aboutcode-org
diff --git a/‎vulnerabilities/migrations/0115_impactedpackageaffecting_and_more.py‎
Lines changed: 107 additions & 0 deletions b/‎vulnerabilities/migrations/0115_impactedpackageaffecting_and_more.py‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎vulnerabilities/models.py‎
Lines changed: 49 additions & 3 deletions b/‎vulnerabilities/models.py‎
Lines changed: 49 additions & 3 deletions
diff --git a/‎vulnerabilities/pipelines/enhance_with_exploitdb.py‎
Lines changed: 8 additions & 11 deletions b/‎vulnerabilities/pipelines/enhance_with_exploitdb.py‎
Lines changed: 8 additions & 11 deletions
diff --git a/‎vulnerabilities/pipelines/enhance_with_kev.py‎
Lines changed: 22 additions & 19 deletions b/‎vulnerabilities/pipelines/enhance_with_kev.py‎
Lines changed: 22 additions & 19 deletions
diff --git a/‎vulnerabilities/pipelines/enhance_with_metasploit.py‎
Lines changed: 6 additions & 8 deletions b/‎vulnerabilities/pipelines/enhance_with_metasploit.py‎
Lines changed: 6 additions & 8 deletions
@@ -0,0 +1,107 @@
+# Generated by Django 5.2.11 on 2026-02-19 11:12
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0114_advisoryv2_related_advisory_severities"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="affecting_packages",
+        ),
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="fixed_by_packages",
+        ),
+        migrations.AlterField(
+            model_name="advisoryv2",
+            name="date_collected",
+            field=models.DateTimeField(
+                auto_now_add=True,
+                db_index=True,
+                help_text="UTC Date on which the advisory was collected",
+            ),
+        ),
+        migrations.CreateModel(
+            name="ImpactedPackageAffecting",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True, db_index=True)),
+                (
+                    "impacted_package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="vulnerabilities.impactedpackage",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.packagev2"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("impacted_package", "package")},
+            },
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="affecting_packages",
+            field=models.ManyToManyField(
+                help_text="Packages vulnerable to this impact.",
+                related_name="affected_in_impacts",
+                through="vulnerabilities.ImpactedPackageAffecting",
+                to="vulnerabilities.packagev2",
+            ),
+        ),
+        migrations.CreateModel(
+            name="ImpactedPackageFixedBy",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True, db_index=True)),
+                (
+                    "impacted_package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="vulnerabilities.impactedpackage",
+                    ),
+                ),
+                (
+                    "package",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.packagev2"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("impacted_package", "package")},
+            },
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="fixed_by_packages",
+            field=models.ManyToManyField(
+                help_text="Packages fixing the vulnerable packages in this impact.",
+                related_name="fixed_in_impacts",
+                through="vulnerabilities.ImpactedPackageFixedBy",
+                to="vulnerabilities.packagev2",
+            ),
+        ),
+    ]
@@ -2961,9 +2961,15 @@ class AdvisoryV2(models.Model):
     )
 
     date_published = models.DateTimeField(
-        blank=True, null=True, help_text="UTC Date of publication of the advisory"
+        blank=True,
+        null=True,
+        help_text="UTC Date of publication of the advisory",
+    )
+    date_collected = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+        help_text="UTC Date on which the advisory was collected",
     )
-    date_collected = models.DateTimeField(help_text="UTC Date on which the advisory was collected")
 
     original_advisory_text = models.TextField(
         blank=True,
@@ -3137,13 +3143,15 @@ class ImpactedPackage(models.Model):
     affecting_packages = models.ManyToManyField(
         "PackageV2",
         related_name="affected_in_impacts",
+        through="ImpactedPackageAffecting",
         help_text="Packages vulnerable to this impact.",
     )
 
     fixed_by_packages = models.ManyToManyField(
         "PackageV2",
         related_name="fixed_in_impacts",
-        help_text="Packages vulnerable to this impact.",
+        through="ImpactedPackageFixedBy",
+        help_text="Packages fixing the vulnerable packages in this impact.",
     )
 
     introduced_by_package_commit_patches = models.ManyToManyField(
@@ -3491,6 +3499,44 @@ def current_version(self):
         return self.version_class(self.version)
 
 
+class ImpactedPackageAffecting(models.Model):
+    impacted_package = models.ForeignKey(
+        ImpactedPackage,
+        on_delete=models.CASCADE,
+    )
+    package = models.ForeignKey(
+        PackageV2,
+        on_delete=models.CASCADE,
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+    )
+
+    class Meta:
+        unique_together = ("impacted_package", "package")
+
+
+class ImpactedPackageFixedBy(models.Model):
+    impacted_package = models.ForeignKey(
+        ImpactedPackage,
+        on_delete=models.CASCADE,
+    )
+    package = models.ForeignKey(
+        PackageV2,
+        on_delete=models.CASCADE,
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True,
+        db_index=True,
+    )
+
+    class Meta:
+        unique_together = ("impacted_package", "package")
+
+
 class AdvisoryExploit(models.Model):
     """
     A vulnerability exploit is code used to
 
@@ -78,19 +78,16 @@ def add_exploit(self):
 
 
 def add_vulnerability_exploit(row, logger):
-    vulnerabilities = set()
-
     aliases = row["codes"].split(";") if row["codes"] else []
 
     if not aliases:
         return 0
 
-    for raw_alias in aliases:
-        try:
-            if alias := Alias.objects.get(alias=raw_alias):
-                vulnerabilities.add(alias.vulnerability)
-        except Alias.DoesNotExist:
-            continue
+    vulnerabilities = (
+        Alias.objects.filter(alias__in=aliases, vulnerability__isnull=False)
+        .values_list("vulnerability_id", flat=True)
+        .distinct()
+    )
 
     if not vulnerabilities:
         logger(f"No vulnerability found for aliases {aliases}")
@@ -104,7 +101,7 @@ def add_vulnerability_exploit(row, logger):
         add_exploit_references(row["codes"], row["source_url"], row["file"], vulnerability, logger)
         try:
             Exploit.objects.update_or_create(
-                vulnerability=vulnerability,
+                vulnerability_id=vulnerability,
                 data_source="Exploit-DB",
                 defaults={
                     "date_added": date_added,
@@ -125,7 +122,7 @@ def add_vulnerability_exploit(row, logger):
     return 1
 
 
-def add_exploit_references(ref_id, direct_url, path, vul, logger):
+def add_exploit_references(ref_id, direct_url, path, vul_id, logger):
     url_map = {
         "file_url": f"https://gitlab.com/exploit-database/exploitdb/-/blob/main/{path}",
         "direct_url": direct_url,
@@ -144,7 +141,7 @@ def add_exploit_references(ref_id, direct_url, path, vul, logger):
 
                 if created:
                     VulnerabilityRelatedReference.objects.get_or_create(
-                        vulnerability=vul,
+                        vulnerability_id=vul_id,
                         reference=ref,
                     )
 
 
@@ -71,26 +71,29 @@ def add_vulnerability_exploit(kev_vul, logger):
     if not cve_id:
         return 0
 
-    vulnerability = None
-    try:
-        if alias := Alias.objects.get(alias=cve_id):
-            vulnerability = alias.vulnerability
-    except Alias.DoesNotExist:
+    vulnerabilities = (
+        Alias.objects.filter(alias=cve_id, vulnerability__isnull=False)
+        .values_list("vulnerability", flat=True)
+        .distinct()
+    )
+
+    if not vulnerabilities:
         logger(f"No vulnerability found for aliases {cve_id}")
         return 0
 
-    Exploit.objects.update_or_create(
-        vulnerability=vulnerability,
-        data_source="KEV",
-        defaults={
-            "description": kev_vul["shortDescription"],
-            "date_added": kev_vul["dateAdded"],
-            "required_action": kev_vul["requiredAction"],
-            "due_date": kev_vul["dueDate"],
-            "notes": kev_vul["notes"],
-            "known_ransomware_campaign_use": True
-            if kev_vul["knownRansomwareCampaignUse"] == "Known"
-            else False,
-        },
-    )
+    for vulnerability in vulnerabilities:
+        Exploit.objects.update_or_create(
+            vulnerability_id=vulnerability,
+            data_source="KEV",
+            defaults={
+                "description": kev_vul["shortDescription"],
+                "date_added": kev_vul["dateAdded"],
+                "required_action": kev_vul["requiredAction"],
+                "due_date": kev_vul["dueDate"],
+                "notes": kev_vul["notes"],
+                "known_ransomware_campaign_use": True
+                if kev_vul["knownRansomwareCampaignUse"] == "Known"
+                else False,
+            },
+        )
     return 1
@@ -66,7 +66,6 @@ def add_vulnerability_exploits(self):
 
 
 def add_vulnerability_exploit(record, logger):
-    vulnerabilities = set()
     references = record.get("references", [])
 
     interesting_references = [
@@ -76,12 +75,11 @@ def add_vulnerability_exploit(record, logger):
     if not interesting_references:
         return 0
 
-    for ref in interesting_references:
-        try:
-            if alias := Alias.objects.get(alias=ref):
-                vulnerabilities.add(alias.vulnerability)
-        except Alias.DoesNotExist:
-            continue
+    vulnerabilities = (
+        Alias.objects.filter(alias__in=interesting_references, vulnerability__isnull=False)
+        .values_list("vulnerability", flat=True)
+        .distinct()
+    )
 
     if not vulnerabilities:
         logger(f"No vulnerability found for aliases {interesting_references}")
@@ -107,7 +105,7 @@ def add_vulnerability_exploit(record, logger):
 
     for vulnerability in vulnerabilities:
         Exploit.objects.update_or_create(
-            vulnerability=vulnerability,
+            vulnerability_id=vulnerability,
             data_source="Metasploit",
             defaults={
                 "description": description,