pulpcore 3.84.0__py3-none-any.whl → 3.85.0__py3-none-any.whl

pulpcore/app/models/status.py

@@ -6,7 +6,9 @@ from datetime import timedelta
 
 from django.conf import settings
 from django.contrib.postgres.fields import HStoreField
+from django.contrib.postgres.functions import TransactionNow
 from django.db import models
+from django.db.models import F, Value
 from django.utils import timezone
 
 from pulpcore.app.models import BaseModel
@@ -47,9 +49,138 @@ class AppStatusManager(models.Manager):
         return self.filter(last_heartbeat__lt=age_threshold)
 
 
+class _AppStatusManager(AppStatusManager):
+    # This is an intermediate class in order to allow a ZDU.
+    # It should be removed from the chain with 3.87.
+    def create(self, app_type, **kwargs):
+        if app_type == "api":
+            old_obj = ApiAppStatus.objects.create(**kwargs)
+        elif app_type == "worker":
+            from pulpcore.app.models import Worker
+
+            old_obj = Worker.objects.create(**kwargs)
+        else:
+            raise NotImplementedError(f"Invalid app_type: {app_type}")
+        obj = super().create(app_type=app_type, **kwargs)
+        obj._old_status = old_obj
+        return obj
+
+    async def acreate(self, app_type, **kwargs):
+        if app_type == "content":
+            old_obj = await ContentAppStatus.objects.acreate(**kwargs)
+        else:
+            raise NotImplementedError(f"Invalid app_type: {app_type}")
+        obj = await super().acreate(app_type=app_type, **kwargs)
+        obj._old_status = old_obj
+        return obj
+
+    def online(self):
+        """
+        Returns a queryset of objects that are online.
+        """
+        return self.filter(last_heartbeat__gte=TransactionNow() - F("ttl"))
+
+    def missing(self):
+        """
+        Returns a queryset of workers that are missing.
+        """
+        return self.filter(last_heartbeat__lt=TransactionNow() - F("ttl"))
+
+    def older_than(self, age):
+        """
+        Returns a queryset of workers that are older than age.
+        """
+        return self.filter(last_heartbeat__lt=TransactionNow() - Value(age))
+
+
+class AppStatus(BaseModel):
+    APP_TYPES = [
+        ("api", "api"),
+        ("content", "content"),
+        ("worker", "worker"),
+    ]
+    _APP_TTL = {
+        "api": settings.API_APP_TTL,
+        "content": settings.CONTENT_APP_TTL,
+        "worker": settings.WORKER_TTL,
+    }
+    objects = _AppStatusManager()
+
+    app_type = models.CharField(max_length=10, choices=APP_TYPES)
+    name = models.TextField(db_index=True, unique=True)
+    versions = HStoreField(default=dict)
+    ttl = models.DurationField(null=False)
+    last_heartbeat = models.DateTimeField(auto_now=True)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.ttl = timedelta(seconds=self._APP_TTL[self.app_type])
+        self._old_status = None
+
+    def delete(self, *args, **kwargs):
+        # adelete will call into this, so we should not replicate that one here.
+        if self._old_status is not None:
+            self._old_status.delete(*args, **kwargs)
+        super().delete(*args, **kwargs)
+
+    @property
+    def online(self) -> bool:
+        """
+        To be considered 'online', an app must have a timestamp more recent than ``self.ttl``.
+        """
+        age_threshold = timezone.now() - self.ttl
+        return self.last_heartbeat >= age_threshold
+
+    @property
+    def missing(self):
+        """
+        Whether an app can be considered 'missing'
+
+        To be considered 'missing', an App must have a timestamp older than ``self.ttl``.
+
+        Returns:
+            bool: True if the app is considered missing, otherwise False
+        """
+        return not self.online
+
+    def save_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        self._old_status.save_heartbeat()
+        self.save(update_fields=["last_heartbeat"])
+
+    async def asave_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        await self._old_status.asave_heartbeat()
+        await self.asave(update_fields=["last_heartbeat"])
+
+    @property
+    def current_task(self):
+        """
+        The task this worker is currently executing, if any.
+        """
+        return self.tasks.filter(state="running").first()
+
+
 class BaseAppStatus(BaseModel):
     """
     Represents an AppStatus.
+    Deprecated, to be removed with 3.87.
 
     This class is abstract. Subclasses must define `APP_TTL` as a `timedelta`.
 
@@ -103,6 +234,18 @@ class BaseAppStatus(BaseModel):
         """
         self.save(update_fields=["last_heartbeat"])
 
+    async def asave_heartbeat(self):
+        """
+        Update the last_heartbeat field to now and save it.
+
+        Only the last_heartbeat field will be saved. No other changes will be saved.
+
+        Raises:
+            ValueError: When the model instance has never been saved before. This method can
+                only update an existing database record.
+        """
+        await self.asave(update_fields=["last_heartbeat"])
+
     class Meta:
         abstract = True
 
@@ -110,6 +253,7 @@ class BaseAppStatus(BaseModel):
 class ApiAppStatus(BaseAppStatus):
     """
     Represents a Api App Status
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.API_APP_TTL)
@@ -118,6 +262,7 @@ class ApiAppStatus(BaseAppStatus):
 class ContentAppStatus(BaseAppStatus):
     """
     Represents a Content App Status
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.CONTENT_APP_TTL)

pulpcore/app/models/task.py

@@ -33,6 +33,7 @@ _logger = logging.getLogger(__name__)
 class Worker(BaseAppStatus):
     """
     Represents a worker
+    Deprecated, to be removed with 3.87.
     """
 
     APP_TTL = timedelta(seconds=settings.WORKER_TTL)

pulpcore/app/models/vulnerability_report.py

@@ -0,0 +1,34 @@
+from django.db import models
+
+from pulpcore.app.models.base import BaseModel
+from pulpcore.app.util import get_domain_pk
+
+
+class VulnerabilityReport(BaseModel):
+    """
+    A model for storing vulnerability reports for Content/RepositoryVersion.
+
+    Fields:
+        vulns (models.JSONField): A JSON field containing the list of vulnerabilities found
+            in osv.dev.
+
+    Relations:
+        content (models.OneToOneField): The Content object that was scanned for vulnerabilities.
+        pulp_domain (models.ForeignKey): The Domain this vulnerability report belongs to,
+            providing multi-tenancy isolation.
+        repo_versions (models.ManyToManyField): The RepositoryVersion(s) where the scanned
+            Content appears. This allows tracking which repository versions contain
+            vulnerable content.
+    """
+
+    content = models.OneToOneField(
+        "Content",
+        on_delete=models.CASCADE,
+        unique=True,
+    )
+    vulns = models.JSONField()
+    pulp_domain = models.ForeignKey("Domain", default=get_domain_pk, on_delete=models.CASCADE)
+    repo_versions = models.ManyToManyField("RepositoryVersion", blank=True)
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"

pulpcore/app/serializers/__init__.py

@@ -121,6 +121,7 @@ from .user import (
     UserSerializer,
 )
 from .replica import UpstreamPulpSerializer
+from .vulnerability_report import VulnerabilityReportSerializer
 from .openpgp import (
     OpenPGPDistributionSerializer,
     OpenPGPKeyringSerializer,

pulpcore/app/serializers/content.py

@@ -5,7 +5,13 @@ from rest_framework import serializers
 from rest_framework.validators import UniqueValidator
 
 from pulpcore.app import models
-from pulpcore.app.serializers import base, fields, pulp_labels_validator, DetailRelatedField
+from pulpcore.app.serializers import (
+    base,
+    fields,
+    pulp_labels_validator,
+    DetailRelatedField,
+    RelatedField,
+)
 from pulpcore.app.util import get_domain
 
 
@@ -27,6 +33,11 @@ class NoArtifactContentSerializer(base.ModelSerializer):
         view_name_pattern=r"repositories(-.*/.*)-detail",
         queryset=models.Repository.objects.all(),
     )
+    vuln_report = RelatedField(
+        read_only=True,
+        view_name="vuln_report-detail",
+        source="core_vulnerabilityreport",
+    )
 
     def get_artifacts(self, validated_data):
         """
@@ -116,6 +127,7 @@ class NoArtifactContentSerializer(base.ModelSerializer):
         fields = base.ModelSerializer.Meta.fields + (
             "repository",
             "pulp_labels",
+            "vuln_report",
         )
 
 

pulpcore/app/serializers/repository.py

@@ -7,7 +7,7 @@ from rest_framework import fields, serializers
 from rest_framework_nested.serializers import NestedHyperlinkedModelSerializer
 
 from pulpcore.app import models, settings
-from pulpcore.app.util import get_prn
+from pulpcore.app.util import get_prn, reverse
 from pulpcore.app.serializers import (
     DetailIdentityField,
     DetailRelatedField,
@@ -490,6 +490,12 @@ class RepositoryVersionSerializer(ModelSerializer, NestedHyperlinkedModelSeriali
         source="*",
         read_only=True,
     )
+    vuln_report = serializers.SerializerMethodField(
+        read_only=True,
+    )
+
+    def get_vuln_report(self, object):
+        return f"{reverse('vuln_report-list')}?repository_version={get_prn(object)}"
 
     class Meta:
         model = models.RepositoryVersion
@@ -499,6 +505,7 @@ class RepositoryVersionSerializer(ModelSerializer, NestedHyperlinkedModelSeriali
             "repository",
             "base_version",
             "content_summary",
+            "vuln_report",
         )
 
 

pulpcore/app/serializers/vulnerability_report.py

@@ -0,0 +1,27 @@
+from rest_framework import serializers
+
+from pulpcore.app.models import VulnerabilityReport
+from pulpcore.app.serializers import (
+    DetailRelatedField,
+    IdentityField,
+    ModelSerializer,
+    RepositoryVersionRelatedField,
+)
+
+
+class VulnerabilityReportSerializer(ModelSerializer):
+    """
+    A serializer for the VulnerabilityReport Model.
+    """
+
+    vulns = serializers.JSONField()
+    pulp_href = IdentityField(view_name="vuln_report-detail")
+    content = DetailRelatedField(
+        read_only=True,
+        view_name_pattern=r"content(-.*/.*)-detail",
+    )
+    repo_versions = RepositoryVersionRelatedField(many=True, required=False)
+
+    class Meta:
+        model = VulnerabilityReport
+        fields = ModelSerializer.Meta.fields + ("vulns", "repo_versions", "content")

pulpcore/app/settings.py

@@ -12,16 +12,14 @@ import sys
 
 from contextlib import suppress
 from importlib import import_module
+from importlib.metadata import entry_points
 from logging import getLogger
 from pathlib import Path
 
 from cryptography.fernet import Fernet
-from django.core.files.storage import storages
-from django.conf import global_settings
 from django.core.exceptions import ImproperlyConfigured
 from django.db import connection
-from pulpcore.app.loggers import deprecation_logger
-from dynaconf import DjangoDynaconf, Dynaconf, Validator, get_history
+from dynaconf import DjangoDynaconf, Dynaconf, Validator
 
 from pulpcore import constants
 
@@ -33,12 +31,6 @@ try:
 except ImportError:
     pass
 
-if sys.version_info < (3, 10):
-    # Python 3.9 has a rather different interface for `entry_points`.
-    # Let's use a compatibility version.
-    from importlib_metadata import entry_points
-else:
-    from importlib.metadata import entry_points
 
 # Load settings first pass before applying all the defaults to get a grip on ENABLED_PLUGINS.
 enabled_plugins_validator = Validator(
@@ -78,16 +70,7 @@ MEDIA_ROOT = str(DEPLOY_ROOT / "media")  # Django 3.1 adds support for pathlib.P
 STATIC_URL = "/assets/"
 STATIC_ROOT = DEPLOY_ROOT / STATIC_URL.strip("/")
 
-# begin compatibility layer for DEFAULT_FILE_STORAGE
-# Remove on pulpcore=3.85 or pulpcore=4.0
-
-# - What is this?
-# We shouldn't use STORAGES or DEFAULT_FILE_STORAGE directly because those are
-# mutually exclusive by django, which constraints users to use whatever we use.
-# This is a hack/workaround to set Pulp's default while still enabling users to choose
-# the legacy or the new storage setting.
-_DEFAULT_FILE_STORAGE = "pulpcore.app.models.storage.FileSystem"
-_STORAGES = {
+STORAGES = {
     "default": {
         "BACKEND": "pulpcore.app.models.storage.FileSystem",
     },
@@ -96,10 +79,6 @@ _STORAGES = {
     },
 }
 
-setattr(global_settings, "DEFAULT_FILE_STORAGE", _DEFAULT_FILE_STORAGE)
-setattr(global_settings, "STORAGES", _STORAGES)
-# end DEFAULT_FILE_STORAGE deprecation layer
-
 REDIRECT_TO_OBJECT_STORAGE = True
 
 WORKING_DIRECTORY = DEPLOY_ROOT / "tmp"
@@ -329,6 +308,7 @@ TASK_PROTECTION_TIME = 0
 TMPFILE_PROTECTION_TIME = 0
 
 REMOTE_USER_ENVIRON_NAME = "REMOTE_USER"
+REMOTE_USER_OPENAPI_SECURITY_SCHEME = {"type": "mutualTLS"}
 
 AUTHENTICATION_JSON_HEADER = ""
 AUTHENTICATION_JSON_HEADER_JQ_FILTER = ""
@@ -348,6 +328,7 @@ CACHE_SETTINGS = {
 REMOTE_CONTENT_FETCH_FAILURE_COOLDOWN = 5 * 60  # 5 minutes
 
 SPECTACULAR_SETTINGS = {
+    "OAS_VERSION": "3.1.1",
     "SERVE_URLCONF": ROOT_URLCONF,
     "DEFAULT_GENERATOR_CLASS": "pulpcore.openapi.PulpSchemaGenerator",
     "DEFAULT_SCHEMA_CLASS": "pulpcore.openapi.PulpAutoSchema",
@@ -425,6 +406,9 @@ KAFKA_SASL_PASSWORD = None
 # opentelemetry settings
 OTEL_ENABLED = False
 
+# VulnerabilityReport settings
+VULN_REPORT_TASK_LIMITER = 10
+
 # Replaces asyncio event loop with uvloop
 UVLOOP_ENABLED = False
 
@@ -433,19 +417,17 @@ UVLOOP_ENABLED = False
 
 # Validators
 
-storage_keys = ("STORAGES.default.BACKEND", "DEFAULT_FILE_STORAGE")
 storage_validator = (
     Validator("REDIRECT_TO_OBJECT_STORAGE", eq=False)
-    | Validator(*storage_keys, eq="pulpcore.app.models.storage.FileSystem")
-    | Validator(*storage_keys, eq="storages.backends.azure_storage.AzureStorage")
-    | Validator(*storage_keys, eq="storages.backends.s3.S3Storage")
-    | Validator(*storage_keys, eq="storages.backends.s3boto3.S3Boto3Storage")
-    | Validator(*storage_keys, eq="storages.backends.gcloud.GoogleCloudStorage")
+    | Validator("STORAGES.default.BACKEND", eq="pulpcore.app.models.storage.FileSystem")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.azure_storage.AzureStorage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.s3.S3Storage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.s3boto3.S3Boto3Storage")
+    | Validator("STORAGES.default.BACKEND", eq="storages.backends.gcloud.GoogleCloudStorage")
 )
 storage_validator.messages["combined"] = (
     "'REDIRECT_TO_OBJECT_STORAGE=True' is only supported with the local file, S3, GCP or Azure "
-    "storage backend configured in STORAGES['default']['BACKEND'] "
-    "(deprecated DEFAULT_FILE_STORAGE)."
+    "storage backend configured in STORAGES['default']['BACKEND']."
 )
 
 cache_enabled_validator = Validator("CACHE_ENABLED", eq=True)
@@ -552,21 +534,6 @@ settings = DjangoDynaconf(
     post_hooks=(otel_middleware_hook,),
 )
 
-# begin compatibility layer for DEFAULT_FILE_STORAGE
-# Remove on pulpcore=3.85 or pulpcore=4.0
-using_deprecated_storage_settings = len(get_history(settings, key="DEFAULT_FILE_STORAGE")) > 1
-if using_deprecated_storage_settings:
-    deprecation_logger.warning(
-        "[deprecation] DEFAULT_FILE_STORAGE will be removed in pulpcore 3.85. "
-        "Learn how to upgrade to STORAGES:\n"
-        "https://discourse.pulpproject.org/t/"
-        "action-required-upgrade-your-storage-settings-before-pulpcore-3-85/2072/2"
-    )
-# Ensures the cached property storage.backends uses the the right value
-storages._backends = settings.STORAGES.copy()
-storages.backends
-# end compatibility layer
-
 _logger = getLogger(__name__)
 
 

pulpcore/app/tasks/__init__.py

@@ -25,3 +25,5 @@ from .replica import replicate_distributions
 from .repository import repair_all_artifacts
 
 from .analytics import post_analytics
+
+from .vulnerability_report import check_content

pulpcore/app/tasks/vulnerability_report.py

@@ -0,0 +1,159 @@
+import aiohttp
+import asyncio
+import importlib
+
+from asgiref.sync import sync_to_async
+from django.conf import settings
+
+from pulpcore.app.util import get_domain
+from pulpcore.app.models.progress import ProgressReport
+from pulpcore.app.models.vulnerability_report import VulnerabilityReport
+from pulpcore.constants import OSV_QUERY_URL, TASK_STATES
+
+
+class VulnerabilityReportScanner:
+    """
+    A scanner class to collect vulnerabilities from Pulp Contents using the OSV.dev API.
+
+    Attributes:
+        semaphore (asyncio.Semaphore): Controls concurrent API requests to osv.dev service.
+        generator (AsyncGenerator): The async generator with the content data to be scanned for
+            vulnerabilities.
+        session (aiohttp.ClientSession): HTTP session for making requests to the OSV.dev API.
+            Defaults to a new session if not provided.
+        created (ProgressReport): Tracks the number of new VulnerabilityReport records created
+            during the scanning process.
+        updated (ProgressReport): Tracks the number of existing VulnerabilityReport records
+            updated during the scanning process.
+        total_scanned (ProgressReport): Tracks the total number of content items that have
+            been processed for vulnerability scanning.
+    """
+
+    def __init__(self, semaphore, generator, session=None):
+        self.semaphore = semaphore
+        self.generator = generator
+        self.session = session or aiohttp.ClientSession()
+        self.created = ProgressReport(
+            message="Vulnerability Reports created", code="created", state=TASK_STATES.RUNNING
+        )
+        self.updated = ProgressReport(
+            message="Vulnerability Reports updated", code="updated", state=TASK_STATES.RUNNING
+        )
+        self.total_scanned = ProgressReport(
+            message="Content scanned", code="total_scanned", state=TASK_STATES.RUNNING
+        )
+
+    async def scan_packages(self):
+        """
+        Main entry point for scanning packages for vulnerabilities. Progress is tracked through
+        three ProgressReport instances (created, updated, total_scanned).
+        """
+        tasks = []
+        async for content in self.generator:
+            tasks.append(asyncio.create_task(self.scan_package(content)))
+        await asyncio.gather(*tasks)
+        await self.session.close()
+
+        if self.created.done > 0:
+            self.created.state = TASK_STATES.COMPLETED
+            await self.created.asave()
+        if self.total_scanned.done > 0:
+            self.total_scanned.state = TASK_STATES.COMPLETED
+            await self.total_scanned.asave()
+        if self.updated.done > 0:
+            self.updated.state = TASK_STATES.COMPLETED
+            await self.updated.asave()
+
+    async def scan_package(self, repo_content_osv_data):
+        """
+        Makes a request to the osv.dev API and store the results in VulnerabilityReport model.
+
+        Args:
+            repo_content_osv_data (Dict[str, Any]): A dictionary with osv.dev expected request
+              data format plus associated Pulp Content and RepoVersion.
+        """
+        vulns, content, repo_version = await self._process_reports(repo_content_osv_data)
+        await self._save_vulnerability_report(vulns, content, repo_version)
+
+    async def _process_reports(self, repo_content_osv_data):
+        """
+        Process vulnerability scanning data by querying the OSV API and extracting results.
+
+        Args:
+            repo_content_osv_data (Dict[str, Any]): A dictionary containing OSV.dev expected
+                request data format plus associated Pulp Content and RepositoryVersion.
+
+        Returns:
+            tuple:
+                - vulns (List[Dict]): List of vulnerability (vulns) returned from OSV.dev API
+                - pulp_content (Content): The Pulp Content instance that was scanned
+                - repo_version (RepositoryVersion or None): The RepositoryVersion where the
+                  Content is present
+        """
+        vulns = []
+        async with self.semaphore:
+            repo_version = repo_content_osv_data.pop("repo_version", None)
+            pulp_content = repo_content_osv_data.pop("content")
+            vulnerability_data = await self._query_osv_api(repo_content_osv_data)
+            vulns = vulnerability_data.get("vulns", [])
+            while next_page_token := vulnerability_data.get("next_page_token"):
+                repo_content_osv_data["page_token"] = next_page_token
+                vulnerability_data = await self._query_osv_api(repo_content_osv_data)
+                vulns.extend(vulnerability_data)
+        await self.total_scanned.aincrement()
+        return vulns, pulp_content, repo_version
+
+    async def _query_osv_api(self, osv_data):
+        """
+        Make a single HTTP POST request to the OSV.dev vulnerability database API.
+
+        Args:
+            osv_data (Dict[str, Any]): OSV query data dictionary containing package information
+                in the format expected by the OSV.dev API.
+
+        Returns:
+            Dict[str, Any]: JSON response from the OSV API containing vulnerability data.
+        """
+        async with self.session.post(url=OSV_QUERY_URL, json=osv_data) as response:
+            try:
+                return await response.json()
+            except aiohttp.ContentTypeError:
+                raise RuntimeError("Vuln report task failed to query osv.dev data.")
+
+    async def _save_vulnerability_report(self, vulns, content, repo_version):
+        """
+        Save vulnerability report to the database.
+
+        Args:
+            vulns (List): osv.dev vulns output
+            content (Content): A Pulp Content instance which vulnerabilities were verified
+            repo_version (RepositoryVersion): The RepositoryVersion where Content is present
+        """
+
+        vuln_report, created = await sync_to_async(VulnerabilityReport.objects.update_or_create)(
+            vulns=vulns, pulp_domain=get_domain(), content=content
+        )
+        await vuln_report.repo_versions.aadd(repo_version)
+
+        if created:
+            await self.created.aincrement()
+        else:
+            await self.updated.aincrement()
+
+
+async def check_content(func, args):
+    """
+    Spawn tasks for each async generator value to make the API requests (scan) to osv.dev.
+
+    Args:
+        func (callable | str): A Pulp plugin function that should return an async generator with
+          the osv.dev expected request data format plus associated Pulp Content and RepoVersion.
+        args (tuple): The positional arguments to pass on to the func.
+    """
+    module_name, function_name = func.rsplit(".", 1)
+    module = importlib.import_module(module_name)
+    func = getattr(module, function_name)
+
+    semaphore = asyncio.Semaphore(settings.VULN_REPORT_TASK_LIMITER)
+    vuln_report_scanner = VulnerabilityReportScanner(semaphore, func(*args))
+    await vuln_report_scanner.scan_packages()

pulpcore/app/viewsets/__init__.py

@@ -82,6 +82,7 @@ from .user import (
     UserRoleViewSet,
 )
 from .replica import UpstreamPulpViewSet
+from .vulnerability_report import VulnerabilityReportViewSet
 from .openpgp import (
     OpenPGPDistributionViewSet,
     OpenPGPKeyringViewSet,

pulpcore/app/viewsets/vulnerability_report.py

@@ -0,0 +1,20 @@
+from rest_framework.mixins import DestroyModelMixin, ListModelMixin, RetrieveModelMixin
+
+from pulpcore.app.models.vulnerability_report import VulnerabilityReport
+from pulpcore.app.serializers.vulnerability_report import VulnerabilityReportSerializer
+from pulpcore.app.viewsets.base import NamedModelViewSet
+
+
+class VulnerabilityReportViewSet(
+    NamedModelViewSet, ListModelMixin, RetrieveModelMixin, DestroyModelMixin
+):
+
+    endpoint_name = "vuln_report"
+    queryset = VulnerabilityReport.objects.prefetch_related("repo_versions").select_related(
+        "content"
+    )
+    serializer_class = VulnerabilityReportSerializer
+
+    @classmethod
+    def routable(cls):
+        return True

pulpcore/constants.py

@@ -131,3 +131,7 @@ CHECKPOINT_TS_FORMAT = "%Y%m%dT%H%M%SZ"
 # The upper boundary represents an unsigned 32-bit integer and prevents overflow
 ORPHAN_PROTECTION_TIME_LOWER_BOUND = 0
 ORPHAN_PROTECTION_TIME_UPPER_BOUND = 4294967295  # (2^32)-1
+
+# VULNERABILITY REPORT CONSTANTS
+# OSV API URL
+OSV_QUERY_URL = "https://api.osv.dev/v1/query"