Merge branch 'main' into fix/insert-advisory-v2-multipleobjectsreturned

Signed-off-by: Aditya kumar singh <143548997+Adityakk9031@users.noreply.github.com>

Author: Adityakk9031

.github/workflows/docs.yml

@@ -9,7 +9,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: [3.9]
+        python-version: [3.12]
 
     steps:
       - name: Checkout code

.github/workflows/main.yml

@@ -29,7 +29,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        python-version: ["3.12", "3.13"]
 
     steps:
       - name: Checkout code
@@ -39,10 +39,10 @@ jobs:
         uses: actions/setup-python@v2
         with:
           python-version: ${{ matrix.python-version }}
+      
 
       - name: Install dependencies
         run: make dev envfile
-
 # Disable codestyle checks until we have cleaned up the code
 #      - name: Validate code format
 #        run: make check

.github/workflows/pypi-release.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v1
         with:
-          python-version: 3.9
+          python-version: 3.12
 
       - name: Install pypa/build
         run: python -m pip install build --user

.readthedocs.yml

@@ -9,7 +9,7 @@ version: 2
 build:
   os: ubuntu-22.04
   tools:
-    python: "3.11"
+    python: "3.12"
 
 # Build PDF & ePub
 formats:

Dockerfile

@@ -6,7 +6,7 @@
 # See https://github.com/nexB/vulnerablecode for support or download.
 # See https://aboutcode.org for more information about nexB OSS projects
 
-FROM python:3.9
+FROM python:3.12
 
 WORKDIR /app
 

Makefile

@@ -49,7 +49,13 @@ endif
 
 virtualenv:
 	@echo "-> Bootstrap the virtualenv with PYTHON_EXE=${PYTHON_EXE}"
-	@${PYTHON_EXE} ${VIRTUALENV_PYZ} --never-download --no-periodic-update ${VENV}
+	@${PYTHON_EXE} -m venv ${VENV}
+	@$(MAKE) upgrade-tools
+
+upgrade-tools:
+	@echo "-> Upgrade pip / setuptools / wheel (Python 3.12 safe)"
+	@${VENV}/bin/python -m pip install --upgrade --force-reinstall \
+		"pip>=24" "setuptools>=69" "wheel>=0.42" packaging
 
 conf: virtualenv
 	@echo "-> Install dependencies"

README.rst

@@ -1,7 +1,37 @@
-===============
+==============
 VulnerableCode
+==============
+
+VulnerableCode is a database of software package vulnerabilities with Web UI and API.
+
+Why Use VulnerableCode?
+=======================
+
+VulnerableCode provides a Web UI and API to access a database of known software package 
+vulnerabilities with comprehensive information from upstream and downstream public 
+sources including packages affected by a vulnerability and packages that fix a 
+vulnerability. 
+
+There is a `public VulnerableCode database <https://public.vulnerablecode.io/>`_ 
+and the project also provides the tools to build your own instance of the database.
+
+Getting Started
 ===============
 
+Instructions to get you up and running on your local machine are at `Getting Started <https://vulnerablecode.readthedocs.io/en/stable/>`_
+
+The VulnerableCode documentation also provides:
+
+- prerequisites for installing the software.
+- an introduction to the user interface.
+- how to use the API.
+- tutorials for adding new pipelines to import and improve advisories.
+- extensive reference information about VulnerableCode data.
+- guidelines for contributing to code development.
+
+Build and tests status
+======================
+
 |Build Status| |Code License| |Data License| |Python 3.8+| |stability-wip| |Gitter chat|
 
 
@@ -18,11 +48,12 @@ VulnerableCode
    :target: https://gitter.im/aboutcode-org/vulnerablecode
 
 
-VulnerableCode is a free and open database of open source software package
-vulnerabilities **because open source software vulnerabilities data and tools
-should be free and open source themselves**:
+Benefits of VulnerableCode
+==========================
 
-we are trying to change this and evolve the status quo in a few other areas!
+VulnerableCode is a free and open database of open source software package
+vulnerabilities **because open source software vulnerability data and tools
+should be free and open source themselves**.
 
 - Vulnerability databases have been **traditionally proprietary** even though they
   are mostly about free and open source software. 
@@ -31,119 +62,35 @@ we are trying to change this and evolve the status quo in a few other areas!
   means a lot of false positive signals that require extensive expert reviews.
 
 - Vulnerability databases are also mostly about vulnerabilities first and software
-  package second, making it difficult to find if and when a vulnerability applies
-  to a piece of code. VulnerableCode focus is on software package first where
-  a Package URL is a key and natural identifier for packages; this is making it
+  packages second, making it difficult to find if and when a vulnerability applies
+  to a piece of code. VulnerableCode's focus is on software packages first where
+  a Package URL (PURL) is a key and natural identifier for packages; this makes it
   easier to find a package and whether it is vulnerable.
 
-Package URL themselves were designed first in ScanCode and VulnerableCode
-and are now a de-facto standard for vulnerability management and package references.
-See https://github.com/package-url/purl-spec
-
-The VulnerableCode project is a FOSS community resource to help improve the
-security of the open source software ecosystem and its users at large.
+PURLs were designed initially for ScanCode and VulnerableCode. PURL is
+now a `standard <https://github.com/package-url/purl-spec>`_ for vulnerability management 
+and package references.
 
-VulnerableCode consists of a database and the tools to collect, refine and keep
-the database current. 
-
-
-.. pull-quote::
-   **Warning**
-
-   VulnerableCode is under active development and is not yet fully
-   usable.
-
-
-Read more about VulnerableCode https://vulnerablecode.readthedocs.org/
-
-VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and
+The VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and
 several libraries.
 
+Support
+=======
 
-Getting started
-===============
-
-Run with Docker
----------------
-
-First install docker, then run
-
-.. code:: bash
-
-    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
-    make envfile
-    docker compose build
-    docker compose up -d
-    docker compose run vulnerablecode ./manage.py import --list
-
-Then run an importer for nginx advisories (which is small)
+If you have a specific problem, suggestion or bug, please submit a
+`GitHub issue <https://github.com/aboutcode-org/vulnerablecode/issues>`_.
 
-.. code:: bash
-
-    docker compose exec vulnerablecode ./manage.py import nginx_importer
-    docker compose exec vulnerablecode ./manage.py improve --all
-
-At this point, the VulnerableCode app and API should be up and running with
-some data at http://localhost
-
-
-Populate VulnerableCode database
---------------------------------
-
-VulnerableCode data collection works in two steps: importing data from multiple
-sources and then refining and improving how package and software vulnerabilities
-are related.
-
-To run all importers and improvers use this
-
-.. code:: bash
-
-   ./manage.py import --all
-
-.. code:: bash
-
-   ./manage.py improve --all
-
-
-Local development installation
-------------------------------
-
-On a Debian system, use this
-
-.. code:: bash
-
-    sudo apt-get install  python3-venv python3-dev postgresql libpq-dev build-essential
-    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
-    make dev envfile postgres
-    make test
-    source venv/bin/activate
-    ./manage.py import nginx_importer
-    ./manage.py improve --all
-    make run
-
-At this point, the VulnerableCode app and API is up at http://127.0.0.1:8001/
+For quick questions or socializing, join the AboutCode community discussions on `Slack <https://join.slack.com/t/aboutcode-org/shared_invite/zt-3li3bfs78-mmtKG0Qhv~G2dSlNCZW2pA>`_.
 
+Interested in commercial suppport? Contact the `AboutCode team <mailto:hello@aboutcode.org>`_.
 
 License
-========
-
-Copyright (c) nexB Inc. and others. All rights reserved.
-
-VulnerableCode is a trademark of nexB Inc.
-
-SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0
-
-VulnerableCode software is licensed under the Apache License version 2.0.
-
-VulnerableCode data is licensed collectively under CC-BY-SA-4.0.
-
-See https://www.apache.org/licenses/LICENSE-2.0 for the license text.
-
-See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.
-
-See https://github.com/nexB/vulnerablecode for support or download. 
+=======
 
-See https://aboutcode.org for more information about nexB OSS projects.
+* `Apache-2.0 <apache-2.0.LICENSE>`_ is the overall license.
+* `CC-BY-SA-4.0 <cc-by-sa-4.0.LICENSE>`_ applies to reference datasets.
+* There are multiple secondary permissive or copyleft licenses (LGPL, MIT,
+  BSD, GPL 2/3, etc.) for third-party components and test suite code and data.
 
 
 Acknowledgements, Funding, Support and Sponsoring

docker-compose.yml

@@ -2,7 +2,7 @@ version: "3"
 
 services:
   db:
-    image: postgres:13
+    image: postgres:15
     command: -c config_file=/etc/postgresql/postgresql.conf
     env_file:
       - docker.env

docs/source/contributing.rst

@@ -17,7 +17,7 @@ resources to help you get started.
 Do Your Homework
 ----------------
 
-Before adding a contribution or create a new issue, take a look at the project’s
+Before adding a contribution or create a new issue, take a look at the project's
 `README <https://github.com/aboutcode-org/vulnerablecode>`_, read through our
 `documentation <https://vulnerablecode.readthedocs.io/en/latest/>`_,
 and browse existing `issues <https://github.com/aboutcode-org/vulnerablecode/issues>`_,
@@ -73,7 +73,7 @@ overlooked. We value any suggestions to improve
 
 .. tip::
     Our documentation is treated like code. Make sure to check our
-    `writing guidelines <https://scancode-toolkit.readthedocs.io/en/latest/contribute/contrib_doc.html>`_
+    `writing guidelines <https://scancode-toolkit.readthedocs.io/en/stable/getting-started/contribute/contributing-docs.html>`_
     to help guide new users.
 
 Other Ways
@@ -87,7 +87,7 @@ questions, and interact with us and other community members on
 Helpful Resources
 -----------------
 
-- Review our `comprehensive guide <https://scancode-toolkit.readthedocs.io/en/latest/contribute/index.html>`_
+- Review our `comprehensive guide <https://scancode-toolkit.readthedocs.io/en/stable/getting-started/contribute/index.html>`_
   for more details on how to add quality contributions to our codebase and documentation
 - Check this free resource on `How to contribute to an open source project on github <https://egghead.io/lessons/javascript-identifying-how-to-contribute-to-an-open-source-project-on-github>`_
 - Follow `this wiki page <https://aboutcode.readthedocs.io/en/latest/contributing/writing_good_commit_messages.html>`_

docs/source/installation.rst

@@ -84,6 +84,10 @@ to run on a different port than 8000.
    are several steps that may be needed to secure such a deployment.
    Currently, this is not recommendend.
 
+.. tip::
+
+    Set ``STAGING`` to ``False`` in production to disable the staging environment warning.
+
 Execute a Command
 ^^^^^^^^^^^^^^^^^