Merge branch 'main' into feat/cloudvulndb-importer

Author: Tednoob17

.github/workflows/docs.yml

@@ -5,6 +5,8 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     strategy:
       max-parallel: 4
@@ -13,10 +15,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 

.github/workflows/main.yml

@@ -2,6 +2,7 @@ name: run tests
 
 on: [push, pull_request]
 
+
 env:
   DB_NAME: vulnerablecode
   DB_USER: vulnerablecode
@@ -10,6 +11,8 @@ env:
 jobs:
   build:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     services:
       postgres:
@@ -33,10 +36,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
 

.github/workflows/pypi-release-aboutcode-federated.yml

@@ -10,12 +10,14 @@ jobs:
   build-and-publish:
     name: Build and publish library to PyPI
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.11
 
@@ -27,6 +29,6 @@ jobs:
 
       - name: Publish to PyPI
         if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
           password: ${{ secrets.PYPI_API_TOKEN_ABOUTCODE_FEDERATED }}

.github/workflows/pypi-release-aboutcode-hashid.yml

@@ -10,12 +10,14 @@ jobs:
   build-and-publish:
     name: Build and publish library to PyPI
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.11
 
@@ -27,12 +29,12 @@ jobs:
 
       - name: Publish to PyPI
         if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
           password: ${{ secrets.PYPI_API_TOKEN_ABOUTCODE_HASHID }}
 
       - name: Upload built archives
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pypi_archives
           path: dist/*

.github/workflows/pypi-release.yml

@@ -21,12 +21,14 @@ on:
 jobs:
   build-pypi-distribs:
     name: Build and publish library to PyPI
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.12
 
@@ -37,7 +39,7 @@ jobs:
         run: python -m build --sdist --wheel --outdir dist/
 
       - name: Upload built archives
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pypi_archives
           path: dist/*
@@ -47,37 +49,41 @@ jobs:
     name: Create GH release
     needs:
       - build-pypi-distribs
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: pypi_archives
           path: dist
 
       - name: Create GH release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
         with:
-          draft: true
+          draft: false
+          generate_release_notes: true
           files: dist/*
 
 
   create-pypi-release:
     name: Create PyPI release
     needs:
       - create-gh-release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    environment: pypi-publish
+    permissions:
+      id-token: write
 
     steps:
       - name: Download built archives
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: pypi_archives
           path: dist
 
       - name: Publish to PyPI
-        if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@master
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
         with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          verbose: true

.github/workflows/test-import-using-nix.yml

@@ -7,12 +7,14 @@ on:
 jobs:
   nix-check-and-import:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
-      - uses: cachix/install-nix-action@v11
+      - uses: cachix/install-nix-action@95a8068e317b8def9482980abe762f36c77ccc99 # v11
         env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: true
         with:

.github/workflows/upstream_test.yml

@@ -7,13 +7,15 @@ on:
 jobs:
   unit_tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Python 3.8.11
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.8.11
 

CHANGELOG.rst

@@ -1,6 +1,51 @@
 Release notes
 =============
 
+next release
+---------------------
+
+- WARNING: Vulnerablecode V1 API and UI has stopped supporting Ubuntu OVAL advisories, please shift to V3 API for new Ubuntu advisories. 
+
+Version v38.6.0
+---------------------
+
+- fix: add missing clean_downloads step for alpine_linux v2 importer (https://github.com/aboutcode-org/vulnerablecode/pull/2282)
+- fix: fix AdvisoryDataV2 deserialization and validate version ranges correctly (https://github.com/aboutcode-org/vulnerablecode/pull/2285)
+- fix: ignore conflicts while bulk creating v2 packages (https://github.com/aboutcode-org/vulnerablecode/pull/2289)
+- fix: use shared cache backend across WSGI workers (https://github.com/aboutcode-org/vulnerablecode/pull/2290)
+- fix: delete AdvisorySet associated with malformed aliases (https://github.com/aboutcode-org/vulnerablecode/pull/2291)
+
+
+Version v38.5.0
+---------------------
+
+- fix: Make package_url field unique for PackageV2
+
+Version v38.4.0
+---------------------
+
+- fix: run pipeline scheduling jobs in respective queues (https://github.com/aboutcode-org/vulnerablecode/pull/2263)
+- feat: show queue load factors on the pipeline dashboard (https://github.com/aboutcode-org/vulnerablecode/pull/2264)
+
+Version v38.3.0
+---------------------
+
+- feat: add high priority queue and run version range unfurling pipeline more frequently (https://github.com/aboutcode-org/vulnerablecode/pull/2256)
+
+Version v38.1.0
+---------------------
+
+- Throttle UI to 15 requests per minute to avoid abuse and improve performance.
+- Handle errors in unfurl_version_range pipeline.
+- Remove Todo pipeline from v1 pipelines.
+- Add openAPI documentation for Package and Advisory viewset.
+
+Version v38.0.0
+---------------------
+
+- This is a major version, we have changed our V3 API, refer to ``api_v3_usage.rst`` for details.
+- We have started grouping advisories which have aliases or identifiers in common and also affect same set of packages together.
+
 Version v37.0.0
 ---------------------
 

Makefile

@@ -63,7 +63,7 @@ conf: virtualenv
 
 dev: virtualenv
 	@echo "-> Configure and install development dependencies"
-	@${ACTIVATE} pip install -e .[dev] -c requirements.txt
+	@${ACTIVATE} pip install -e .[dev] -c requirements-dev.txt
 
 envfile:
 	@echo "-> Create the .env file and generate a secret key"
@@ -121,11 +121,11 @@ sqlite:
 	@$(MAKE) migrate
 
 run:
-	${MANAGE} runserver 8001 --insecure
+	DJANGO_RUNSERVER_HIDE_WARNING=true ${MANAGE} runserver 8001 --insecure
 
 test:
 	@echo "-> Run the test suite"
-	${ACTIVATE} ${PYTHON_EXE} -m pytest -vvs -m "not webtest"
+	${ACTIVATE} ${PYTHON_EXE} -m pytest -vvs -m "not webtest" --disable-warnings
 
 webtest:
 	@echo "-> Run web tests"

PIPELINES-AVID.rst

@@ -55,7 +55,7 @@
    * - project-kb-statements_v2
      - Vulnerability ID of the record
    * - pypa_importer_v2
-     - ID of the OSV record
+     - {package_name}/{ID of the OSV record}
    * - pysec_importer_v2
      - ID of the OSV record
    * - redhat_importer_v2