
+    "name": "VulnerableCode",
+    "url": "http://public.vulnerablecode.io/api/vulnerabilities/457137"
   }
 }
\ No newline at end of file
diff --git a/scanpipe/tests/pipes/test_vulnerablecode.py b/scanpipe/tests/pipes/test_vulnerablecode.py
index c42eb53228..1797d4ab8e 100644
--- a/scanpipe/tests/pipes/test_vulnerablecode.py
+++ b/scanpipe/tests/pipes/test_vulnerablecode.py
@@ -71,21 +71,18 @@ def test_scanpipe_pipes_vulnerablecode_fetch_vulnerabilities(
 
     def test_scanpipe_pipes_vulnerablecode_filter_vulnerabilities(self):
         data = self.data / "vulnerablecode/django-5.0_package_data.json"
-        package_data = json.loads(data.read_text())
+        response_json = json.loads(data.read_text())
+        package_data = response_json.get("results")[0]
         vulnerability_data = package_data["affected_by_vulnerabilities"]
-        self.assertEqual(2, len(vulnerability_data))
+        self.assertEqual(24, len(vulnerability_data))
 
         vulnerability1 = vulnerability_data[0]
-        self.assertEqual("VCID-3gge-bre2-aaac", vulnerability1.get("advisory_id"))
+        self.assertEqual("PYSEC-2024-28", vulnerability1.get("advisory_id"))
         ignore_set = {vulnerability1.get("advisory_id")}
-        self.assertEqual(1, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
+        self.assertEqual(23, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
 
         ignore_set = {vulnerability1.get("aliases")[0]}
-        self.assertEqual(1, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
-
-        vulnerability2 = vulnerability_data[1]
-        ignore_set.add(vulnerability2.get("aliases")[1])
-        self.assertEqual([], filter_vulnerabilities(vulnerability_data, ignore_set))
+        self.assertEqual(23, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
 
     def test_scanpipe_pipes_vulnerablecode_chunked(self):
         result = list(chunked([1, 2, 3, 4, 5], 2))

From cc7aa4ee08accb34d34df1c547d477c0f7f0a2da Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@aboutcode.org>
Date: Tue, 14 Apr 2026 15:32:55 +0400
Subject: [PATCH 5/5] Add data migration for VCIO API v3

Signed-off-by: tdruez <tdruez@aboutcode.org>
---
 .../migrations/0080_vulnerablecode_v3_data.py | 34 +++++++++++++++++++
 scanpipe/tests/pipes/test_vulnerablecode.py   |  8 +++--
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 scanpipe/migrations/0080_vulnerablecode_v3_data.py

diff --git a/scanpipe/migrations/0080_vulnerablecode_v3_data.py b/scanpipe/migrations/0080_vulnerablecode_v3_data.py
new file mode 100644
index 0000000000..f89b0dd8c6
--- /dev/null
+++ b/scanpipe/migrations/0080_vulnerablecode_v3_data.py
@@ -0,0 +1,34 @@
+# Generated by Django 6.0.3 on 2026-04-14 11:10
+
+from django.db import migrations
+from django.db.models import Q
+
+
+def add_advisory_id(apps, schema_editor):
+    """Copy vulnerability_id to advisory_id in affected_by_vulnerabilities entries."""
+    DiscoveredPackage = apps.get_model("scanpipe", "DiscoveredPackage")
+    DiscoveredDependency = apps.get_model("scanpipe", "DiscoveredDependency")
+    EMPTY_VALUES = [None, [], ""]
+
+    vulnerable = ~Q(affected_by_vulnerabilities__in=EMPTY_VALUES)
+
+    for model in [DiscoveredPackage, DiscoveredDependency]:
+        for instance in model.objects.filter(vulnerable):
+            for entry in instance.affected_by_vulnerabilities:
+                if "advisory_id" not in entry:
+                    entry["advisory_id"] = entry.get("vulnerability_id", "")
+            instance.save(update_fields=["affected_by_vulnerabilities"])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('scanpipe', '0079_apitoken_data'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            add_advisory_id,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
diff --git a/scanpipe/tests/pipes/test_vulnerablecode.py b/scanpipe/tests/pipes/test_vulnerablecode.py
index 1797d4ab8e..df38f65ef9 100644
--- a/scanpipe/tests/pipes/test_vulnerablecode.py
+++ b/scanpipe/tests/pipes/test_vulnerablecode.py
@@ -79,10 +79,14 @@ def test_scanpipe_pipes_vulnerablecode_filter_vulnerabilities(self):
         vulnerability1 = vulnerability_data[0]
         self.assertEqual("PYSEC-2024-28", vulnerability1.get("advisory_id"))
         ignore_set = {vulnerability1.get("advisory_id")}
-        self.assertEqual(23, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
+        self.assertEqual(
+            23, len(filter_vulnerabilities(vulnerability_data, ignore_set))
+        )
 
         ignore_set = {vulnerability1.get("aliases")[0]}
-        self.assertEqual(23, len(filter_vulnerabilities(vulnerability_data, ignore_set)))
+        self.assertEqual(
+            23, len(filter_vulnerabilities(vulnerability_data, ignore_set))
+        )
 
     def test_scanpipe_pipes_vulnerablecode_chunked(self):
         result = list(chunked([1, 2, 3, 4, 5], 2))