Incorrect AdvisoryV2 serialization due to missing PackageCommitPatch and Patch

[keshav-space]

#2017 introduced Patch and PackageCommitPatch to AdvisoryV2, but these are not being reported when serializing AdvisoryV2 to AdvisoryData using AdvisoryV2.to_advisory_data().

• patches field is missing from AdvisoryV2.to_advisory_data().
  

  vulnerablecode/vulnerabilities/models.py

  Lines 3011 to 3023 in 0318583

  	return AdvisoryData(
  	advisory_id=self.advisory_id,
  	aliases=[item.alias for item in self.aliases.all()],
  	summary=self.summary,
  	affected_packages=[
  	impacted.to_affected_package_data() for impacted in self.impacted_packages.all()
  	],
  	references_v2=[ref.to_reference_v2_data() for ref in self.references.all()],
  	date_published=self.date_published,
  	weaknesses=[weak.cwe_id for weak in self.weaknesses.all()],
  	severities=[sev.to_vulnerability_severity_data() for sev in self.severities.all()],
  	url=self.url,
  	)

• introduced_by_commit_patches and fixed_by_commit_patches field is missing from ImpactedPackage.to_dict().
  

  vulnerablecode/vulnerabilities/models.py

  Lines 3098 to 3102 in 0318583

  	return {
  	"package": purl_to_dict(self.base_purl),
  	"affected_version_range": self.affecting_vers,
  	"fixed_version_range": self.fixed_vers,
  	}

[iGufrankhan]

Hi @keshav-space,
I’m new to the vulnerablecode codebase, so I started by reproducing this issue locally to understand the flow.

I confirmed:
1AdvisoryV2.to_advisory_data() does not include patches
2 ImpactedPackage.to_dict() does not include introduced/fixed commit patches

so i added
patches in to_advisory_data by aggregating patches through related ImpactedPackages
erialization of introduced_by_package_commit_patches and fixed_by_package_commit_patches in ImpactedPackage.to_dict()

I verified in Django shell that:
ip.to_dict() now shows commit patches
adv.to_advisory_data().patches returns them correctly

print(ip.to_dict())
{'package': {'type': 'pypi', 'namespace': '', 'name': 'testpkg', 'version': '1.0.0', 'qualifiers': '', 'subpath': ''}, 'affected_version_range': 'vers:pypi/<=1.0.0', 'fixed_version_range': 'vers:pypi/>=1.0.1', 'introduced_by_package_commit_patches': [{'commit_hash': 'abc123', 'vcs_url': 'https://github.com/demo/repo', 'patch_text': 'diff --git a/a b/b', 'patch_checksum': 'b17402e749a2049ae0fa2d1d37a1f3a62c8fa537621c7a4f072ef967b246a9fa1dda201c6014ba0ffc9a35c1f2e4f44c4bb53fd6b6fae78c26bbbcff7cf3c815'}], 'fixed_by_package_commit_patches': [{'commit_hash': 'def456', 'vcs_url': 'https://github.com/demo/repo', 'patch_text': 'diff --git a/c b/d', 'patch_checksum': 'e139b06e458a1ee04b2eb75aae50762d33c1f0a74eeccd7d99232b636f78a5fe2943f0382c4ec5ec33310dce4b9858426d55775958cab176f25ff8995ab76847'}]}

Since I’m new here, I’d appreciate feedback on whether this approach matches the project’s design expectations.
I might be missing some edge cases, so please guide me

[keshav-space]

@iGufrankhan we have patch for this here #2117