wip

keshav-space · keshav-space · commit 1d4462d1d32d · 2026-06-26T19:04:41.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/vulnerabilities/migrations/0134_fix_osv_cvss_v3.py b/vulnerabilities/migrations/0134_fix_osv_cvss_v3.py
@@ -0,0 +1,25 @@
+# Generated by Django 5.2.11 on 2026-06-26 11:14
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0133_alter_advisorytodov2_issue_detail"),
+    ]
+
+    def update_cvss_scoring_system(apps, schema_editor):
+        AdvisorySeverity = apps.get_model("vulnerabilities", "AdvisorySeverity")
+
+        AdvisorySeverity.objects.filter(
+            scoring_system="cvssv3.1",
+            scoring_elements__startswith="CVSS:3.0/",
+        ).update(scoring_system="cvssv3")
+
+    operations = [
+        migrations.RunPython(
+            update_cvss_scoring_system,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
diff --git a/vulnerabilities/pipelines/v2_improvers/compute_advisory_todo.py b/vulnerabilities/pipelines/v2_improvers/compute_advisory_todo.py
@@ -8,7 +8,6 @@
 #
 
 
-import json
 from collections import Counter
 from collections import defaultdict
 from itertools import chain
@@ -28,8 +27,6 @@
 from vulnerabilities.models import ToDoRelatedAdvisoryV2
 from vulnerabilities.pipelines import VulnerableCodePipeline
 from vulnerabilities.pipes.advisory import advisories_checksum
-from vulnerabilities.severity_systems import CVSS4
-from vulnerabilities.severity_systems import CVSSV3
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
 from vulnerabilities.utils import canonical_value
 from vulnerabilities.utils import normalize_text
@@ -425,90 +422,6 @@ def detect_conflicting_cvss_scores(self):
             total_count_conflicting_advisory += count_conflicting_advisory
             total_successfully_compared_advisory_count += initial_advisory_group_size
 
-            # adv_by_cvss = {
-            #     "cvssv4": {},
-            #     "cvssv3": {},
-            #     "cvssv3.1": {},
-            # }
-            # cvss_version = {
-            #     "cvssv4": "4.0",
-            #     "cvssv3": "3.0",
-            #     "cvssv3.1": "3.1",
-            # }
-            # for v_type in ["cvssv4"]:
-            #     for avid, value in comparable_adv_map.items():
-            #         if value[v_type]:
-            #             adv_by_cvss[v_type][avid] = value
-
-            # all_conflict_items = []
-            # conflicting_advisories = []
-            # for v_type, item in adv_by_cvss.items():
-            #     if len(item) < 2:
-            #         continue
-            #     result = compute_cvss_disagreement(item, v_type)
-            #     if not result or result["purl_disagreement"]:
-            #         continue
-
-            #     if not result["cvssv_disagreement"]:
-            #         continue
-
-            #     consensus_metrics = {}
-            #     vectors = [
-            #         adv_by_cvss_value[f"{v_type}_vector"] for adv_by_cvss_value in item.values()
-            #     ]
-            #     if len(vectors) == len(item):
-            #         if v_type == "cvssv4":
-            #             consensus_metrics = consensus_cvss3_metric(vectors)
-            #         else:
-            #             consensus_metrics = consensus_cvss4_metric(vector)
-
-            #     conflicting_advisories.extend([advisory_avid_map[avid] for avid in item])
-            #     conflict_item = {
-            #         # fix me
-            #         "cvss": cvss_version[v_type],
-            #         "partial_cvss_curation": consensus_metrics,
-            #         "advisories": [advisory_curation_item_map[avid][v_type] for avid in item],
-            #     }
-            #     all_conflict_items.append(conflict_item)
-
-            # if not all_conflict_items:
-            #     continue
-
-            # issue_detail = {
-            #     "alias": alias.alias,
-            #     # "conflict_checksum": conflict_checksum,
-            #     # "conflict_details": conflicting_package_details,
-            #     # "partial_curation_advisory": partial_merged_advisory,
-            #     "curation_items": all_conflict_items,
-            # }
-
-            # todo_id = advisories_checksum(conflicting_advisories)
-
-            # if todo_id in existing_todo_ids:
-            #     continue
-
-            # existing_todo_ids.add(todo_id)
-            # conflicting_advisories_count = len(conflicting_advisories)
-
-            # date_published = min(
-            #     (a.date_published for a in conflicting_advisories if a.date_published),
-            #     default=None,
-            # )
-            # date_collected = min(
-            #     (a.date_collected for a in conflicting_advisories if a.date_collected),
-            #     default=None,
-            # )
-            # todo = AdvisoryToDoV2(
-            #     related_advisories_id=todo_id,
-            #     issue_type="CONFLICTING_SEVERITY_SCORES",
-            #     issue_detail=issue_detail,
-            #     alias=alias,
-            #     advisories_count=conflicting_advisories_count,
-            #     oldest_advisory_date=date_published or date_collected,
-            # )
-            # todo_to_create.append(todo)
-            # advisory_relation_to_create[todo_id] = conflicting_advisories
-
             if len(todo_to_create) > batch_size:
                 new_todos_count += bulk_create_with_m2m(
                     todos=todo_to_create,
@@ -643,13 +556,13 @@ def get_grouped_advisory_curation(advisory_curation_item_map, cvss_type, advisor
         vector = advisory_curation_item_map[avid][cvss_type]["vector_string"] or str(count)
         vector_group[vector].append((avid, advisories[avid].precedence))
 
-    for avids in vector_group.values():
-        sorted_avids = [x[0] for x in sorted(avids, key=lambda x: x[1], reverse=True)]
+    for avid_precedence in vector_group.values():
+        sorted_avids = [x[0] for x in sorted(avid_precedence, key=lambda x: x[1], reverse=True)]
         primary_avid = sorted_avids[0]
         curation_items.append(
             {
                 "primary": advisory_curation_item_map[primary_avid][cvss_type],
-                "secondaries": [advisory_curation_item_map[a][cvss_type] for a in avids[1:]],
+                "secondaries": [advisory_curation_item_map[a][cvss_type] for a in sorted_avids[1:]],
             }
         )
 
diff --git a/vulnerabilities/pipes/osv_v2.py b/vulnerabilities/pipes/osv_v2.py
@@ -269,9 +269,12 @@ def get_severities(raw_data, url) -> Iterable[VulnerabilitySeverity]:
                 continue
 
             severity_type = OSV_TO_VCIO_SEVERITY_MAP.get(severity_type, severity_type)
-            system = SCORING_SYSTEMS[severity_type]
 
-            if severity_type in ["cvssv3.1", "cvssv4"]:
+            if value.lower().startswith("cvss:3.0/"):
+                severity_type = "cvssv3"
+
+            system = SCORING_SYSTEMS[severity_type]
+            if severity_type in ["cvssv3", "cvssv3.1", "cvssv4"]:
                 scoring_element = value
                 valid_vector = value[:-1] if value and value.endswith("/") else value
                 value = system.compute(valid_vector)
diff --git a/vulnerabilities/templates/cvss_curation.html b/vulnerabilities/templates/cvss_curation.html
@@ -352,7 +352,7 @@ <h4 class="title is-4 mb-1" id="current-cvss"></h4>
             const header = document.getElementById('table-header');
             
             header.innerHTML = `
-                <th class="has-text-weight-bold has-text-centered pt-4 is-size-6">CVSS ${item.cvss} Metric</th>
+                <th class="has-text-weight-bold has-text-centered pt-4 is-size-6">CVSS ${item.cvss} Metrics</th>
                 <th style="width: 140px;" class="has-text-centered">
                 <div>
                     <div>
