Add SSVC trees, resource URL and max_advisories

CHANGELOG.rst

@@ -5,7 +5,10 @@ next release
 ---------------------
 
 - WARNING: Vulnerablecode V1 API and UI has stopped supporting Ubuntu OVAL advisories, please shift to V3 API for new Ubuntu advisories.
-- Add attribute ``pipeline_id`` to AdvisoryV2 to track the pipeline that created the advisory, also rename existing ``datasource_id`` and AVIDs. 
+- WARNING: We will deprecate improver pipelines for calculating package version rank and grouping advisories for packages in the next release, we are doing it at advisory import time instead of as separate pipelines, this will improve the performance and consistency of the data.
+- Calculate package verion rank, group advisories for packages and package risk score and advisory risk score during import of advisories.
+- Add attribute ``pipeline_id`` to AdvisoryV2 to track the pipeline that created the advisory, also rename existing ``datasource_id`` and AVIDs.
+
 
 Version v38.6.0
 ---------------------

vulnerabilities/improvers/__init__.py

@@ -9,30 +9,24 @@
 
 from vulnerabilities.improvers import valid_versions
 from vulnerabilities.improvers import vulnerability_status
-from vulnerabilities.pipelines import add_cvss31_to_CVEs
 from vulnerabilities.pipelines import compute_package_risk
 from vulnerabilities.pipelines import compute_package_version_rank
 from vulnerabilities.pipelines import enhance_with_exploitdb
 from vulnerabilities.pipelines import enhance_with_kev
 from vulnerabilities.pipelines import enhance_with_metasploit
 from vulnerabilities.pipelines import flag_ghost_packages
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
-from vulnerabilities.pipelines import remove_duplicate_advisories
 from vulnerabilities.pipelines.v2_improvers import archive_urls
 from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees
 from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
-from vulnerabilities.pipelines.v2_improvers import (
-    computer_package_version_rank as compute_version_rank_v2,
-)
 from vulnerabilities.pipelines.v2_improvers import enhance_with_exploitdb as exploitdb_v2
 from vulnerabilities.pipelines.v2_improvers import enhance_with_github_poc
 from vulnerabilities.pipelines.v2_improvers import enhance_with_kev as enhance_with_kev_v2
 from vulnerabilities.pipelines.v2_improvers import (
     enhance_with_metasploit as enhance_with_metasploit_v2,
 )
 from vulnerabilities.pipelines.v2_improvers import flag_ghost_packages as flag_ghost_packages_v2
-from vulnerabilities.pipelines.v2_improvers import group_advisories_for_packages
 from vulnerabilities.pipelines.v2_improvers import reference_collect_commits
 from vulnerabilities.pipelines.v2_improvers import relate_severities
 from vulnerabilities.pipelines.v2_improvers import unfurl_version_range as unfurl_version_range_v2
@@ -62,20 +56,16 @@
         enhance_with_exploitdb.ExploitDBImproverPipeline,
         compute_package_risk.ComputePackageRiskPipeline,
         compute_package_version_rank.ComputeVersionRankPipeline,
-        add_cvss31_to_CVEs.CVEAdvisoryMappingPipeline,
-        remove_duplicate_advisories.RemoveDuplicateAdvisoriesPipeline,
         populate_vulnerability_summary_pipeline.PopulateVulnerabilitySummariesPipeline,
         exploitdb_v2.ExploitDBImproverPipeline,
         enhance_with_kev_v2.VulnerabilityKevPipeline,
         flag_ghost_packages_v2.FlagGhostPackagePipeline,
         enhance_with_metasploit_v2.MetasploitImproverPipeline,
         compute_package_risk_v2.ComputePackageRiskPipeline,
-        compute_version_rank_v2.ComputeVersionRankPipeline,
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         collect_ssvc_trees.CollectSSVCPipeline,
         relate_severities.RelateSeveritiesPipeline,
         archive_urls.ArchiveImproverPipeline,
-        group_advisories_for_packages.GroupAdvisoriesForPackages,
         compute_advisory_todo_v2.ComputeToDo,
         reference_collect_commits.CollectReferencesFixCommitsPipeline,
         enhance_with_github_poc.GithubPocsImproverPipeline,

vulnerabilities/migrations/0133_alter_advisoryv2_advisory_id_alter_advisoryv2_avid_and_more.py

@@ -0,0 +1,48 @@
+# Generated by Django 5.2.11 on 2026-05-26 08:07
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0132_migrate_advisoryv2_datasource_ids"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="advisory_id",
+            field=models.CharField(
+                db_index=True,
+                help_text="An advisory is a unique vulnerability identifier in some database, such as PYSEC-2020-2233",
+                max_length=200,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="avid",
+            field=models.CharField(
+                help_text="Unique ID for the datasource used for this advisory .e.g.: pysec_importer_v2/PYSEC-2020-2233",
+                max_length=250,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="datasource_id",
+            field=models.CharField(
+                db_index=True,
+                help_text="Unique ID for the datasource used for this advisory .e.g.: nginx",
+                max_length=50,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="pipeline_id",
+            field=models.CharField(
+                db_index=True,
+                help_text="Unique ID for the pipeline used for this advisory .e.g.: nginx_importer_v2",
+                max_length=50,
+            ),
+        ),
+    ]

vulnerabilities/migrations/0134_alter_advisoryset_unique_together.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.11 on 2026-05-28 13:58
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0133_alter_advisoryv2_advisory_id_alter_advisoryv2_avid_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterUniqueTogether(
+            name="advisoryset",
+            unique_together={("package", "relation_type", "primary_advisory")},
+        ),
+    ]

vulnerabilities/migrations/0135_advisoryv2__all_impacts_unfurled.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.2.11 on 2026-06-01 10:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0134_alter_advisoryset_unique_together"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="_all_impacts_unfurled",
+            field=models.BooleanField(
+                default=False,
+                help_text="Indicates whether all impacts for this advisory have been unfurled.",
+            ),
+        ),
+    ]

vulnerabilities/migrations/0136_impactedpackage_vulnerabili_advisor_1e3414_idx.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.2.11 on 2026-06-01 11:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0135_advisoryv2__all_impacts_unfurled"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="impactedpackage",
+            index=models.Index(
+                fields=["advisory", "last_range_unfurl_at"], name="vulnerabili_advisor_1e3414_idx"
+            ),
+        ),
+    ]