Include package commit patches in impact exports

keshav-space · keshav-space · commit b9b80740d3ea · 2026-02-23T18:35:15.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/vulnerabilities/pipes/export.py b/vulnerabilities/pipes/export.py
@@ -113,6 +113,16 @@ def serialize_references(reference):
     }
 
 
+def serialize_commit_patches(patches):
+    return [
+        {
+            "vcs_url": p.vcs_url,
+            "commit": p.commit_hash,
+        }
+        for p in patches.all()
+    ]
+
+
 def serialize_advisory(advisory):
     """Return a plain data mapping serialized from advisory object."""
     aliases = sorted([a.alias for a in advisory.aliases.all()])
@@ -124,6 +134,12 @@ def serialize_advisory(advisory):
             "purl": impact.base_purl,
             "affected_versions": impact.affecting_vers,
             "fixed_versions": impact.fixed_vers,
+            "fixed_in_commits": serialize_commit_patches(
+                impact.fixed_by_package_commit_patches,
+            ),
+            "introduced_in_commits": serialize_commit_patches(
+                impact.introduced_by_package_commit_patches,
+            ),
         }
         for impact in advisory.impacted_packages.all()
     ]
diff --git a/vulnerabilities/tests/pipelines/exporters/test_federate_vulnerabilities.py b/vulnerabilities/tests/pipelines/exporters/test_federate_vulnerabilities.py
@@ -21,6 +21,7 @@
 
 from vulnerabilities.importer import AdvisoryDataV2
 from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
 from vulnerabilities.pipelines import insert_advisory_v2
 from vulnerabilities.pipelines.exporters.federate_vulnerabilities import (
     FederatePackageVulnerabilities,
@@ -68,8 +69,13 @@ def setUp(self):
                     package=PackageURL.from_string("pkg:npm/foobar"),
                     affected_version_range=VersionRange.from_string("vers:npm/>=1.2.4"),
                     fixed_version_range=VersionRange.from_string("vers:npm/2.0.0"),
+                    fixed_by_commit_patches=[
+                        PackageCommitPatchData(
+                            vcs_url="https://foobar.vcs/",
+                            commit_hash="982f801f",
+                        )
+                    ],
                     introduced_by_commit_patches=[],
-                    fixed_by_commit_patches=[],
                 ),
             ],
             patches=[],
diff --git a/vulnerabilities/tests/test_data/exporters/federate_vulnerabilities/ADV-001-expected.yml b/vulnerabilities/tests/test_data/exporters/federate_vulnerabilities/ADV-001-expected.yml
@@ -8,6 +8,8 @@ impacted_packages:
   - purl: pkg:npm/foobar
     affected_versions: vers:npm/<=1.2.3
     fixed_versions: vers:npm/1.2.4
+    fixed_in_commits: []
+    introduced_in_commits: []
 severities: []
 weaknesses: []
 references: []
diff --git a/vulnerabilities/tests/test_data/exporters/federate_vulnerabilities/ADV-002-expected.yml b/vulnerabilities/tests/test_data/exporters/federate_vulnerabilities/ADV-002-expected.yml
@@ -8,6 +8,10 @@ impacted_packages:
   - purl: pkg:npm/foobar
     affected_versions: vers:npm/>=1.2.4
     fixed_versions: vers:npm/2.0.0
+    fixed_in_commits:
+      - vcs_url: https://foobar.vcs/
+        commit: 982f801f
+    introduced_in_commits: []
 severities: []
 weaknesses: []
 references: []
