feat: detect advisory conflicts at package alias intersections and compute partially curated advisories

setup.cfg

@@ -98,10 +98,12 @@ install_requires =
     django-rq==2.10.1
     rq-scheduler==0.13.1
 
+    # redhat pipeline
+    extractcode[full]==31.0.0
+
     #vulntotal
     python-dotenv==0.20.0
     texttable==1.6.4
-    extractcode[full]==31.0.0
 
     #hashid
     uritemplate==4.2.0

vulnerabilities/importers/__init__.py

@@ -32,6 +32,7 @@
 from vulnerabilities.importers import ubuntu_usn
 from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.pipelines import alpine_linux_importer
 from vulnerabilities.pipelines import github_importer
 from vulnerabilities.pipelines import gitlab_importer
@@ -189,3 +190,9 @@
         collect_fix_commits_v2.CollectGitlabFixCommitsPipeline,
     ]
 )
+
+TODO_EXCLUDED_PIPELINES = [
+    key
+    for key, value in IMPORTERS_REGISTRY.items()
+    if issubclass(value, VulnerableCodeBaseImporterPipelineV2) and value.exclude_from_package_todo
+]

vulnerabilities/improvers/__init__.py

@@ -19,6 +19,7 @@
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
 from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees
+from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
 from vulnerabilities.pipelines.v2_improvers import (
     computer_package_version_rank as compute_version_rank_v2,
@@ -72,5 +73,6 @@
         collect_ssvc_trees.CollectSSVCPipeline,
         relate_severities.RelateSeveritiesPipeline,
         group_advisories_for_packages.GroupAdvisoriesForPackages,
+        compute_advisory_todo_v2.ComputeToDo,
     ]
 )

vulnerabilities/migrations/0124_advisorytodov2_todorelatedadvisoryv2_and_more.py

@@ -0,0 +1,177 @@
+# Generated by Django 5.2.11 on 2026-04-27 03:35
+
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0123_alter_packagev2_options_alter_packagev2_package_url_and_more"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="AdvisoryToDoV2",
+        ),
+        migrations.DeleteModel(
+            name="ToDoRelatedAdvisoryV2",
+        ),
+        migrations.CreateModel(
+            name="AdvisoryToDoV2",
+            fields=[
+                (
+                    "todo_id",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "related_advisories_id",
+                    models.CharField(
+                        help_text="SHA1 digest of the unique_content_id field of the applicable advisories.",
+                        max_length=40,
+                    ),
+                ),
+                (
+                    "alias",
+                    models.CharField(
+                        db_index=True,
+                        help_text="Alias associated with TODO advisories",
+                        max_length=50,
+                    ),
+                ),
+                (
+                    "advisories_count",
+                    models.IntegerField(
+                        db_index=True,
+                        default=1,
+                        help_text="Number of advisory associated with this TODO.",
+                    ),
+                ),
+                (
+                    "issue_type",
+                    models.CharField(
+                        choices=[
+                            ("MISSING_AFFECTED_PACKAGE", "Advisory is missing affected package"),
+                            ("MISSING_FIXED_BY_PACKAGE", "Advisory is missing fixed-by package"),
+                            (
+                                "MISSING_AFFECTED_AND_FIXED_BY_PACKAGES",
+                                "Advisory is missing both affected and fixed-by packages",
+                            ),
+                            ("MISSING_SUMMARY", "Advisory is missing summary"),
+                            (
+                                "CONFLICTING_FIXED_BY_PACKAGES",
+                                "Advisories have conflicting fixed-by packages",
+                            ),
+                            (
+                                "CONFLICTING_AFFECTED_PACKAGES",
+                                "Advisories have conflicting affected packages",
+                            ),
+                            (
+                                "CONFLICTING_AFFECTED_AND_FIXED_BY_PACKAGES",
+                                "Advisories have conflicting affected and fixed-by packages",
+                            ),
+                            (
+                                "CONFLICTING_SEVERITY_SCORES",
+                                "Advisories have conflicting severity scores",
+                            ),
+                        ],
+                        db_index=True,
+                        help_text="Select the issue that needs to be addressed from the available options.",
+                        max_length=50,
+                    ),
+                ),
+                (
+                    "issue_detail",
+                    models.TextField(blank=True, help_text="Additional details about the issue."),
+                ),
+                (
+                    "created_at",
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        help_text="Timestamp indicating when this TODO was created.",
+                    ),
+                ),
+                (
+                    "is_resolved",
+                    models.BooleanField(
+                        db_index=True, default=False, help_text="This TODO is resolved or not."
+                    ),
+                ),
+                (
+                    "resolved_at",
+                    models.DateTimeField(
+                        blank=True,
+                        help_text="Timestamp indicating when this TODO was resolved.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "resolution_detail",
+                    models.TextField(
+                        blank=True, help_text="Additional detail on how this TODO was resolved."
+                    ),
+                ),
+                (
+                    "oldest_advisory_date",
+                    models.DateTimeField(
+                        blank=True,
+                        db_index=True,
+                        help_text="Timestamp indicating when the oldest advisory was published, used for triaging TODOs.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "is_todo_stale",
+                    models.BooleanField(
+                        db_index=True,
+                        default=False,
+                        help_text="TODOs are marked stale if associate advisory is no longer the latest version of the advisory.",
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name="ToDoRelatedAdvisoryV2",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "advisory",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="vulnerabilities.advisoryv2"
+                    ),
+                ),
+                (
+                    "todo",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="vulnerabilities.advisorytodov2",
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("todo", "advisory")},
+            },
+        ),
+        migrations.AddField(
+            model_name="advisorytodov2",
+            name="advisories",
+            field=models.ManyToManyField(
+                help_text="Advisory/ies where this TODO is applicable.",
+                related_name="advisory_todos",
+                through="vulnerabilities.ToDoRelatedAdvisoryV2",
+                to="vulnerabilities.advisoryv2",
+            ),
+        ),
+        migrations.AlterUniqueTogether(
+            name="advisorytodov2",
+            unique_together={("related_advisories_id", "issue_type")},
+        ),
+    ]

vulnerabilities/models.py

@@ -2521,9 +2521,21 @@ class Meta:
         unique_together = ("related_advisories_id", "issue_type")
 
 
+class AdvisoryToDoV2QuerySet(models.QuerySet):
+
+    def exclude_stale(self):
+        return self.exclude(is_todo_stale=True)
+
+
 class AdvisoryToDoV2(models.Model):
     """Track the TODOs for advisory/ies that need to be addressed."""
 
+    todo_id = models.UUIDField(
+        primary_key=True,
+        default=uuid.uuid4,
+        editable=False,
+    )
+
     # Since we can not make advisories field (M2M field) unique
     # (see https://code.djangoproject.com/ticket/702), we use related_advisories_id
     # to avoid creating duplicate issue for same set of advisories,
@@ -2539,6 +2551,20 @@ class AdvisoryToDoV2(models.Model):
         help_text="Advisory/ies where this TODO is applicable.",
     )
 
+    alias = models.CharField(
+        max_length=50,
+        db_index=True,
+        blank=False,
+        null=False,
+        help_text="Alias associated with TODO advisories",
+    )
+
+    advisories_count = models.IntegerField(
+        help_text="Number of advisory associated with this TODO.",
+        default=1,
+        db_index=True,
+    )
+
     issue_type = models.CharField(
         max_length=50,
         choices=ISSUE_TYPE_CHOICES,
@@ -2573,6 +2599,22 @@ class AdvisoryToDoV2(models.Model):
         help_text="Additional detail on how this TODO was resolved.",
     )
 
+    oldest_advisory_date = models.DateTimeField(
+        null=True,
+        blank=True,
+        db_index=True,
+        help_text="Timestamp indicating when the oldest advisory was published, used for triaging TODOs.",
+    )
+
+    is_todo_stale = models.BooleanField(
+        null=False,
+        db_index=True,
+        default=False,
+        help_text="TODOs are marked stale if associate advisory is no longer the latest version of the advisory.",
+    )
+
+    objects = AdvisoryToDoV2QuerySet.as_manager()
+
     class Meta:
         unique_together = ("related_advisories_id", "issue_type")
 
@@ -2958,6 +3000,12 @@ def latest_advisories_for_purl(self, purl):
         qs = self.filter(id__in=Subquery(adv_ids))
         return qs.latest_per_avid()
 
+    def todo_excluded(self):
+        """Exclude advisory ineligible for ToDo computation."""
+        from vulnerabilities.importers import TODO_EXCLUDED_PIPELINES
+
+        return self.exclude(datasource_id__in=TODO_EXCLUDED_PIPELINES)
+
 
 class AdvisorySet(models.Model):
 

vulnerabilities/pipelines/__init__.py

@@ -278,6 +278,11 @@ class VulnerableCodeBaseImporterPipelineV2(VulnerableCodePipeline):
     ignorable_versions = []
     precedence = 0
 
+    # Set this to True if computing fixed/affected package ToDo is not fruitful for this source.
+    # An example of such advisory would be pipeline dedicated to collecting issues,
+    # pull requests, commit messages, EPSS, exploits, etc.
+    exclude_from_package_todo = False
+
     # Control how often progress log is shown (range: 1–100, higher value = less frequent log)
     progress_step = 10
 

vulnerabilities/pipelines/v2_importers/__init__.py

@@ -0,0 +1,8 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#

vulnerabilities/pipelines/v2_importers/aosp_importer.py

@@ -32,6 +32,7 @@ class AospImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://github.com/quarkslab/aosp_dataset/blob/master/LICENSE"
 
     precedence = 200
+    exclude_from_package_todo = True
 
     @classmethod
     def steps(cls):

vulnerabilities/pipelines/v2_importers/epss_importer_v2.py

@@ -30,6 +30,8 @@ class EPSSImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     spdx_license_expression = "unknown"
     importer_name = "EPSS Importer"
 
+    exclude_from_package_todo = True
+
     precedence = 200
 
     def advisories_count(self):

vulnerabilities/pipelines/v2_importers/nvd_importer.py

@@ -71,6 +71,8 @@ class NVDImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
         MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
     """
 
+    exclude_from_package_todo = True
+
     precedence = 100
 
     @classmethod

vulnerabilities/pipelines/v2_importers/project_kb_msr2019_importer.py

@@ -30,6 +30,8 @@ class ProjectKBMSR2019Pipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://github.com/SAP/project-kb/blob/main/LICENSE.txt"
     repo_url = "git+https://github.com/SAP/project-kb"
 
+    exclude_from_package_todo = True
+
     precedence = 200
 
     @classmethod

vulnerabilities/pipelines/v2_importers/project_kb_statements_importer.py

@@ -37,6 +37,8 @@ class ProjectKBStatementsPipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://github.com/SAP/project-kb/blob/main/LICENSE.txt"
     repo_url = "git+https://github.com/SAP/project-kb@vulnerability-data"
 
+    exclude_from_package_todo = True
+
     precedence = 200
 
     @classmethod

vulnerabilities/pipelines/v2_importers/suse_score_importer.py

@@ -23,6 +23,8 @@ class SUSESeverityScoreImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     pipeline_id = "suse_importer_v2"
     url = "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"
 
+    exclude_from_package_todo = True
+
     @classmethod
     def steps(cls):
         return (