Paginate UI and API for packages with large number of advisories reporting them

[TG1999]

Choice 1:

{
                "purl": "pkg:pypi/trac@0.8.4",
                "affected_by_vulnerabilities": {
"response": [{
                        "advisory_id": "pysec_importer_v2/PYSEC-2005-1",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.10"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2006-2",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.9.6"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2006-3",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.11"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2007-2",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.10.3.1"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2007-3",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.10.3.1"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2008-4",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.10.5"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2008-5",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.10.5"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2008-6",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.11.2"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2008-7",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.11.2"
                        ],
                        "duplicate_advisory_ids": []
                    },
                    {
                        "advisory_id": "pysec_importer_v2/PYSEC-2009-7",
                        "fixed_by_packages": [
                            "pkg:pypi/trac@0.11.6"
                        ],
                        "duplicate_advisory_ids": []
                    }
                ],
"next": "https://public2.vcio/api/v3/advisories?purl=pkg:pypi/trac@0.8.4&page=2"
}
                    ,
                "fixing_vulnerabilities": [],
                "next_non_vulnerable_version": "0.9.6",
                "latest_non_vulnerable_version": "0.11.6",
                "risk_score": null
            },

Choice 2:

{
                "purl": "pkg:pypi/trac@0.8.4",
                "affected_by_vulnerabilities_url":"https://public2.vcio/api/v3/affected-advisories?purl=pkg:pypi/trac@0.8.4",
                "fixing_vulnerabilities_url": "https://public2.vcio/api/v3/fixed-advisories?purl=pkg:pypi/trac@0.8.4",
                "next_non_vulnerable_version": "0.9.6",
                "latest_non_vulnerable_version": "0.11.6",
                "risk_score": null
},

{
"count": 1,
"next": null,
"previous": null,
"results" : {
 "advisories" : [
  {
                "advisory_id": "pysec_importer_v2/PYSEC-2006-2",
                "url": "https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip",
                "aliases": [
                    "CVE-2006-3695",
                    "GHSA-r524-c2gf-5chr"
                ],
                "summary": "Trac before 0.9.6 does not disable the \"raw\" or \"include\" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via unspecified vectors. NOTE: this might be related to CVE-2006-3458.",
                "severities": [],
                "weaknesses": [],
                "references": [
                    {
                        "url": "http://secunia.com/advisories/20958",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://secunia.com/advisories/21534",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://securitytracker.com/id?1016457",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27706",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27708",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://trac.edgewall.org/wiki/ChangeLog",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://www.debian.org/security/2006/dsa-1152",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://www.securityfocus.com/bid/18323",
                        "reference_type": "",
                        "reference_id": ""
                    },
                    {
                        "url": "http://www.vupen.com/english/advisories/2006/2729",
                        "reference_type": "",
                        "reference_id": ""
                    }
                ],
                "exploitability": null,
                "weighted_severity": null,
                "risk_score": null,
                "related_ssvc_trees": []
            }
}
]
}

[Mahaboobunnisa123]

Hi @TG1999, I would like to work on this issue. Could you please assign this to me?

[TG1999]

• /api/v3/packages

  • "purls" a list of purl which will be strings (if it's empty we return list of all purls affected by an advisory, in that case details and approximate needs to be false).
  • "details" boolean (by default false, we will provide URLs for "affected_by_advisories_url" and "fixing_advisories_url" which will be a paginated endpoint of advisories (this may or may not support grouping : TBD)),
  • "approximate" boolean (if approximate is True we ignore qualifers and subpaths, if false we don't ignore, by default false). We always paginate our responses.
  • We remove everything else, bulk lookup, bulk search, lookup and all

• /api/v3/affected-by-advisories?purl=pkg:pypi/trac@0.8.4 - These will be paginated list views of advisories with their details, purl is a mandatory query argument and it can not be skipped.

• /api/v3/fixing-advisories?purl=pkg:pypi/trac@0.8.4 - These will be paginated list views of advisories with their details, purl is a mandatory query argument and it can not be skipped.

{
                "purl": "pkg:pypi/trac@0.8.4",
                "affected_by_vulnerabilities_url":"https://public2.vcio/api/v3/affected-advisories?purl=pkg:pypi/trac@0.8.4",
                "fixing_vulnerabilities_url": "https://public2.vcio/api/v3/fixed-advisories?purl=pkg:pypi/trac@0.8.4",
                "next_non_vulnerable_version": "0.9.6",
                "latest_non_vulnerable_version": "0.11.6",
                "risk_score": null
},

[pombredanne]

Here is a refinement suggestion:

• For the packages paginated endpoint, taking a POST of PURLS , when we have details, we return inlined advisory ids if we have less than a 100:

    "packages": [
      {
        "purl": "pkg:pypi/django@5.0.1",
        "next_non_vulnerable_version": "5.1.15",
        "latest_non_vulnerable_version": "6.0.3",
        "risk_score": null,
        "affected_by_vulnerabilities": [
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "fixed_by_packages": [
              "pkg:pypi/django@4.2.15",
              "pkg:pypi/django@5.0.8"
            ],
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          },
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "fixed_by_packages": [
              "pkg:pypi/django@4.2.15",
              "pkg:pypi/django@5.0.8"
            ],
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          }
        ],
        "fixing_vulnerabilities": []
      }
    ]

• For the packages endpoint, when we have details, we return inlined advisory ids if we have more than a 100 using affected_by_vulnerabilities_url, which is mutually exclusive with the affected_by_vulnerabilities` list:

    "packages": [
      {
        "purl": "pkg:pypi/django@5.0.1",
        "next_non_vulnerable_version": "5.1.15",
        "latest_non_vulnerable_version": "6.0.3",
        "risk_score": null,
        "affected_by_vulnerabilities_url": "https://foo.bar/api/v3/affected_by_vulnerabilities?purl=pkg:pypi/django@5.0.1",
        "fixing_vulnerabilities": []
      }
    ]

• ... and a new affected_by_vulnerabilities paginated endpoint GET taking a single PURL and returning the details omitted in main API call:

        "affected_by_vulnerabilities": [
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "fixed_by_packages": [
              "pkg:pypi/django@4.2.15",
              "pkg:pypi/django@5.0.8"
            ],
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          },
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "fixed_by_packages": [
              "pkg:pypi/django@4.2.15",
              "pkg:pypi/django@5.0.8"
            ],
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          }
        ]

• ... and a new fixing_vulnerabilities paginated endpoint GET taking a single PURL and returning the details omitted in main API call:

        "fixing_vulnerabilities": [
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          },
          {
            "advisory_id": "pypa_importer_v2/PYSEC-2024-69",
            "duplicate_advisory_ids": [
              "pysec_importer_v2/PYSEC-2024-69"
            ]
          }
        ]

• and pairs are mutually exclusive:
  • if fixing_vulnerabilities is present fixing_vulnerabilities_url MUST NOT be present
  • if affected_by_vulnerabilities is present affected_by_vulnerabilities_url MUST NOT be present
  • we can mix affected_by_vulnerabilities and fixing_vulnerabilities_url together and also affected_by_vulnerabilities_url and fixing_vulnerabilities

And in all cases an advisories paginated endpoint taking a POST of PURLS with:

"advisories": [
{
        "advisory_id": "pysec_importer_v2/PYSEC-2025-14",
        "url": "https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip",
        "aliases": [
          "BIT-django-2025-27556",
          "CVE-2025-27556",
          "GHSA-wqfg-m96j-85vm"
        ],
        "summary": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
        "severities": [],
        "weaknesses": [],
        "references": [
          {
            "url": "https://docs.djangoproject.com/en/dev/releases/security/",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "https://groups.google.com/g/django-announce",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/02/2",
            "reference_type": "",
            "reference_id": ""
          }
        ],
        "exploitability": null,
        "weighted_severity": null,
        "risk_score": null,
        "related_ssvc_trees": []
      },

{
        "advisory_id": "pysec_importer_v2/PYSEC-2025-14",
        "url": "https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip",
        "aliases": [
          "BIT-django-2025-27556",
          "CVE-2025-27556",
          "GHSA-wqfg-m96j-85vm"
        ],
        "summary": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.",
        "severities": [],
        "weaknesses": [],
        "references": [
          {
            "url": "https://docs.djangoproject.com/en/dev/releases/security/",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "https://groups.google.com/g/django-announce",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/",
            "reference_type": "",
            "reference_id": ""
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/04/02/2",
            "reference_type": "",
            "reference_id": ""
          }
        ],
        "exploitability": null,
        "weighted_severity": null,
        "risk_score": null,
        "related_ssvc_trees": []
      }



]

[Harsh8084]

Hi @TG1999,

I have gone through the issue and proposed API design.

My understanding:

• Implement pagination for advisories
• Add new endpoints:
  • /affected-by-advisories
  • /fixing-advisories
• Update /packages endpoint to:
  • Inline advisories if <100
  • Otherwise return paginated URLs
• Ensure mutual exclusivity between list and URL fields

Proposed approach:

1. Create paginated API views using DRF
2. Add threshold logic (100 advisories)
3. Update serializers dynamically
4. Add tests for both small and large cases

Please let me know if this aligns with expectations. I’d love to work on this.

Thanks!