draft

Author: git-hyagi

docs/dev/learn/other/vulnerability-report.md

@@ -17,26 +17,27 @@ The first step in writing a vulnerability report for a Pulp `content unit` is to
 package [`ecosystem`](https://google.github.io/osv.dev/post-v1-query/#parameters) by checking
 [https://ossf.github.io/osv-schema/#defined-ecosystems](https://ossf.github.io/osv-schema/#defined-ecosystems).
 
-The next step is to create a function at the top level of the module, so it can be loaded in pulpcore,
-that will be run as a Pulp task. This function should add a dictionary (the `osv_data` created through
-`build_osv_data` function in the following sample) to the `pulpcore.app.tasks.vulnerability_report.content_queue` queue.
+The next step is to create an async function at the top level of the module (so it can be
+loaded in pulpcore) that will be run as a Pulp task. This async function should return a generator
+object with a dictionary containing the `osv_data` (created through `build_osv_data` function in the following sample),
+and also the `Content` and `RepositoryVersion` objects.
 
 Here is an example of a function with the above steps:
 
 ```python
-from pulpcore.plugin.tasking import content_queue
-
-def get_content_from_repo_version(repo_version_pk: str):
-    """
-    Populate content_queue Queue with the content_units found in RepositoryVersion
-    """
-    repo_version = RepositoryVersion.objects.get(pk=repo_version_pk)
-    ecosystem = "PyPI"
-    for content_unit in repo_version.content:
-        content = content_unit.cast()
-        osv_data = build_osv_data(content.name, ecosystem, content.version)
-        content_queue.put(osv_data)
-    content_queue.put(None)  # signal that there are no more content_units
+async def get_content_from_repo_version(repo_version_pk: str):
+    repo_version = await sync_to_async(RepositoryVersion.objects.get)(pk=repo_version_pk)
+    content_units = await sync_to_async(list)(repo_version.content.all())
+    
+    for content_unit in content_units:
+        content = await sync_to_async(content_unit.cast)()
+        content_name = await sync_to_async(lambda: content.name)()
+        content_version = await sync_to_async(lambda: content.version)()
+        ecosystem = "PyPI"
+        repo_content_osv_data = build_osv_data(content_name, ecosystem, content_version)
+        repo_content_osv_data["repo_version"] = repo_version
+        repo_content_osv_data["content"] = content
+        yield repo_content_osv_data
 
 def build_osv_data(name, ecosystem, version=None):
     osv_data = {"package": {"name": name, "ecosystem": ecosystem}}
@@ -46,9 +47,7 @@ def build_osv_data(name, ecosystem, version=None):
 ```
 
 
-Now that we have the function to populate the `content_queue` queue, we need to create a `ViewSet`
-to dispatch a task with it:
-
+Now that we have the async generator function, we need to create a `ViewSet` to dispatch a task with it:
 
 !!! note
     In the following sample, we are not defining the permissions to access the endpoint.
@@ -65,7 +64,6 @@ from my_plugin.app.viewsets import get_content_from_repo_version
 
 class MyPluginVulnerabilityReport(VulnerabilityReportViewSet):
 
-    endpoint_name = "vuln_report"
     queryset = VulnerabilityReport.objects.all()
     serializer_class = VulnerabilityReportSerializer
 
@@ -81,14 +79,18 @@ class MyPluginVulnerabilityReport(VulnerabilityReportViewSet):
         repo_version = serializer.validated_data["repo_version"]
 
         # we need to pass the function as string because dispatch() args only accepts JSON serializable content
-        content_queue_func = f"{get_content_from_repo_version.__module__}.{get_content_from_repo_version.__name__}"
+        func = f"{get_content_from_repo_version.__module__}.{get_content_from_repo_version.__name__}"
 
         task = dispatch(
             check_content,
             shared_resources=[repo_version.repository],
-            kwargs={"func": content_queue_func, [repo_version.pk]}
+            args = [func, [repo_version.pk]],
         )
         return OperationPostponedResponse(task, request)
+
+    @classmethod
+    def routable(cls):
+        return True
 ```
 
 Here is a sample for the `MyPluginVulnerabilityReportSerializer` where we serialize the

pulpcore/app/migrations/0134_vulnerabilityreport.py

@@ -1,4 +1,4 @@
-# Generated by Django 4.2.19 on 2025-07-14 19:37
+# Generated by Django 4.2.19 on 2025-08-04 11:08
 
 from django.db import migrations, models
 import django.db.models.deletion
@@ -17,11 +17,14 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name='VulnerabilityReport',
             fields=[
-                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, primary_key=True, serialize=False)),
                 ('pulp_created', models.DateTimeField(auto_now_add=True)),
                 ('pulp_last_updated', models.DateTimeField(auto_now=True, null=True)),
+                ('pulp_type', models.TextField(db_index=True, default=None)),
+                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, unique=True)),
+                ('content', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, primary_key=True, serialize=False, to='core.content')),
                 ('vulns', models.JSONField()),
                 ('pulp_domain', models.ForeignKey(default=pulpcore.app.util.get_domain_pk, on_delete=django.db.models.deletion.CASCADE, to='core.domain')),
+                ('repo_versions', models.ManyToManyField(blank=True, to='core.repositoryversion')),
             ],
             options={
                 'default_related_name': '%(app_label)s_%(model_name)s',

pulpcore/app/models/vulnerability_report.py

@@ -1,16 +1,24 @@
 from django.db import models
 
-from pulpcore.app.models.base import BaseModel
+from pulpcore.app.models.base import MasterModel, pulp_uuid
 from pulpcore.app.util import get_domain_pk
 
 
-class VulnerabilityReport(BaseModel):
+class VulnerabilityReport(MasterModel):
     """
     Model used in vulnerability report.
     """
 
+    TYPE = "vuln_report"
+    pulp_id = models.UUIDField(default=pulp_uuid, editable=False, unique=True)
+    content = models.OneToOneField(
+        "core.Content",
+        on_delete=models.CASCADE,
+        primary_key=True,
+    )
     vulns = models.JSONField()
     pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.CASCADE)
+    repo_versions = models.ManyToManyField("core.RepositoryVersion", blank=True)
 
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"

pulpcore/app/serializers/content.py

@@ -27,6 +27,10 @@ class NoArtifactContentSerializer(base.ModelSerializer):
         view_name_pattern=r"repositories(-.*/.*)-detail",
         queryset=models.Repository.objects.all(),
     )
+    core_vulnerabilityreport = DetailRelatedField(
+        read_only=True,
+        view_name="vuln_report-detail",
+    )
 
     def get_artifacts(self, validated_data):
         """
@@ -116,6 +120,7 @@ class Meta:
         fields = base.ModelSerializer.Meta.fields + (
             "repository",
             "pulp_labels",
+            "core_vulnerabilityreport",
         )
 
 

pulpcore/app/serializers/repository.py

@@ -491,6 +491,12 @@ class RepositoryVersionSerializer(ModelSerializer, NestedHyperlinkedModelSeriali
         read_only=True,
     )
 
+    core_vulnerabilityreport = DetailRelatedField(
+        many=True,
+        read_only=True,
+        view_name="vuln_report-detail",
+    )
+
     class Meta:
         model = models.RepositoryVersion
         fields = ModelSerializer.Meta.fields + (
@@ -499,6 +505,7 @@ class Meta:
             "repository",
             "base_version",
             "content_summary",
+            "core_vulnerabilityreport",
         )
 
 

pulpcore/app/serializers/vulnerability_report.py

@@ -1,7 +1,12 @@
 from rest_framework import serializers
 
 from pulpcore.app.models import VulnerabilityReport
-from pulpcore.app.serializers import IdentityField, ModelSerializer
+from pulpcore.app.serializers import (
+    DetailRelatedField,
+    IdentityField,
+    ModelSerializer,
+    RepositoryVersionRelatedField,
+)
 
 
 class VulnerabilityReportSerializer(ModelSerializer):
@@ -11,7 +16,12 @@ class VulnerabilityReportSerializer(ModelSerializer):
 
     vulns = serializers.JSONField()
     pulp_href = IdentityField(view_name="vuln_report-detail")
+    content = DetailRelatedField(
+        read_only=True,
+        view_name_pattern=r"content(-.*/.*)-detail",
+    )
+    repo_versions = RepositoryVersionRelatedField(many=True, required=False)
 
     class Meta:
         model = VulnerabilityReport
-        fields = ModelSerializer.Meta.fields + ("vulns",)
+        fields = ModelSerializer.Meta.fields + ("vulns", "repo_versions", "content")

pulpcore/app/settings.py

@@ -425,6 +425,9 @@
 # opentelemetry settings
 OTEL_ENABLED = False
 
+# VulnerabilityReport settings
+VULN_REPORT_TASK_LIMITER = 10
+
 # Replaces asyncio event loop with uvloop
 UVLOOP_ENABLED = False
 

pulpcore/app/tasks/__init__.py

@@ -26,4 +26,4 @@
 
 from .analytics import post_analytics
 
-from .vulnerability_report import check_content, content_queue
+from .vulnerability_report import check_content