Store package version release date in DB

Author: abhey8

vulnerabilities/improvers/valid_versions.py

@@ -40,6 +40,8 @@
 from vulnerabilities.improver import Improver
 from vulnerabilities.improver import Inference
 from vulnerabilities.models import Advisory
+from vulnerabilities.models import Package
+from vulnerabilities.models import PackageV2
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
 from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline
 from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline
@@ -73,15 +75,45 @@ def get_package_versions(
         """
         Return a list of versions published before `until` for the `package_url`
         """
-        versions = package_versions.versions(str(package_url))
+        versions = list(package_versions.versions(str(package_url)) or [])
+        self.store_package_release_dates(package_url=package_url, versions=versions)
         versions_before_until = []
-        for version in versions or []:
+        for version in versions:
             if until and version.release_date and version.release_date > until:
                 continue
             versions_before_until.append(version.value)
 
         return versions_before_until
 
+    def store_package_release_dates(self, package_url: PackageURL, versions: List) -> None:
+        """
+        Persist release dates for known package versions in both Package and PackageV2.
+        """
+        releases_by_version = {
+            version.value: version.release_date
+            for version in versions
+            if getattr(version, "value", None) and getattr(version, "release_date", None)
+        }
+        if not releases_by_version:
+            return
+
+        filters = {
+            "type": package_url.type,
+            "namespace": package_url.namespace,
+            "name": package_url.name,
+            "version__in": list(releases_by_version),
+        }
+
+        for model in (Package, PackageV2):
+            packages_to_update = []
+            for package in model.objects.filter(**filters).only("id", "version", "release_date"):
+                release_date = releases_by_version.get(package.version)
+                if release_date and package.release_date != release_date:
+                    package.release_date = release_date
+                    packages_to_update.append(package)
+            if packages_to_update:
+                model.objects.bulk_update(packages_to_update, fields=["release_date"])
+
     def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
         """
         Yield Inferences for the given advisory data

vulnerabilities/migrations/0117_package_release_date.py

@@ -0,0 +1,39 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+from django.db import migrations
+from django.db import models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("vulnerabilities", "0116_advisoryv2_advisory_content_hash"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="package",
+            name="release_date",
+            field=models.DateTimeField(
+                blank=True,
+                db_index=True,
+                help_text="Date when this package version was released by the upstream package source.",
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="packagev2",
+            name="release_date",
+            field=models.DateTimeField(
+                blank=True,
+                db_index=True,
+                help_text="Date when this package version was released by the upstream package source.",
+                null=True,
+            ),
+        ),
+    ]

vulnerabilities/models.py

@@ -896,6 +896,13 @@ class Package(PackageURLMixin):
         db_index=True,
     )
 
+    release_date = models.DateTimeField(
+        null=True,
+        blank=True,
+        db_index=True,
+        help_text="Date when this package version was released by the upstream package source.",
+    )
+
     objects = PackageQuerySet.as_manager()
 
     class Meta:
@@ -3384,6 +3391,13 @@ class PackageV2(PackageURLMixin):
         db_index=True,
     )
 
+    release_date = models.DateTimeField(
+        null=True,
+        blank=True,
+        db_index=True,
+        help_text="Date when this package version was released by the upstream package source.",
+    )
+
     def __str__(self):
         return self.package_url
 

vulnerabilities/tests/test_valid_versions_release_date.py

@@ -0,0 +1,52 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from dataclasses import dataclass
+from datetime import datetime
+from datetime import timezone as dt_timezone
+
+import pytest
+from packageurl import PackageURL
+
+from vulnerabilities.improvers.valid_versions import DebianBasicImprover
+from vulnerabilities.models import Package
+from vulnerabilities.models import PackageV2
+
+
+@dataclass
+class MockVersion:
+    value: str
+    release_date: datetime | None
+
+
+@pytest.mark.django_db
+def test_get_package_versions_stores_release_date(monkeypatch):
+    package = Package.objects.create(type="pypi", name="demo", version="1.0.0")
+    package_v2 = PackageV2.objects.create(type="pypi", name="demo", version="1.0.0")
+
+    release_date = datetime(2024, 1, 15, tzinfo=dt_timezone.utc)
+    mock_versions = [
+        MockVersion(value="1.0.0", release_date=release_date),
+        MockVersion(value="2.0.0", release_date=None),
+    ]
+
+    monkeypatch.setattr(
+        "vulnerabilities.improvers.valid_versions.package_versions.versions",
+        lambda *_args, **_kwargs: mock_versions,
+    )
+
+    purl = PackageURL(type="pypi", name="demo")
+    versions = DebianBasicImprover().get_package_versions(package_url=purl)
+
+    assert versions == ["1.0.0", "2.0.0"]
+
+    package.refresh_from_db()
+    package_v2.refresh_from_db()
+    assert package.release_date == release_date
+    assert package_v2.release_date == release_date