Add pipeline to collect SSVC Trees

TG1999 · TG1999 · commit 0c4ebfeb79e9 · 2025-12-15T20:48:53.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/api_v2.py b/vulnerabilities/api_v2.py
@@ -146,6 +146,18 @@ class AdvisoryV2Serializer(serializers.ModelSerializer):
     references = AdvisoryReferenceSerializer(many=True)
     severities = AdvisorySeveritySerializer(many=True)
     advisory_id = serializers.CharField(source="avid", read_only=True)
+    ssvc_trees = serializers.SerializerMethodField()
+
+    def get_ssvc_trees(self, obj):
+        ssvc_trees = obj.ssvc_entries.all()
+        return [
+            {
+                "vector": ssvc.vector,
+                "decision": ssvc.decision,
+                "options": ssvc.options,
+            }
+            for ssvc in ssvc_trees
+        ]
 
     class Meta:
         model = AdvisoryV2
@@ -160,6 +172,7 @@ class Meta:
             "exploitability",
             "weighted_severity",
             "risk_score",
+            "ssvc_trees",
         ]
 
     def get_aliases(self, obj):
@@ -1033,13 +1046,13 @@ def list(self, request, *args, **kwargs):
             return self.get_paginated_response({"advisories": advisory_data, "packages": data})
 
         # If pagination is not applied, collect vulnerabilities for all packages
-        for package in queryset:
+        for package in filtered_queryset:
             advisories.update({impact.advisory for impact in package.affected_in_impacts.all()})
             advisories.update({impact.advisory for impact in package.fixed_in_impacts.all()})
 
         advisory_data = {f"{adv.avid}": AdvisoryV2Serializer(adv).data for adv in advisories}
 
-        serializer = self.get_serializer(queryset, many=True)
+        serializer = self.get_serializer(filtered_queryset, many=True)
         data = serializer.data
         return Response({"advisories": advisory_data, "packages": data})
 
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
@@ -19,6 +19,7 @@
 from vulnerabilities.pipelines import flag_ghost_packages
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
+from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees
 from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
 from vulnerabilities.pipelines.v2_improvers import (
@@ -70,5 +71,6 @@
         compute_advisory_todo_v2.ComputeToDo,
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
+        collect_ssvc_trees.CollectSSVCPipeline,
     ]
 )
diff --git a/vulnerabilities/migrations/0104_ssvc.py b/vulnerabilities/migrations/0104_ssvc.py
@@ -1,4 +1,4 @@
-# Generated by Django 4.2.25 on 2025-11-26 13:31
+# Generated by Django 4.2.25 on 2025-12-15 15:15
 
 from django.db import migrations, models
 import django.db.models.deletion
@@ -35,17 +35,25 @@ class Migration(migrations.Migration):
                     models.CharField(help_text="The decision string for the SSVC.", max_length=255),
                 ),
                 (
-                    "advisory",
+                    "related_advisories",
+                    models.ManyToManyField(
+                        help_text="Advisories associated with this SSVC.",
+                        related_name="related_ssvcs",
+                        to="vulnerabilities.advisoryv2",
+                    ),
+                ),
+                (
+                    "source_advisory",
                     models.ForeignKey(
-                        help_text="The advisory associated with this SSVC.",
+                        help_text="The advisory that was used to generate this SSVC decision.",
                         on_delete=django.db.models.deletion.CASCADE,
-                        related_name="ssvc_entries",
+                        related_name="source_ssvcs",
                         to="vulnerabilities.advisoryv2",
                     ),
                 ),
             ],
             options={
-                "unique_together": {("vector", "advisory", "decision")},
+                "unique_together": {("vector", "source_advisory")},
             },
         ),
     ]
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -3419,16 +3419,21 @@ class Meta:
 class SSVC(models.Model):
     vector = models.CharField(max_length=255, help_text="The vector string representing the SSVC.")
     options = models.JSONField(help_text="A JSON object containing the SSVC options.")
-    advisory = models.ForeignKey(
+    decision = models.CharField(max_length=255, help_text="The decision string for the SSVC.")
+    related_advisories = models.ManyToManyField(
+        AdvisoryV2,
+        related_name="related_ssvcs",
+        help_text="Advisories associated with this SSVC.",
+    )
+    source_advisory = models.ForeignKey(
         AdvisoryV2,
         on_delete=models.CASCADE,
-        related_name="ssvc_entries",
-        help_text="The advisory associated with this SSVC.",
+        related_name="source_ssvcs",
+        help_text="The advisory that was used to generate this SSVC decision.",
     )
-    decision = models.CharField(max_length=255, help_text="The decision string for the SSVC.")
 
     def __str__(self):
-        return f"SSVC for Advisory {self.advisory.advisory_id}: {self.decision}"
+        return f"SSVC Decision: {self.vector} -> {self.decision}"
 
     class Meta:
-        unique_together = ("vector", "advisory", "decision")
+        unique_together = ("vector", "source_advisory")
diff --git a/vulnerabilities/pipelines/v2_improvers/collect_ssvc_trees.py b/vulnerabilities/pipelines/v2_improvers/collect_ssvc_trees.py
@@ -1,15 +1,20 @@
-import json
-import logging
-from pathlib import Path
-from typing import Iterable, List
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
 
-from fetchcode.vcs import fetch_via_vcs
+import logging
 
-from vulnerabilities.importer import AdvisoryData
-from vulnerabilities.models import SSVC, AdvisoryV2
+from django.db.models import Q
+from vulnerabilities.models import SSVC
+from vulnerabilities.models import AdvisoryV2
 from vulnerabilities.pipelines import VulnerableCodePipeline
+from vulnerabilities.pipelines.v2_importers.vulnrichment_importer import VulnrichImporterPipeline
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
-from vulnerabilities.utils import ssvc_calculator
 
 logger = logging.getLogger(__name__)
 
@@ -21,92 +26,97 @@ class CollectSSVCPipeline(VulnerableCodePipeline):
     This pipeline collects SSVC from Vulnrichment project and associates them with existing advisories.
     """
 
-    pipeline_id = "collect_ssvc"
+    pipeline_id = "collect_ssvc_tree_v2"
     spdx_license_expression = "CC0-1.0"
-    license_url = "https://github.com/cisagov/vulnrichment/blob/develop/LICENSE"
-    repo_url = "git+https://github.com/cisagov/vulnrichment.git"
 
     @classmethod
     def steps(cls):
         return (
-            cls.clone,
             cls.collect_ssvc_data,
-            cls.clean_downloads,
         )
 
-    def clone(self):
-        self.log(f"Cloning `{self.repo_url}`")
-        self.vcs_response = fetch_via_vcs(self.repo_url)
-
     def collect_ssvc_data(self):
-        self.log(self.vcs_response.dest_dir)
-        base_path = Path(self.vcs_response.dest_dir)
-        for file_path in base_path.glob("**/**/*.json"):
-            self.log(f"Processing file: {file_path}")
-            if not file_path.name.startswith("CVE-"):
-                continue
-            with open(file_path) as f:
-                raw_data = json.load(f)
-            file_name = file_path.name
-            # strip .json from file name
-            cve_id = file_name[:-5]
-            advisories = list(AdvisoryV2.objects.filter(advisory_id=cve_id))
-            if not advisories:
-                self.log(f"No advisories found for CVE ID: {cve_id}")
-                continue
-            self.parse_cve_advisory(raw_data, advisories)
-
-    def parse_cve_advisory(self, raw_data, advisories: List[AdvisoryV2]):
-        self.log(f"Processing CVE data")
-        cve_metadata = raw_data.get("cveMetadata", {})
-        cve_id = cve_metadata.get("cveId")
-
-        containers = raw_data.get("containers", {})
-        adp_data = containers.get("adp", {})
-        self.log(f"Processing ADP")
-
-        metrics = [
-            adp_metrics for data in adp_data for adp_metrics in data.get("metrics", [])
-        ]
-
-        vulnrichment_scoring_system = {
-            "other": {
-                "ssvc": SCORING_SYSTEMS["ssvc"],
-            },  # ignore kev
-        }
-
-        for metric in metrics:
-            self.log(metric)
-            self.log(f"Processing metric")
-            for metric_type, metric_value in metric.items():
-                if metric_type not in vulnrichment_scoring_system:
-                    continue
-
-                if metric_type == "other":
-                    other_types = metric_value.get("type")
-                    self.log(f"Processing SSVC")
-                    if other_types == "ssvc":
-                        content = metric_value.get("content", {})
-                        options = content.get("options", {})
-                        vector_string, decision = ssvc_calculator(content)
-                        advisories = list(AdvisoryV2.objects.filter(advisory_id=cve_id))
-                        if not advisories:
-                            continue
-                        ssvc_trees = []
-                        for advisory in advisories:
-                            obj = SSVC(
-                                advisory=advisory,
-                                options=options,
-                                decision=decision,
-                                vector=vector_string,  
-                            )
-                            ssvc_trees.append(obj)
-                        SSVC.objects.bulk_create(ssvc_trees, ignore_conflicts=True, batch_size=1000)
-
-    def clean_downloads(self):
-        if self.vcs_response:
-            self.log("Removing cloned repository")
-            self.vcs_response.delete()
-
-    def on_failure(self):
-        self.clean_downloads()
+        vulnrichment_advisories = AdvisoryV2.objects.filter(
+            datasource_id=VulnrichImporterPipeline.pipeline_id,
+        )
+        for advisory in vulnrichment_advisories:
+            severities = advisory.severities.filter(scoring_system=SCORING_SYSTEMS["ssvc"])
+            for severity in severities:
+                ssvc_vector = severity.scoring_elements
+                try:
+                    ssvc_tree, decision = convert_vector_to_tree_and_decision(ssvc_vector)
+                    self.log(f"Advisory: {advisory.advisory_id}, SSVC Tree: {ssvc_tree}, Decision: {decision}, vector: {ssvc_vector}")
+                    ssvc_obj, _ = SSVC.objects.get_or_create(
+                        source_advisory=advisory,
+                        defaults={
+                            "options": ssvc_tree,
+                            "decision": decision,
+                        },
+                    )
+                    # All advisories that have advisory.advisory_id in their aliases or advisory_id same as advisory.advisory_id
+                    related_advisories = AdvisoryV2.objects.filter(
+                        Q(advisory_id=advisory.advisory_id) |
+                        Q(aliases__alias=advisory.advisory_id)
+                    ).distinct()
+                    # remove the current advisory from related advisories
+                    related_advisories = related_advisories.exclude(id=advisory.id)
+                    ssvc_obj.related_advisories.set(related_advisories)
+                except ValueError as e:
+                    logger.error(f"Failed to parse SSVC vector '{ssvc_vector}' for advisory '{advisory}': {e}")
+
+REVERSE_POINTS = {
+    "E": ("Exploitation", {"N": "none", "P": "poc", "A": "active"}),
+    "A": ("Automatable", {"N": "no", "Y": "yes"}),
+    "T": ("Technical Impact", {"P": "partial", "T": "total"}),
+    "P": ("Mission Prevalence", {"M": "minimal", "S": "support", "E": "essential"}),
+    "B": ("Public Well-being Impact", {"M": "minimal", "A": "material", "I": "irreversible"}),
+    "M": ("Mission & Well-being", {"L": "low", "M": "medium", "H": "high"}),
+}
+
+REVERSE_DECISION = {
+    "T": "Track",
+    "R": "Track*",
+    "A": "Attend",
+    "C": "Act",
+}
+
+VECTOR_ORDER = ["E", "A", "T", "P", "B", "M"]
+
+def convert_vector_to_tree_and_decision(vector: str):
+    """
+    Convert a given SSVC vector string into a structured tree and decision.
+
+    Args:
+        vector (str): The SSVC vector string.
+
+    Returns:
+        tuple: A tuple containing the SSVC tree (dict) and decision (str).
+    """
+    if not vector.startswith("SSVCv2/"):
+        raise ValueError("Invalid SSVC vector")
+
+    parts = [p for p in vector.replace("SSVCv2/", "").split("/") if p]
+
+    options = []
+    decision = None
+
+    for part in parts:
+        if ":" not in part:
+            continue
+
+        key, value = part.split(":", 1)
+
+        if key == "D":
+            decision = REVERSE_DECISION.get(value)
+            continue
+
+        if key in REVERSE_POINTS:
+            name, mapping = REVERSE_POINTS[key]
+            options.append({name: mapping[value]})
+
+    # Preserve canonical SSVC order
+    options.sort(key=lambda o: VECTOR_ORDER.index(
+        next(k for k, _ in REVERSE_POINTS.values() if k == next(iter(o)))
+    ) if False else 0)
+
+    return options, decision

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`from vulnerabilities.pipelines import flag_ghost_packages`
`20`	`20`	`from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline`
`21`	`21`	`from vulnerabilities.pipelines import remove_duplicate_advisories`
	`22`	`+from vulnerabilities.pipelines.v2_improvers import collect_ssvc_trees`
`22`	`23`	`from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2`
`23`	`24`	`from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2`
`24`	`25`	`from vulnerabilities.pipelines.v2_improvers import (`
`@@ -70,5 +71,6 @@`
`70`	`71`	`compute_advisory_todo_v2.ComputeToDo,`
`71`	`72`	`unfurl_version_range_v2.UnfurlVersionRangePipeline,`
`72`	`73`	`compute_advisory_todo.ComputeToDo,`
	`74`	`+ collect_ssvc_trees.CollectSSVCPipeline,`
`73`	`75`	`]`
`74`	`76`	`)`