Adress review comments

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/importer.py

@@ -110,7 +110,7 @@ def to_dict(self):
     @classmethod
     def from_dict(cls, ref: dict):
         return cls(
-            reference_id=ref["reference_id"],
+            reference_type=ref.get("reference_type") or "",
             reference_type=ref["reference_type"],
             url=ref["url"],
             severities=[

vulnerabilities/models.py

@@ -7,9 +7,11 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+import csv
 import hashlib
 import json
 import logging
+import xml.etree.ElementTree as ET
 from contextlib import suppress
 from functools import cached_property
 from itertools import groupby
@@ -20,6 +22,8 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from cwe2.database import Database
+from cwe2.mappings import xml_database_path
+from cwe2.weakness import Weakness as DBWeakness
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import UserManager
 from django.core import exceptions
@@ -46,7 +50,6 @@
 from univers.version_range import AlpineLinuxVersionRange
 from univers.versions import Version
 
-from aboutcode import hashid
 from vulnerabilities import utils
 from vulnerabilities.severity_systems import EPSS
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
@@ -467,14 +470,48 @@ def get_severity_vectors_and_values(self):
         return severity_vectors, severity_values
 
 
+def get_cwes(self):
+    """Yield CWE Weakness objects"""
+    for cwe_category in self.cwe_files:
+        cwe_category.seek(0)
+        reader = csv.DictReader(cwe_category)
+        for row in reader:
+            yield DBWeakness(*list(row.values())[0:-1])
+    tree = ET.parse(xml_database_path)
+    root = tree.getroot()
+    for tag_num in [1, 2]:  # Categories , Views
+        tag = root[tag_num]
+        for child in tag:
+            yield DBWeakness(
+                *[
+                    child.attrib["ID"],
+                    child.attrib.get("Name"),
+                    None,
+                    child.attrib.get("Status"),
+                    child[0].text,
+                ]
+            )
+
+
+Database.get_cwes = get_cwes
+
+
 class Weakness(models.Model):
     """
     A Common Weakness Enumeration model
     """
 
     cwe_id = models.IntegerField(help_text="CWE id")
     vulnerabilities = models.ManyToManyField(Vulnerability, related_name="weaknesses")
-    db = Database()
+
+    cwe_by_id = {}
+
+    def get_cwe(self, cwe_id):
+        if not self.cwe_by_id:
+            db = Database()
+            for weakness in db.get_cwes():
+                self.cwe_by_id[str(weakness.cwe_id)] = weakness
+        return self.cwe_by_id[cwe_id]
 
     @property
     def cwe(self):
@@ -486,7 +523,7 @@ def weakness(self):
         Return a queryset of Weakness for this vulnerability.
         """
         try:
-            weakness = self.db.get(self.cwe_id)
+            weakness = self.get_cwe(str(self.cwe_id))
             return weakness
         except Exception as e:
             logger.warning(f"Could not find CWE {self.cwe_id}: {e}")

vulnerabilities/templates/vulnerability_details.html

@@ -503,60 +503,48 @@
             </div>
 
 
-            {% for severity in severities %}
-            {% if severity.scoring_system == 'epss' %}
-                <div class="tab-div content" data-content="epss">
-                <div class="has-text-weight-bold tab-nested-div ml-1 mb-1 mt-1">
-                    Exploit Prediction Scoring System
-                </div>
-                <table class="table vcio-table width-100-pct mt-2">
+            <div class="tab-div content" data-content="epss">
+                {% if epss_data %}
+                    <div class="has-text-weight-bold tab-nested-div ml-1 mb-1 mt-1">
+                        Exploit Prediction Scoring System (EPSS)
+                    </div>
+                    <table class="table vcio-table width-100-pct mt-2">
                         <tbody>
                             <tr>
                                 <td class="two-col-left">
                                     <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
-                                            data-tooltip="the percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score">
-                                            Percentile
+                                          data-tooltip="The percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score">
+                                          Percentile
                                     </span>
                                 </td>
-                                <td class="two-col-right">{{ severity.scoring_elements }}</td>
+                                <td class="two-col-right">{{ epss_data.percentile }}</td>
                             </tr>
-
                             <tr>
                                 <td class="two-col-left">
                                     <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
-                                            data-tooltip="the EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication)">
-                                            EPSS score
+                                          data-tooltip="The EPSS score represents the probability [0-1] of exploitation in the wild in the next 30 days.">
+                                          EPSS Score
                                     </span>
                                 </td>
-                                <td class="two-col-right">{{ severity.value }}</td>
+                                <td class="two-col-right">{{ epss_data.score }}</td>
                             </tr>
-
-                        {% if  severity.published_at %}
+                            {% if epss_data.published_at %}
                             <tr>
                                 <td class="two-col-left">
-                                    <span
-                                    class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
-                                    data-tooltip="When was the time we fetched epss">
-                                    Published at
+                                    <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
+                                          data-tooltip="Date when the EPSS score was published.">
+                                          Published At
                                     </span>
                                 </td>
-                                <td class="two-col-right">{{ severity.published_at }}</td>
+                                <td class="two-col-right">{{ epss_data.published_at }}</td>
                             </tr>
-                        {% endif %}
-
+                            {% endif %}
                         </tbody>
-                </table>
+                    </table>
+                {% else %}
+                    <p>No EPSS data available for this vulnerability.</p>
+                {% endif %}
             </div>
-            {% endif %}
-        {% empty %}
-             <div class="tab-div content" data-content="epss">
-                  <tr>
-                        <td>
-                           There are no EPSS available.
-                        </td>
-                  </tr>
-             </div>
-        {% endfor %}
 
         <div class="tab-div content" data-content="history">
             <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">

vulnerabilities/views.py

@@ -156,26 +156,36 @@ class VulnerabilityDetails(DetailView):
     slug_field = "vulnerability_id"
 
     def get_queryset(self):
-        """
-        Prefetch and optimize related data to minimize database hits.
-        """
         return (
             super()
             .get_queryset()
             .select_related()
             .prefetch_related(
-                "references",
-                "aliases",
-                "weaknesses",
-                "severities",
-                "exploits",
                 Prefetch(
-                    "affecting_packages",
-                    queryset=models.Package.objects.only("type", "namespace", "name", "version"),
+                    "references",
+                    queryset=models.VulnerabilityReference.objects.only(
+                        "reference_id", "reference_type", "url"
+                    ),
                 ),
                 Prefetch(
-                    "fixed_by_packages",
-                    queryset=models.Package.objects.only("type", "namespace", "name", "version"),
+                    "aliases",
+                    queryset=models.Alias.objects.only("alias"),
+                ),
+                Prefetch(
+                    "weaknesses",
+                    queryset=models.Weakness.objects.only("cwe_id"),
+                ),
+                Prefetch(
+                    "severities",
+                    queryset=models.VulnerabilitySeverity.objects.only(
+                        "scoring_system", "value", "url", "scoring_elements", "published_at"
+                    ),
+                ),
+                Prefetch(
+                    "exploits",
+                    queryset=models.Exploit.objects.only(
+                        "data_source", "description", "required_action", "due_date", "notes"
+                    ),
                 ),
             )
         )
@@ -195,20 +205,35 @@ def get_context_data(self, **kwargs):
         ]
 
         valid_severities = self.object.severities.exclude(scoring_system=EPSS.identifier).filter(
-            scoring_elements__isnull=False, 
-            scoring_system__in=SCORING_SYSTEMS.keys()
+            scoring_elements__isnull=False, scoring_system__in=SCORING_SYSTEMS.keys()
         )
 
         severity_vectors = []
 
         for severity in valid_severities:
             try:
-                vector_values = SCORING_SYSTEMS[severity.scoring_system].get(severity.scoring_elements)
+                vector_values = SCORING_SYSTEMS[severity.scoring_system].get(
+                    severity.scoring_elements
+                )
                 if vector_values:
                     severity_vectors.append({"vector": vector_values, "origin": severity.url})
-            except (CVSS2MalformedError, CVSS3MalformedError, CVSS4MalformedError, NotImplementedError):
+            except (
+                CVSS2MalformedError,
+                CVSS3MalformedError,
+                CVSS4MalformedError,
+                NotImplementedError,
+            ):
                 logging.error(f"CVSSMalformedError for {severity.scoring_elements}")
 
+        epss_severity = vulnerability.severities.filter(scoring_system="epss").first()
+        epss_data = None
+        if epss_severity:
+            epss_data = {
+                "percentile": epss_severity.scoring_elements,
+                "score": epss_severity.value,
+                "published_at": epss_severity.published_at,
+            }
+
         context.update(
             {
                 "vulnerability": vulnerability,
@@ -220,6 +245,7 @@ def get_context_data(self, **kwargs):
                 "weaknesses": weaknesses_present_in_db,
                 "status": vulnerability.get_status_label,
                 "history": vulnerability.history,
+                "epss_data": epss_data,
             }
         )
         return context