Update weighted_risk_score on updating the relationship

component_catalog/forms.py

@@ -707,7 +707,7 @@ class AddToProductAdminForm(forms.Form):
     ids = forms.CharField(widget=forms.widgets.HiddenInput)
     replace_existing_version = forms.BooleanField(
         required=False,
-        initial=False,
+        initial=True,
         label="Replace existing relationships by newer version.",
         help_text=(
             "Select this option to replace any existing relationships with a different version "

product_portfolio/models.py

@@ -512,6 +512,9 @@ def assign_object(self, obj, user, replace_version=False):
                 existing_relation = other_assigned_versions[0]
                 other_version_object = getattr(existing_relation, object_model_name)
                 existing_relation.update(**{object_model_name: obj, "last_modified_by": user})
+                # Update the weighted_risk_score from the new related_object
+                existing_relation.refresh_from_db()
+                existing_relation.update_weighted_risk_score()
                 message = f'Updated {object_model_name} "{other_version_object}" to "{obj}"'
                 History.log_change(user, self, message)
                 return "updated", existing_relation
@@ -864,9 +867,9 @@ def compute_weighted_risk_score(self):
         weighted_risk_score = float(risk_score) * float(exposure_factor)
         return weighted_risk_score
 
-    def set_weighted_risk_score(self):
+    def set_weighted_risk_score(self, save=False):
         """
-        Update the `weighted_risk_score` for the current instance.
+        Set the `weighted_risk_score` for the current instance.
 
         The method computes the weighted risk score using `compute_weighted_risk_score()`
         and assigns the computed value to the `weighted_risk_score` field if it differs
@@ -878,6 +881,13 @@ def set_weighted_risk_score(self):
         if weighted_risk_score != self.weighted_risk_score:
             self.weighted_risk_score = weighted_risk_score
 
+    def update_weighted_risk_score(self):
+        """Update the `weighted_risk_score` for the current instance."""
+        weighted_risk_score = self.compute_weighted_risk_score()
+        if weighted_risk_score != self.weighted_risk_score:
+            self.weighted_risk_score = weighted_risk_score
+            self.raw_update(weighted_risk_score=weighted_risk_score)
+
     def as_spdx(self):
         """
         Set the `license_concluded` using the license choice of the relationship,

product_portfolio/tests/test_models.py

@@ -410,6 +410,21 @@ def test_product_model_assign_object_replace_version_package(self):
         expected_message = 'Updated package "pkg:deb/debian/curl@1.0" to "pkg:deb/debian/curl@2.0"'
         self.assertEqual(expected_message, history_entries.latest("action_time").change_message)
 
+    def test_product_model_assign_object_replace_version_package_update_vulnerability_scores(self):
+        self.assertEqual(0, self.product1.get_vulnerable_productpackages().count())
+        package1 = make_package(self.dataspace, name="a", version="1.0", is_vulnerable=True)
+        p1_p1 = make_product_package(self.product1, package1)
+        p1_p1.raw_update(weighted_risk_score=5.0)
+        self.assertTrue(self.product1.productpackages.vulnerable().exists())
+
+        package2 = make_package(self.dataspace, name="a", version="2.0")
+        status, p1_p2 = self.product1.assign_object(package2, self.super_user, replace_version=True)
+        self.assertEqual("updated", status)
+
+        p1_p2.refresh_from_db()
+        self.assertIsNone(p1_p2.weighted_risk_score)
+        self.assertFalse(self.product1.productpackages.vulnerable().exists())
+
     def test_product_model_find_assigned_other_versions_component(self):
         component1 = Component.objects.create(name="c", version="1.0", dataspace=self.dataspace)
         component2 = Component.objects.create(name="c", version="2.0", dataspace=self.dataspace)