Enhance code-commit collection capabilities for VCIO.

Update the model to include Patch and PackageCommitPatch.

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/importer.py

@@ -204,6 +204,7 @@ class PackageCommitPatchData:
     vcs_url: str
     commit_hash: str
     patch_text: Optional[str] = None
+    patch_url: Optional[str] = None
 
     def __post_init__(self):
         if not self.commit_hash:
@@ -226,6 +227,7 @@ def _cmp_key(self):
             self.vcs_url,
             self.commit_hash,
             self.patch_text,
+            self.patch_url,
         )
 
     def to_dict(self) -> dict:
@@ -234,6 +236,7 @@ def to_dict(self) -> dict:
             "vcs_url": self.vcs_url,
             "commit_hash": self.commit_hash,
             "patch_text": self.patch_text,
+            "patch_url": self.patch_url,
         }
 
     @classmethod
@@ -243,6 +246,7 @@ def from_dict(cls, data: dict):
             vcs_url=data.get("vcs_url"),
             commit_hash=data.get("commit_hash"),
             patch_text=data.get("patch_text"),
+            patch_url=data.get("patch_url"),
         )
 
 
@@ -251,13 +255,22 @@ def from_dict(cls, data: dict):
 class PatchData:
     patch_url: Optional[str] = None
     patch_text: Optional[str] = None
+    patch_checksum: Optional[str] = dataclasses.field(init=False, default=None)
     vcs_url: Optional[str] = None
     commit_hash: Optional[str] = None
-    patch_checksum: Optional[str] = None
 
     def __post_init__(self):
-        if not self.vcs_url and not self.patch_text and not self.patch_url:
-            raise ValueError("A patch must include patch_url, patch_text, or vcs_url")
+        if not (self.patch_url or self.patch_text or self.vcs_url):
+            raise ValueError("A patch must include either patch_url or patch_text or vcs_url")
+
+        if self.vcs_url and not self.commit_hash:
+            raise ValueError("If vcs_url is provided, commit_hash is required")
+
+        if self.commit_hash and not self.vcs_url:
+            raise ValueError("commit_hash requires vcs_url")
+
+        if self.patch_text:
+            self.patch_checksum = hashlib.sha512(self.patch_text.encode()).hexdigest()
 
     def __lt__(self, other):
         if not isinstance(other, PatchData):
@@ -266,20 +279,21 @@ def __lt__(self, other):
 
     def _cmp_key(self):
         return (
-            self.vcs_url,
-            self.commit_hash,
+            self.patch_url,
             self.patch_text,
+            self.commit_hash,
+            self.vcs_url,
             self.patch_checksum,
         )
 
     def to_dict(self) -> dict:
         """Return a normalized dictionary representation of the commit."""
         return {
             "patch_url": self.patch_url,
-            "vcs_url": self.vcs_url,
-            "commit_hash": self.commit_hash,
             "patch_text": self.patch_text,
             "patch_checksum": self.patch_checksum,
+            "vcs_url": self.vcs_url,
+            "commit_hash": self.commit_hash,
         }
 
     @classmethod

vulnerabilities/migrations/0106_packagecommitpatch_patch_and_more.py

@@ -0,0 +1,133 @@
+# Generated by Django 4.2.25 on 2025-12-01 04:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0105_rename_codecommit_codepatch_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PackageCommitPatch",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "commit_hash",
+                    models.CharField(
+                        help_text="The commit hash of the patch in the VCS.", max_length=128
+                    ),
+                ),
+                (
+                    "vcs_url",
+                    models.URLField(
+                        help_text="The Version Control System URL (e.g., git repo URL).",
+                        max_length=1024,
+                    ),
+                ),
+                ("patch_url", models.TextField(blank=True, null=True)),
+                ("patch_text", models.TextField(blank=True, null=True)),
+                ("patch_checksum", models.CharField(blank=True, max_length=128, null=True)),
+            ],
+            options={
+                "unique_together": {("commit_hash", "vcs_url")},
+            },
+        ),
+        migrations.CreateModel(
+            name="Patch",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "commit_hash",
+                    models.CharField(
+                        blank=True,
+                        help_text="The commit hash of the patch in the VCS.",
+                        max_length=128,
+                        null=True,
+                    ),
+                ),
+                (
+                    "vcs_url",
+                    models.URLField(
+                        blank=True,
+                        help_text="The Version Control System URL (e.g., git repo URL).",
+                        max_length=1024,
+                        null=True,
+                    ),
+                ),
+                (
+                    "patch_url",
+                    models.URLField(
+                        blank=True, help_text="URL to the patch file or diff.", null=True
+                    ),
+                ),
+                (
+                    "patch_text",
+                    models.TextField(
+                        blank=True,
+                        help_text="The actual text content of the code patch/diff.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "patch_checksum",
+                    models.CharField(
+                        help_text="SHA512 checksum of the patch content.", max_length=128
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("patch_checksum", "patch_url")},
+            },
+        ),
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="fixed_by_commits",
+        ),
+        migrations.RemoveField(
+            model_name="impactedpackage",
+            name="introduced_by_commits",
+        ),
+        migrations.DeleteModel(
+            name="CodePatch",
+        ),
+        migrations.AddField(
+            model_name="advisoryv2",
+            name="patches",
+            field=models.ManyToManyField(
+                help_text="A list of patches associated with this advisory.",
+                related_name="advisories",
+                to="vulnerabilities.patch",
+            ),
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="fixed_by_package_commit_patches",
+            field=models.ManyToManyField(
+                help_text="PackageCommitPatches that fix this impact.",
+                related_name="fixed_in_impacts",
+                to="vulnerabilities.packagecommitpatch",
+            ),
+        ),
+        migrations.AddField(
+            model_name="impactedpackage",
+            name="introduced_by_package_commit_patches",
+            field=models.ManyToManyField(
+                help_text="PackageCommitPatches that introduce this impact.",
+                related_name="introduced_in_impacts",
+                to="vulnerabilities.packagecommitpatch",
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -2751,6 +2751,20 @@ class Patch(models.Model):
     Used for raw text patches, fallback scenarios, or unsupported VCS types.
     """
 
+    commit_hash = models.CharField(
+        max_length=128,
+        blank=True,
+        null=True,
+        help_text="The commit hash of the patch in the VCS.",
+    )
+
+    vcs_url = models.URLField(
+        max_length=1024,
+        blank=True,
+        null=True,
+        help_text="The Version Control System URL (e.g., git repo URL).",
+    )
+
     patch_url = models.URLField(
         null=True,
         blank=True,
@@ -2790,14 +2804,13 @@ class PackageCommitPatch(models.Model):
         help_text="The Version Control System URL (e.g., git repo URL).",
     )
 
+    patch_url = models.TextField(blank=True, null=True)
     patch_text = models.TextField(blank=True, null=True)
     patch_checksum = models.CharField(max_length=128, blank=True, null=True)
 
     def save(self, *args, **kwargs):
         if self.patch_text:
-            self.patch_checksum = hashlib.sha512(
-                self.patch_text.encode("utf-8")
-            ).hexdigest()
+            self.patch_checksum = hashlib.sha512(self.patch_text.encode("utf-8")).hexdigest()
         super().save(*args, **kwargs)
 
     class Meta:

vulnerabilities/pipes/advisory.py

@@ -127,6 +127,7 @@ def get_or_create_advisory_package_commit_patches(
             commit_hash=c.commit_hash,
             vcs_url=c.vcs_url,
             patch_text=getattr(c, "patch_text", None),
+            patch_url=getattr(c, "patch_url", None),
         )
         for c in commit_patches_data
         if (c.commit_hash, c.vcs_url) not in existing_pairs
@@ -158,6 +159,8 @@ def get_or_create_advisory_patches(
         Patch(
             patch_url=getattr(c, "patch_url", None),
             patch_text=getattr(c, "patch_checksum", None),
+            commit_hash=getattr(c, "commit_hash", None),
+            vcs_url=getattr(c, "vcs_url", None),
         )
         for c in base_patches_data
         if (c.patch_url, c.patch_checksum) not in existing_pairs
@@ -174,38 +177,48 @@ def get_or_create_advisory_patches(
 
 
 def classify_patch_source(vcs_url, commit_hash, patch_text, patch_url):
-    """"""
+    """Classify a patch as a supported VCS commit or generic data using provided args."""
+    purl = None
+
+    if patch_url:
+        purl = url2purl(patch_url)
+
+    if not purl or (purl.type not in VCS_URLS_SUPPORTED_TYPES) or (not purl.version and vcs_url):
+        purl = url2purl(vcs_url)
+
+    if not purl:
+        return None, PatchData(
+            patch_text=patch_text,
+            patch_url=patch_url,
+        )
 
-    purl = url2purl(patch_url)
     base_purl = get_core_purl(purl)
     purl_string = base_purl.to_string()
+
     vcs_url_p = get_repo_url(purl_string)
-    commit_hash_p = purl.version if purl else None
+    commit_hash_p = purl.version
 
     final_vcs_url = vcs_url or vcs_url_p
     final_commit_hash = commit_hash or commit_hash_p
 
-    if not final_vcs_url:
+    if not final_vcs_url or not final_commit_hash:
         return None, PatchData(
-            patch_text=patch_text,
             patch_url=patch_url,
+            patch_text=patch_text,
         )
 
-    if (
-        purl
-        and purl.type in VCS_URLS_SUPPORTED_TYPES
-        and final_vcs_url
-        and final_commit_hash
-        and is_commit(final_commit_hash)
-    ):
+    if purl.type in VCS_URLS_SUPPORTED_TYPES and final_commit_hash and is_commit(final_commit_hash):
         return base_purl, PackageCommitPatchData(
-            vcs_url=final_vcs_url, commit_hash=final_commit_hash, patch_text=patch_text
+            vcs_url=final_vcs_url,
+            commit_hash=final_commit_hash,
+            patch_url=patch_url,
+            patch_text=patch_text,
         )
 
     return None, PatchData(
-        patch_url=patch_url,
         vcs_url=final_vcs_url,
         commit_hash=final_commit_hash,
+        patch_url=patch_url,
         patch_text=patch_text,
     )
 

vulnerabilities/tests/pipes/test_vulnerablecode_importer_pipeline_v2.py

@@ -87,8 +87,6 @@ def dummy_advisory():
         ],
         patches=[
             PatchData(
-                vcs_url="",
-                commit_hash="",
                 patch_text="patch_text",
                 patch_url="example.com/1.patch",
             )

vulnerabilities/tests/test_data/aosp/CVE-aosp_test3-expected.json

@@ -20,7 +20,8 @@
           {
             "vcs_url": "https://github.com/torvalds/linux",
             "commit_hash": "0048b4837affd153897ed1222283492070027aa9",
-            "patch_text": null
+            "patch_text": null,
+            "patch_url": "https://github.com/torvalds/linux/commit/0048b4837affd153897ed1222283492070027aa9"
           }
         ]
       }