python-ort 0.5.0__tar.gz → 0.6.0__tar.gz

{python_ort-0.5.0 → python_ort-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-ort
-Version: 0.5.0
+Version: 0.6.0
 Summary: A Python Ort model serialization library
 License-Expression: MIT
 License-File: LICENSE

{python_ort-0.5.0 → python_ort-0.6.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "uv_build"
 
 [project]
 name = "python-ort"
-version = "0.5.0"
+version = "0.6.0"
 description = "A Python Ort model serialization library"
 readme = "README.md"
 license = "MIT"
@@ -31,13 +31,11 @@ module-root = "src"
 
 [dependency-groups]
 dev = [
-    "datamodel-code-generator[http]>=0.53.0",
-    "pre-commit>=4.5.1",
-    "pycodestyle>=2.14.0",
-    "pyrefly>=0.49.0",
+    "datamodel-code-generator[http]>=0.54.0",
     "pytest>=9.0.2",
-    "rich>=14.2.0",
-    "ruff>=0.14.14",
+    "rich>=14.3.2",
+    "ruff>=0.15.1",
+    "ty>=0.0.17",
     "types-pyyaml>=6.0.12.20250915",
 ]
 

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/__init__.py

@@ -4,10 +4,10 @@
 
 from ort.models.analyzer_result import AnalyzerResult
 from ort.models.ort_result import OrtResult
-from ort.models.repository_configuration import OrtRepositoryConfiguration
+from ort.models.repository_configuration import RepositoryConfiguration
 
 __all__ = [
     "AnalyzerResult",
-    "OrtRepositoryConfiguration",
+    "RepositoryConfiguration",
     "OrtResult",
 ]

python_ort-0.6.0/src/ort/models/__init__.py

@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from .advisor_capability import AdvisorCapability
+from .advisor_result import AdvisorResult
+from .advisor_run import AdvisorRun
+from .analyzer_result import AnalyzerResult
+from .analyzer_run import AnalyzerRun
+from .dependency_graph import DependencyGraph
+from .dependency_graph_edge import DependencyGraphEdge
+from .dependency_graph_node import DependencyGraphNode
+from .dependency_reference import DependencyReference
+from .hash import Hash
+from .hash_algorithm import HashAlgorithm
+from .identifier import Identifier
+from .issue import Issue
+from .ort_result import OrtResult
+from .package import Package
+from .package_curation import PackageCuration
+from .package_curation_data import PackageCurationData
+from .package_linkage import PackageLinkage
+from .package_reference import PackageReference
+from .project import Project
+from .remote_artifact import RemoteArtifact
+from .repository import Repository
+from .repository_configuration import RepositoryConfiguration
+from .root_dependency_index import RootDependencyIndex
+from .scope import Scope
+from .source_code_origin import SourceCodeOrigin
+from .vcsinfo import VcsInfo
+from .vcsinfo_curation_data import VcsInfoCurationData
+from .vcstype import VcsType
+
+__all__ = [
+    "AdvisorCapability",
+    "AdvisorResult",
+    "AdvisorRun",
+    "AnalyzerResult",
+    "AnalyzerRun",
+    "DependencyGraph",
+    "DependencyGraphEdge",
+    "DependencyGraphNode",
+    "DependencyReference",
+    "Hash",
+    "HashAlgorithm",
+    "Identifier",
+    "Issue",
+    "OrtResult",
+    "Package",
+    "PackageCuration",
+    "PackageCurationData",
+    "PackageLinkage",
+    "PackageReference",
+    "Project",
+    "RemoteArtifact",
+    "Repository",
+    "RepositoryConfiguration",
+    "RootDependencyIndex",
+    "Scope",
+    "SourceCodeOrigin",
+    "VcsInfo",
+    "VcsInfoCurationData",
+    "VcsType",
+]

python_ort-0.6.0/src/ort/models/advisor_capability.py

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from enum import IntEnum
+
+
+class AdvisorCapability(IntEnum):
+    """
+    An enum class that defines the capabilities of a specific advisor implementation.
+
+    There are multiple types of findings that can be retrieved by an advisor, such as security vulnerabilities or
+    defects. An [AdvisorResult] has different fields for the different findings types. This enum corresponds to these
+    fields. It allows an advisor implementation to declare, which of these fields it can populate. This information is
+    of interest, for instance, when generating reports for specific findings to determine, which advisor may have
+    contributed.
+
+    """
+
+    DEFECTS = 1
+    VULNERABILITIES = 2

python_ort-0.6.0/src/ort/models/advisor_details.py

@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from ort.models import AdvisorCapability
+
+
+class AdvisorDetails(BaseModel):
+    """
+    Details about the used provider of vulnerability information.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    name: str = Field(description="The name of the used advisor.")
+    capabilities: set[AdvisorCapability] = Field(
+        description="The capabilities of the used advisor. This property indicates, which kind of findings"
+        "are retrieved by the advisor."
+    )
+
+    @field_validator("capabilities", mode="before")
+    @classmethod
+    def convert_capability(cls, v):
+        def _convert(item):
+            if isinstance(item, str):
+                try:
+                    return AdvisorCapability[item]
+                except KeyError:
+                    raise ValueError(f"Invalid capability: {item}")
+            return item
+
+        if isinstance(v, (list, set)):
+            return {_convert(item) for item in v}
+        if isinstance(v, str):
+            return _convert(v)
+        return v

python_ort-0.6.0/src/ort/models/advisor_result.py

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.vulnerabilities import Vulnerability
+
+from .advisor_details import AdvisorDetails
+from .advisor_summary import AdvisorSummary
+from .defect import Defect
+
+
+class AdvisorResult(BaseModel):
+    """
+    The result of a specific advisor execution for a single package.
+
+    Different advisor implementations may produce findings of different types. To reflect this, this class has multiple
+    fields for findings of these types. It is up to a concrete advisor, which of these fields it populates.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    advisor: AdvisorDetails = Field(
+        description="Details about the used advisor.",
+    )
+
+    summary: AdvisorSummary = Field(
+        description="A summary of the advisor results.",
+    )
+
+    defects: list[Defect] = Field(
+        default_factory=list,
+        description="The defects.",
+    )
+
+    vulnerabilities: list[Vulnerability] = Field(
+        default_factory=list,
+        description="The vulnerabilities.",
+    )

python_ort-0.6.0/src/ort/models/advisor_run.py

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models import AdvisorResult
+from ort.models.config.advisor_configuration import AdvisorConfiguration
+from ort.utils.environment import Environment
+
+from .identifier import Identifier
+
+
+class AdvisorRun(BaseModel):
+    """
+    Type alias for a function that allows filtering of [AdvisorResult]s.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    start_time: datetime = Field(
+        description="The time the advisor was started.",
+    )
+    end_time: datetime = Field(
+        description="The time the advisor has finished.",
+    )
+    environment: Environment = Field(
+        description="The [Environment] in which the advisor was executed.",
+    )
+    config: AdvisorConfiguration = Field(
+        description="The [AdvisorConfiguration] used for this run.",
+    )
+    results: dict[Identifier, list[AdvisorResult]] = Field(
+        default_factory=dict,
+        description="The result of this run.",
+    )

python_ort-0.6.0/src/ort/models/advisor_summary.py

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from .issue import Issue
+
+
+class AdvisorSummary(BaseModel):
+    """
+    A short summary of the advisor result.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    start_time: datetime = Field(
+        description="The time the advisor started.",
+    )
+    end_time: datetime = Field(
+        description="The time the advisor finished.",
+    )
+    issues: list[Issue] = Field(
+        default_factory=list,
+        description="The list of issues that occurred during the advisor run."
+        "This property is not serialized if the list is empty to reduce the size of the result file.",
+    )
+
+    @field_validator("start_time", "end_time", mode="before")
+    @classmethod
+    def transform_date(cls, v):
+        if isinstance(v, str):
+            return datetime.fromisoformat(v.replace("Z", "+00:00"))
+        return v

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/analyzer_result.py

@@ -4,11 +4,11 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.dependency_graph import DependencyGraph
-from ort.models.identifier import Identifier
-from ort.models.issue import Issue
-from ort.models.package import Package
-from ort.models.project import Project
+from .dependency_graph import DependencyGraph
+from .identifier import Identifier
+from .issue import Issue
+from .package import Package
+from .project import Project
 
 
 class AnalyzerResult(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/analyzer_run.py

@@ -5,7 +5,7 @@ from datetime import datetime
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.analyzer_result import AnalyzerResult
+from ort.models import AnalyzerResult
 from ort.models.config.analyzer_configuration import AnalyzerConfiguration
 from ort.utils.environment import Environment
 

python_ort-0.6.0/src/ort/models/config/advisor_configuration.py

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from typing import Any
+
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class AdvisorConfiguration(BaseModel):
+    """
+    The configuration model of the advisor. This class is (de-)serialized in the following places:
+    - Deserialized from "config.yml" as part of [OrtConfiguration].
+    - (De-)Serialized as part of [org.ossreviewtoolkit.model.OrtResult].
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    skip_excluded: bool = Field(
+        default=False,
+        description="A flag to control whether excluded scopes and paths should be skipped when giving the advice.",
+    )
+    advisors: dict[str, Any] | None = Field(
+        default=None,
+        description="A map with [configuration][PluginConfig] for advice providers using the"
+        "[plugin id][PluginDescriptor.id] as key.",
+    )

python_ort-0.6.0/src/ort/models/defect.py

@@ -0,0 +1,87 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import AnyUrl, BaseModel, ConfigDict, Field
+
+
+class Defect(BaseModel):
+    """
+    A data model for software defects.
+
+    Instances of this class are created by advisor implementations that retrieve information about
+    known defects in packages.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    id: str = Field(
+        description="The (external) ID of this defect. This is a string used by a concrete issue tracker"
+        "system to reference this defect, such as a bug ID or ticket number.",
+    )
+
+    url: AnyUrl = Field(
+        description="The URL pointing to the source of this defect. This is typically a reference into "
+        "the issue tracker system that contains this defect.",
+    )
+    title: str | None = Field(
+        default=None,
+        description="A title for this defect if available. This is a short summary describing the problem at hand.",
+    )
+    state: str | None = Field(
+        default=None,
+        description="A state of the associated defect if available. The concrete meaning of this string depends"
+        "on the source from where it was obtained, as different issue tracker systems use their specific "
+        "terminology. Possible values could be OPEN, IN PROGRESS, BLOCKED, etc.",
+    )
+    severity: str | None = Field(
+        default=None,
+        description="The severity assigned to the defect if available. The meaning of this string depends"
+        "on the source system.",
+    )
+    description: str | None = Field(
+        default=None,
+        description="An optional description of this defect. It can contain more detailed information about"
+        "the defect and its impact. The field may be undefined if the url of this defect already points to"
+        "a website with all this information.",
+    )
+    creation_time: datetime | None = Field(
+        default=None,
+        description="The creation time of this defect if available.",
+    )
+    modification_time: datetime | None = Field(
+        default=None,
+        description="Contains a time when this defect has been modified the last time in the tracker system"
+        "it has been obtained from. This information can be useful for instance to find out how up-to-date"
+        "this defect report might be.",
+    )
+    closing_time: datetime | None = Field(
+        default=None,
+        description="Contains a time when this defect has been closed if it has been resolved already"
+        "(and this information is available in the source system). For users of the component affected"
+        "by this defect, this information can be of interest to find out whether a fix is available,"
+        "maybe in a newer version.",
+    )
+    fix_release_version: str | None = Field(
+        default=None,
+        description="Contains the version of the release, in which this defect was fixed if available."
+        "This is important information for consumers of the component affected by the defect, so they"
+        "can upgrade to this version.",
+    )
+    fix_release_url: AnyUrl | None = Field(
+        default=None,
+        description="A URL pointing to the release, in which this defect was fixed if available."
+        "Depending on the information provided by a source, this URL could point to a website with detail"
+        "information about the release, to release notes, or something like that. This information is"
+        "important for consumers of the component affected by this defect, so they can upgrade to this release.",
+    )
+    labels: dict[str, str] = Field(
+        default_factory=dict,
+        description="A map with labels assigned to this defect. Labels provide a means frequently used by issue"
+        "tracker systems to classify defects based on defined criteria. The exact meaning of these labels is"
+        "depending on the source system.",
+    )

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/dependency_graph.py

@@ -4,11 +4,11 @@
 
 from pydantic import BaseModel, ConfigDict, Field, field_validator
 
-from ort.models.dependency_graph_edge import DependencyGraphEdge
-from ort.models.dependency_graph_node import DependencyGraphNode
-from ort.models.dependency_reference import DependencyReference
-from ort.models.identifier import Identifier
-from ort.models.root_dependency_index import RootDependencyIndex
+from .dependency_graph_edge import DependencyGraphEdge
+from .dependency_graph_node import DependencyGraphNode
+from .dependency_reference import DependencyReference
+from .identifier import Identifier
+from .root_dependency_index import RootDependencyIndex
 
 
 class DependencyGraph(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/dependency_graph_node.py

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: MIT
 
 
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict, Field, field_validator
 
-from ort.models.issue import Issue
-from ort.models.package_linkage import PackageLinkage
+from .issue import Issue
+from .package_linkage import PackageLinkage
 
 
 class DependencyGraphNode(BaseModel):
@@ -42,3 +42,13 @@ class DependencyGraphNode(BaseModel):
     issues: list[Issue] = Field(
         default_factory=list, description="A list of Issue objects that occurred handling this dependency."
     )
+
+    @field_validator("linkage", mode="before")
+    @classmethod
+    def convert_linkage(cls, v):
+        if isinstance(v, str):
+            try:
+                return PackageLinkage[v]
+            except KeyError:
+                raise ValueError(f"Invalid linkage: {v}")
+        return v

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/dependency_reference.py

@@ -4,8 +4,8 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.issue import Issue
-from ort.models.package_linkage import PackageLinkage
+from .issue import Issue
+from .package_linkage import PackageLinkage
 
 
 class DependencyReference(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/hash.py

@@ -3,7 +3,7 @@
 
 from pydantic import BaseModel, Field
 
-from ort.models.hash_algorithm import HashAlgorithm
+from .hash_algorithm import HashAlgorithm
 
 
 class Hash(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/ort_result.py

@@ -4,8 +4,9 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.analyzer_run import AnalyzerRun
-from ort.models.repository import Repository
+from .advisor_run import AdvisorRun
+from .analyzer_run import AnalyzerRun
+from .repository import Repository
 
 
 class OrtResult(BaseModel):
@@ -30,3 +31,14 @@ class OrtResult(BaseModel):
         description="An [AnalyzerRun] containing details about the analyzer that was run using [repository]"
         "as input. Can be null if the [repository] was not yet analyzed."
     )
+    advisor: AdvisorRun | None = Field(
+        default=None,
+        description="An [AdvisorRun] containing details about the advisor that was run using the result from"
+        "[analyzer] as input. Can be null if no advisor was run.",
+    )
+    labels: dict[str, str] = Field(
+        default_factory=dict,
+        description="User defined labels associated to this result. Labels are not used by ORT itself, "
+        "but can be used in parts of ORT which are customizable by the user, for example in evaluator"
+        "rules or in the notice reporter.",
+    )

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/package.py

@@ -4,12 +4,13 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.identifier import Identifier
-from ort.models.remote_artifact import RemoteArtifact
-from ort.models.source_code_origin import SourceCodeOrigin
-from ort.models.vcsinfo import VcsInfo
 from ort.utils.processed_declared_license import ProcessedDeclaredLicense
 
+from .identifier import Identifier
+from .remote_artifact import RemoteArtifact
+from .source_code_origin import SourceCodeOrigin
+from .vcsinfo import VcsInfo
+
 
 class Package(BaseModel):
     """

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/package_curation_data.py

@@ -3,18 +3,13 @@
 
 from typing import Any
 
-from pydantic import AnyUrl, BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict, Field
 
-from .hash import Hash
+from .remote_artifact import RemoteArtifact
 from .source_code_origin import SourceCodeOrigin
 from .vcsinfo_curation_data import VcsInfoCurationData
 
 
-class CurationArtifact(BaseModel):
-    url: AnyUrl
-    hash: Hash
-
-
 class PackageCurationData(BaseModel):
     """
     Data model for package curation data.
@@ -47,8 +42,8 @@ class PackageCurationData(BaseModel):
     concluded_license: str | None = None
     description: str | None = None
     homepage_url: str | None = None
-    binary_artifact: CurationArtifact | None = None
-    source_artifact: CurationArtifact | None = None
+    binary_artifact: RemoteArtifact | None = None
+    source_artifact: RemoteArtifact | None = None
     vcs: VcsInfoCurationData | None = None
     is_metadata_only: bool | None = None
     is_modified: bool | None = None

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/package_linkage.py

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: MIT
 
 
-from enum import Enum, auto
+from enum import IntEnum
 
 
-class PackageLinkage(Enum):
+class PackageLinkage(IntEnum):
     """
     A class to denote the linkage type between two packages.
 
@@ -27,7 +27,7 @@ class PackageLinkage(Enum):
             e.g. a subproject of a multi-project.
     """
 
-    DYNAMIC = auto()
-    STATIC = auto()
-    PROJECT_DYNAMIC = auto()
-    PROJECT_STATIC = auto()
+    DYNAMIC = 1
+    STATIC = 2
+    PROJECT_DYNAMIC = 3
+    PROJECT_STATIC = 4

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/package_reference.py

@@ -4,8 +4,8 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.issue import Issue
-from ort.models.package_linkage import PackageLinkage
+from .issue import Issue
+from .package_linkage import PackageLinkage
 
 
 class PackageReference(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/project.py

@@ -4,11 +4,12 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.identifier import Identifier
-from ort.models.scope import Scope
-from ort.models.vcsinfo import VcsInfo
 from ort.utils.processed_declared_license import ProcessedDeclaredLicense
 
+from .identifier import Identifier
+from .scope import Scope
+from .vcsinfo import VcsInfo
+
 
 class Project(BaseModel):
     """

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/remote_artifact.py

@@ -4,7 +4,7 @@
 
 from pydantic import BaseModel, Field
 
-from ort.models.hash import Hash
+from .hash import Hash
 
 
 class RemoteArtifact(BaseModel):
@@ -13,8 +13,10 @@ class RemoteArtifact(BaseModel):
     """
 
     url: str = Field(
+        default_factory=str,
         description="The URL of the remote artifact.",
     )
-    hash: Hash = Field(
+    hash: Hash | None = Field(
+        default=None,
         description="The hash of the remote artifact.",
     )

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/repository.py

@@ -4,8 +4,8 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.repository_configuration import OrtRepositoryConfiguration
-from ort.models.vcsinfo import VcsInfo
+from .repository_configuration import RepositoryConfiguration
+from .vcsinfo import VcsInfo
 
 
 class Repository(BaseModel):
@@ -37,6 +37,6 @@ class Repository(BaseModel):
         description="A map of nested repositories, for example Git submodules or Git-Repo"
         "modules. The key is the path to the nested repository relative to the root of the main repository.",
     )
-    config: OrtRepositoryConfiguration = Field(
+    config: RepositoryConfiguration = Field(
         description="The configuration of the repository, parsed from [ORT_REPO_CONFIG_FILENAME]."
     )

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/repository_configuration.py

@@ -260,7 +260,7 @@ class OrtRepositoryConfigurationCurations1(BaseModel):
     packages: Curations
 
 
-class OrtRepositoryConfiguration(BaseModel):
+class RepositoryConfiguration(BaseModel):
     """
     Represents the configuration for an OSS-Review-Toolkit (ORT) repository.
 

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/scope.py

@@ -4,7 +4,7 @@
 
 from pydantic import BaseModel, ConfigDict, Field
 
-from ort.models.package_reference import PackageReference
+from .package_reference import PackageReference
 
 
 class Scope(BaseModel):

{python_ort-0.5.0 → python_ort-0.6.0}/src/ort/models/vcsinfo.py

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
 # SPDX-License-Identifier: MIT
 
-from pydantic import AnyUrl, BaseModel, Field
+from pydantic import BaseModel, Field
 
 from .vcstype import VcsType
 
@@ -22,7 +22,8 @@ class VcsInfo(BaseModel):
         default_factory=VcsType,
         description="The type of the VCS, for example Git, GitRepo, Mercurial, etc.",
     )
-    url: AnyUrl = Field(
+    url: str = Field(
+        default_factory=str,
         description="The URL to the VCS repository.",
     )
 

python_ort-0.6.0/src/ort/models/vulnerabilities/__init__.py

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from .vulnerability import Vulnerability
+
+__all__ = [
+    "Vulnerability",
+]

python_ort-0.6.0/src/ort/models/vulnerabilities/cvss2_rating.py

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from enum import Enum
+
+
+class Cvss2Rating(Enum):
+    """
+    A CVSS version 2 rating, see https://nvd.nist.gov/vuln-metrics/cvss.
+    """
+
+    LOW = 4.0
+    MEDIUM = 7.0
+    HIGH = 10.0
+
+    def __init__(self, upper_bound: float):
+        self._upper_bound = upper_bound
+
+    @classmethod
+    def prefixes(cls) -> set[str]:
+        """A set of prefixes that refer to the CVSS version 2 scoring system."""
+        return {"CVSS2", "CVSSV2", "CVSS_V2", "CVSS:2"}
+
+    @classmethod
+    def from_score(cls, score: float) -> "Cvss2Rating | None":
+        """Get the Cvss2Rating from a score, or None if the score does not map to any Cvss2Rating."""
+        if score < 0.0 or score > cls.HIGH.upper_bound:
+            return None
+        if score < cls.LOW.upper_bound:
+            return cls.LOW
+        if score < cls.MEDIUM.upper_bound:
+            return cls.MEDIUM
+        if score <= cls.HIGH.upper_bound:
+            return cls.HIGH
+        return None
+
+    @property
+    def upper_bound(self) -> float:
+        return self._upper_bound

python_ort-0.6.0/src/ort/models/vulnerabilities/cvss3_rating.py

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from enum import Enum
+
+
+class Cvss3Rating(Enum):
+    """
+    A CVSS version 3 rating as defined by https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale.
+    """
+
+    NONE = 0.0
+    LOW = 4.0
+    MEDIUM = 7.0
+    HIGH = 9.0
+    CRITICAL = 10.0
+
+    def __init__(self, upper_bound: float):
+        self._upper_bound = upper_bound
+
+    @classmethod
+    def prefixes(cls) -> set[str]:
+        """A set of prefixes that refer to the CVSS version 3 scoring system."""
+        return {"CVSS3", "CVSSV3", "CVSS_V3", "CVSS:3"}
+
+    @classmethod
+    def from_score(cls, score: float) -> "Cvss3Rating | None":
+        """Get the Cvss3Rating from a score, or None if the score does not map to any Cvss3Rating."""
+        if score < 0.0 or score > cls.CRITICAL.upper_bound:
+            return None
+        if score < cls.NONE.upper_bound:
+            return cls.NONE
+        if score < cls.LOW.upper_bound:
+            return cls.LOW
+        if score < cls.MEDIUM.upper_bound:
+            return cls.MEDIUM
+        if score < cls.HIGH.upper_bound:
+            return cls.HIGH
+        if score <= cls.CRITICAL.upper_bound:
+            return cls.CRITICAL
+        return None
+
+    @property
+    def upper_bound(self) -> float:
+        return self._upper_bound

python_ort-0.6.0/src/ort/models/vulnerabilities/cvss4_rating.py

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from enum import Enum
+
+
+class Cvss4Rating(Enum):
+    """
+    A CVSS version 4 rating as defined by https://www.first.org/cvss/v4.0/specification-document#Qualitative-Severity-Rating-Scale.
+    """
+
+    NONE = 0.0
+    LOW = 4.0
+    MEDIUM = 7.0
+    HIGH = 9.0
+    CRITICAL = 10.0
+
+    def __init__(self, upper_bound: float):
+        self._upper_bound = upper_bound
+
+    @classmethod
+    def prefixes(cls) -> set[str]:
+        """A set of prefixes that refer to the CVSS version 4 scoring system."""
+        return {"CVSS4", "CVSSV4", "CVSS_V4", "CVSS:4"}
+
+    @classmethod
+    def from_score(cls, score: float) -> "Cvss4Rating | None":
+        """Get the Cvss4Rating from a score, or None if the score does not map to any Cvss4Rating."""
+        if score < 0.0 or score > cls.CRITICAL.upper_bound:
+            return None
+        if score < cls.NONE.upper_bound:
+            return cls.NONE
+        if score < cls.LOW.upper_bound:
+            return cls.LOW
+        if score < cls.MEDIUM.upper_bound:
+            return cls.MEDIUM
+        if score < cls.HIGH.upper_bound:
+            return cls.HIGH
+        if score <= cls.CRITICAL.upper_bound:
+            return cls.CRITICAL
+        return None
+
+    @property
+    def upper_bound(self) -> float:
+        return self._upper_bound

python_ort-0.6.0/src/ort/models/vulnerabilities/vulnerability.py

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from .vulnerability_reference import VulnerabilityReference
+
+
+class Vulnerability(BaseModel):
+    """
+    Base model for all vulnerability providers supported by the advisor.
+
+    This class stores the information about a single vulnerability, which may have been retrieved from multiple
+    vulnerability providers. For each source of information a [VulnerabilityReference] is contained.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    id: str = Field(
+        ...,
+        description="The ID of a vulnerability. Most likely a CVE identifier.",
+    )
+
+    summary: str | None = Field(
+        None,
+        description="A short summary of this Vulnerability.",
+    )
+
+    description: str | None = Field(
+        None,
+        description="A full description of this Vulnerability.",
+    )
+
+    references: list["VulnerabilityReference"] = Field(
+        ...,
+        description="A list with detailed information for this vulnerability obtained from different sources.",
+    )

python_ort-0.6.0/src/ort/models/vulnerabilities/vulnerability_reference.py

@@ -0,0 +1,78 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from __future__ import annotations
+
+from enum import Enum
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from .cvss2_rating import Cvss2Rating
+from .cvss3_rating import Cvss3Rating
+from .cvss4_rating import Cvss4Rating
+
+
+class VulnerabilityReference(BaseModel):
+    """
+    A data class representing detailed information about a vulnerability obtained from a specific source.
+
+    A single vulnerability can be listed by multiple sources using different scoring systems to denote its severity.
+    So when ORT queries different providers for vulnerability information it may well find multiple records for a single
+    vulnerability, which could even contain contradicting information. To model this, a [Vulnerability] is associated
+    with a list of references; each reference points to the source of the information and has some detailed information
+    provided by this source.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    url: str = Field(
+        ...,
+        description="The URI pointing to details of the belonging vulnerability.",
+    )
+
+    scoring_system: str | None = Field(
+        default=None,
+        description="The name of the scoring system (like CVSS, EPSS), if any, as reported by the advice provider.",
+    )
+
+    severity: str | None = Field(
+        default=None,
+        description="The severity, if any, this reference assigns to the belonging vulnerability. This "
+        'string is supposed to be a qualitative rating like "LOW" or "HIGH".',
+    )
+
+    score: float | None = Field(
+        default=None,
+        description="The (base) score, if any, this reference assigns to the belonging vulnerability. "
+        "The meaning of this number depends on the scoring system.",
+    )
+
+    vector: str | None = Field(
+        default=None,
+        description="For CVSS, this is the full vector this reference assigns to the belonging "
+        "vulnerability, if any. While the vector usually contains the scoring system as a "
+        "prefix, that is not the case for CVSS v2. For EPSS, this is the percentile, which "
+        "provides a measure of probability relative to all other scores.",
+    )
+
+    @staticmethod
+    def get_qualitative_rating(scoring_system: str | None, score: float | None) -> Enum | None:
+        """
+        Get the qualitative rating for the given scoring system and score.
+
+        Returns the corresponding CVSS rating enum member, or None if the scoring system is unknown
+        or the score does not map to any rating.
+        """
+        if scoring_system is None or score is None:
+            return None
+
+        upper = scoring_system.upper()
+
+        for rating_cls in (Cvss2Rating, Cvss3Rating, Cvss4Rating):
+            if any(upper.startswith(prefix) for prefix in rating_cls.prefixes()):
+                return rating_cls.from_score(score)
+
+        return None

python_ort-0.5.0/src/ort/models/__init__.py

@@ -1,10 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
-# SPDX-License-Identifier: MIT
-
-from .identifier import Identifier
-from .vcstype import VcsType
-
-__all__ = [
-    "Identifier",
-    "VcsType",
-]