aboutcode-org · tdruez · Dec 27, 2024 · Dec 19, 2024 · Dec 20, 2024 · Dec 20, 2024
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -67,6 +67,19 @@ Release notes
   menu.
   https://github.com/aboutcode-org/dejacode/issues/107
 
+- Add exposure_factor field to the ProductItemPurpose model and a weighted_risk_score
+  on the ProductPackage model.
+  The weighted_risk_score is computed from the package.risk_score and
+  purpose.exposure_factor values.
+  https://github.com/aboutcode-org/dejacode/issues/102
+
+- Add the vulnerability icon in Product list view.
+  A "Is Vulnerable" filter is also available.
+  The count in the Vulnerability tab was improve to include the count of affected
+  packages and the count of unique vulnerabilities.
+  Note that those count reflect the current risk threshold.
+  https://github.com/aboutcode-org/dejacode/issues/102
+
 ### Version 5.2.1
 
 - Fix the models documentation navigation.

diff --git a/component_catalog/filters.py b/component_catalog/filters.py
@@ -43,6 +43,15 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
 
+class IsVulnerableBooleanFilter(IsVulnerableFilter):
+    def filter(self, qs, value):
+        if value == "yes":
+            return qs.filter(**{f"{self.field_name}": True})
+        elif value == "no":
+            return qs.filter(**{f"{self.field_name}": False})
+        return qs
+
+
 class ComponentFilterSet(DataspacedFilterSet):
     related_only = [
         "licenses",

diff --git a/dejacode/static/css/dejacode_bootstrap.css b/dejacode/static/css/dejacode_bootstrap.css
@@ -385,7 +385,7 @@ table.vulnerabilities-table .column-summary {
 
 /* -- Vulnerability tab -- */
 #tab_vulnerabilities .column-vulnerability_id {
-  width: 210px;
+  width: 230px;
 }
 #tab_vulnerabilities .column-affected_packages {
   min-width: 250px;
@@ -396,23 +396,24 @@ table.vulnerabilities-table .column-summary {
 #tab_vulnerabilities .column-weighted_severity {
   width: 105px;
 }
-#tab_vulnerabilities .column-risk_score {
+#tab_vulnerabilities .column-risk_score,
+#tab_vulnerabilities .column-weighted_risk_score{
   width: 80px;
 }
 #tab_vulnerabilities .column-summary {
   width: 300px;
 }
 #tab_vulnerabilities .column-vulnerability_analyses__state {
-  min-width: 105px;
+  min-width: 125px;
 }
 #tab_vulnerabilities .column-vulnerability_analyses__justification {
   min-width: 130px;
 }
 #tab_vulnerabilities .column-vulnerability_analyses__responses {
-  min-width: 120px;
+  width: 185px;
 }
 #tab_vulnerabilities .column-vulnerability_analyses__is_reachable {
-  min-width: 80px;
+  width: 80px;
 }
 /* -- Vulnerability analysis modal -- */
 #vulnerability-analysis-modal #div_id_responses .form-check {

diff --git a/dje/models.py b/dje/models.py
@@ -863,15 +863,38 @@ def update_from_data(self, user, data, override=False, override_unknown=False):
 
     def update(self, **kwargs):
         """
-        Update this instance with the provided ``kwargs`` values.
-        The full ``save()`` process will be triggered, including signals, and the
-        ``update_fields`` is automatically set.
+        Update this instance with the provided field values.
+
+        This method modifies the specified fields on the current instance and triggers
+        the full ``save()`` lifecycle, including calling signals like ``pre_save`` and
+        ``post_save``.
+        The ``update_fields`` parameter is automatically set to limit the save
+        operation to the updated fields.
         """
         for field_name, value in kwargs.items():
             setattr(self, field_name, value)
 
         self.save(update_fields=list(kwargs.keys()))
 
+    def raw_update(self, **kwargs):
+        """
+         Perform a direct SQL UPDATE on this instance.
+
+        This method updates the specified fields in the database without triggering
+        the ``save()`` lifecycle or related signals. It bypasses field validation and
+        other ORM hooks for improved performance, but requires careful usage to avoid
+        inconsistent states.
+
+        The instance's in-memory attributes are updated to reflect the changes.
+        """
+        updated_rows = self.__class__.objects.filter(pk=self.pk).update(**kwargs)
+
+        # Update the instance's attributes in memory
+        for field_name, value in kwargs.items():
+            setattr(self, field_name, value)
+
+        return updated_rows
+
     def as_json(self):
         try:
             serialized_data = serialize(

diff --git a/dje/templates/tabs/pagination.html b/dje/templates/tabs/pagination.html
@@ -4,7 +4,7 @@
     <ul class="nav nav-pills">
       <li class="nav-item">
         <form id="tab-{{ tab_id }}-search-form" class="mt-md-0 me-sm-2">
-          <input style="width: 250px;" type="text" class="form-control form-control-sm" id="tab-{{ tab_id }}-search-input" name="{{ tab_id }}-q" placeholder="Search {{ tab_id }}" aria-label="Search" autocomplete="off" value="{{ search_query|escape }}">
+          <input style="width: 250px;" type="text" class="form-control form-control-sm" id="tab-{{ tab_id }}-search-input" name="{{ tab_id }}-q" placeholder="Search {% if search_verbose_name %}{{ search_verbose_name }}{% else %}{{ tab_id }}{% endif %}" aria-label="Search" autocomplete="off" value="{{ search_query|escape }}">
         </form>
       </li>
       <li class="nav-item">

diff --git a/dje/tests/testfiles/test_dataset_pp_only.json b/dje/tests/testfiles/test_dataset_pp_only.json
@@ -125,7 +125,8 @@
     "icon": "",
     "color_code": "",
     "label": "Core",
-    "text": "The functional code used to execute the application features of the product."
+    "text": "The functional code used to execute the application features of the product.",
+    "exposure_factor": null
   }
 },
 {
@@ -157,6 +158,7 @@
     ],
     "feature": "",
     "issue_ref": "",
+    "weighted_risk_score": null,
     "component": null,
     "license_expression": "apache-2.0",
     "name": "c1",
@@ -197,6 +199,7 @@
     ],
     "feature": "",
     "issue_ref": "",
+    "weighted_risk_score": null,
     "package": [
       "nexB",
       "b91a9a06-b709-45a4-ac8e-a57bde0c8f38"

diff --git a/docs/images/howto-4-product-vulnerability-analysis/vulnerabilities-tab.jpg b/docs/images/howto-4-product-vulnerability-analysis/vulnerabilities-tab.jpg
diff --git a/docs/images/howto-4-product-vulnerability-analysis/vulnerability-row.jpg b/docs/images/howto-4-product-vulnerability-analysis/vulnerability-row.jpg
diff --git a/docs/images/reference-vulnerability-management/risk-threshold-link.jpg b/docs/images/reference-vulnerability-management/risk-threshold-link.jpg
diff --git a/docs/images/reference-vulnerability-management/vulnerabilities-tab-product.jpg b/docs/images/reference-vulnerability-management/vulnerabilities-tab-product.jpg
diff --git a/docs/images/tutorial-4-vulnerabilities/vulnerabilities-tab-with-analysis.jpg b/docs/images/tutorial-4-vulnerabilities/vulnerabilities-tab-with-analysis.jpg
diff --git a/docs/images/tutorial-4-vulnerabilities/vulnerabilities-tab.jpg b/docs/images/tutorial-4-vulnerabilities/vulnerabilities-tab.jpg
diff --git a/product_portfolio/admin.py b/product_portfolio/admin.py
@@ -143,6 +143,7 @@ class ProductItemPurposeAdmin(ColoredIconAdminMixin, BaseStatusAdmin):
         AsColored("color_code"),
         "colored_icon",
         "default_on_addition",
+        "exposure_factor",
         "get_dataspace",
     )
     fieldsets = (
@@ -155,6 +156,7 @@ class ProductItemPurposeAdmin(ColoredIconAdminMixin, BaseStatusAdmin):
                     "icon",
                     "color_code",
                     "default_on_addition",
+                    "exposure_factor",
                     "dataspace",
                     "uuid",
                 )

diff --git a/product_portfolio/filters.py b/product_portfolio/filters.py
@@ -14,6 +14,7 @@
 import django_filters
 from packageurl.contrib.django.utils import purl_to_lookups
 
+from component_catalog.filters import IsVulnerableBooleanFilter
 from component_catalog.filters import IsVulnerableFilter
 from component_catalog.models import ComponentKeyword
 from component_catalog.programming_languages import PROGRAMMING_LANGUAGES
@@ -36,6 +37,7 @@
 from vulnerabilities.filters import RISK_SCORE_RANGES
 from vulnerabilities.filters import ScoreRangeFilter
 from vulnerabilities.models import Vulnerability
+from vulnerabilities.models import VulnerabilityAnalysisMixin
 
 
 class ProductFilterSet(DataspacedFilterSet):
@@ -107,8 +109,8 @@ class ProductFilterSet(DataspacedFilterSet):
             search_placeholder="Search keywords",
         ),
     )
-    is_vulnerable = IsVulnerableFilter(
-        field_name="packages__affected_by_vulnerabilities",
+    is_vulnerable = IsVulnerableBooleanFilter(
+        label=_("Is Vulnerable"),
         widget=DropDownRightWidget(link_content='<i class="fas fa-bug"></i>'),
     )
     affected_by = django_filters.CharFilter(
@@ -129,6 +131,10 @@ class Meta:
 
 class BaseProductRelationFilterSet(DataspacedFilterSet):
     field_name_prefix = None
+    dropdown_fields = [
+        "is_modified",
+        "weighted_risk_score",
+    ]
     is_deployed = BooleanChoiceFilter(
         empty_label="All (Inventory)",
         choices=(
@@ -161,7 +167,7 @@ class BaseProductRelationFilterSet(DataspacedFilterSet):
         label=_("Severity"),
         score_ranges=RISK_SCORE_RANGES,
     )
-    risk_score = ScoreRangeFilter(
+    weighted_risk_score = ScoreRangeFilter(
         label=_("Risk score"),
         score_ranges=RISK_SCORE_RANGES,
     )
@@ -192,12 +198,8 @@ def __init__(self, *args, **kwargs):
         self.filters["purpose"].extra["to_field_name"] = "label"
         self.filters["purpose"].extra["widget"] = DropDownWidget(anchor=self.anchor)
 
-        self.filters["is_modified"].extra["widget"] = DropDownWidget(
-            anchor=self.anchor, right_align=True
-        )
-
         field_name_prefix = self.field_name_prefix
-        for field_name in ["exploitability", "weighted_severity", "risk_score"]:
+        for field_name in ["exploitability", "weighted_severity"]:
             field = self.filters[field_name]
             field.extra["widget"] = DropDownWidget(anchor=self.anchor)
             field.field_name = f"{field_name_prefix}__{field_name}"
@@ -249,6 +251,14 @@ class Meta:
 
 class ProductPackageFilterSet(BaseProductRelationFilterSet):
     field_name_prefix = "package"
+    dropdown_fields = [
+        "is_modified",
+        "weighted_risk_score",
+        "vulnerability_analyses__state",
+        "vulnerability_analyses__justification",
+        "responses",
+        "is_reachable",
+    ]
     q = SearchFilter(
         label=_("Search"),
         search_fields=[
@@ -274,6 +284,7 @@ class ProductPackageFilterSet(BaseProductRelationFilterSet):
             "feature",
             "is_deployed",
             "is_modified",
+            "weighted_risk_score",
         ],
     )
     is_vulnerable = IsVulnerableFilter(
@@ -282,6 +293,20 @@ class ProductPackageFilterSet(BaseProductRelationFilterSet):
             anchor="#inventory", right_align=True, link_content='<i class="fas fa-bug"></i>'
         ),
     )
+    responses = django_filters.ChoiceFilter(
+        field_name="vulnerability_analyses__responses",
+        lookup_expr="icontains",
+        choices=VulnerabilityAnalysisMixin.Response.choices,
+    )
+    is_reachable = BooleanChoiceFilter(
+        field_name="vulnerability_analyses__is_reachable",
+        empty_label="All",
+        choices=(
+            ("yes", _("Reachable")),
+            ("no", _("Not reachable")),
+            ("unknown", _("Reachability not known")),
+        ),
+    )
 
     class Meta:
         model = ProductPackage
@@ -291,8 +316,17 @@ class Meta:
             "object_type",
             "is_deployed",
             "is_modified",
+            "vulnerability_analyses__state",
+            "vulnerability_analyses__justification",
+            "is_reachable",
+            "exploitability",
         ]
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.filters["vulnerability_analyses__state"].extra["null_label"] = "(No values)"
+        self.filters["vulnerability_analyses__justification"].extra["null_label"] = "(No values)"
+
 
 class ComponentCompletenessListFilter(admin.SimpleListFilter):
     """

diff --git a/product_portfolio/migrations/0010_productcomponent_weighted_risk_score_and_more.py b/product_portfolio/migrations/0010_productcomponent_weighted_risk_score_and_more.py
@@ -0,0 +1,93 @@
+# Generated by Django 5.0.9 on 2024-12-24 14:37
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('product_portfolio', '0009_product_vulnerabilities_risk_threshold'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='productcomponent',
+            name='weighted_risk_score',
+            field=models.DecimalField(blank=True, decimal_places=1, help_text="Risk score (0.0 to 10.0), where higher values indicate greater vulnerability. Calculated as the weighted severity times exploitability (capped at 10), adjusted by the exposure risk factor of the product item's purpose.", max_digits=3, null=True),
+        ),
+        migrations.AddField(
+            model_name='productitempurpose',
+            name='exposure_factor',
+            field=models.DecimalField(blank=True, decimal_places=1, help_text='A number between 0.0 and 1.0 that identifies the vulnerability exposure risk of a package as it is actually used in the context of a product, with 1.0 being the highest exposure risk and 0.0 being no exposure risk at all.', max_digits=2, null=True, validators=[django.core.validators.MaxValueValidator(1.0), django.core.validators.MinValueValidator(0.0)]),
+        ),
+        migrations.AddField(
+            model_name='productpackage',
+            name='weighted_risk_score',
+            field=models.DecimalField(blank=True, decimal_places=1, help_text="Risk score (0.0 to 10.0), where higher values indicate greater vulnerability. Calculated as the weighted severity times exploitability (capped at 10), adjusted by the exposure risk factor of the product item's purpose.", max_digits=3, null=True),
+        ),
+        migrations.RunSQL(
+            """
+            DROP VIEW IF EXISTS product_portfolio_productinventoryitem;
+            CREATE VIEW product_portfolio_productinventoryitem
+            AS
+              SELECT
+                pc.uuid,
+                pc.component_id,
+                NULL as package_id,
+                CONCAT(component.name, ' ', component.version) as item,
+                'component' as item_type,
+                pc.dataspace_id,
+                pc.product_id,
+                pc.review_status_id,
+                pc.feature,
+                component.usage_policy_id,
+                pc.created_date,
+                pc.last_modified_date,
+                pc.reference_notes,
+                pc.purpose_id,
+                pc.notes,
+                pc.is_deployed,
+                pc.is_modified,
+                pc.extra_attribution_text,
+                pc.package_paths,
+                pc.issue_ref,
+                pc.weighted_risk_score,
+                pc.license_expression,
+                pc.created_by_id,
+                pc.last_modified_by_id
+              FROM product_portfolio_productcomponent AS pc
+              INNER JOIN component_catalog_component AS component ON pc.component_id=component.id
+              UNION ALL
+              SELECT
+                pp.uuid,
+                NULL as component_id,
+                pp.package_id,
+                package.filename as item,
+                'package' as item_type,
+                pp.dataspace_id,
+                pp.product_id,
+                pp.review_status_id,
+                pp.feature,
+                package.usage_policy_id,
+                pp.created_date,
+                pp.last_modified_date,
+                pp.reference_notes,
+                pp.purpose_id,
+                pp.notes,
+                pp.is_deployed,
+                pp.is_modified,
+                pp.extra_attribution_text,
+                pp.package_paths,
+                pp.issue_ref,
+                pp.weighted_risk_score,
+                pp.license_expression,
+                pp.created_by_id,
+                pp.last_modified_by_id
+              FROM product_portfolio_productpackage AS pp
+              INNER JOIN component_catalog_package AS package ON pp.package_id=package.id
+            ;
+            """,
+            reverse_sql="DROP VIEW IF EXISTS product_portfolio_productinventoryitem;"
+        ),
+    ]