From eb0622181e9fbe8f88659e7b09cb93e49720e98e Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Thu, 22 Aug 2024 09:08:39 +0400
Subject: [PATCH 1/7] Update references to aboutcode-org in docs and workflow
 #158

Signed-off-by: tdruez <tdruez@nexb.com>
---
 .github/workflows/publish-docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index c4859ff0..06e14da0 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -59,5 +59,5 @@ jobs:
           push: true
           tags: |
             ${{ steps.meta.outputs.tags }}
-            ${{ env.REGISTRY }}/nexb/dejacode:latest
+            ${{ env.REGISTRY }}/aboutcode-org/dejacode:latest
           labels: ${{ steps.meta.outputs.labels }}

From 2fdfb5c1897590d9f862f59e54f5e22f18eda60f Mon Sep 17 00:00:00 2001
From: tdruez <489057+tdruez@users.noreply.github.com>
Date: Thu, 22 Aug 2024 15:53:57 +0400
Subject: [PATCH 2/7] Display warning when a "download_url" could not be
 determined from a PURL #163 (#170)

Signed-off-by: tdruez <tdruez@nexb.com>
---
 CHANGELOG.rst              |  4 ++++
 component_catalog/views.py | 18 +++++++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4634d4a2..e9ba1a3f 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -93,6 +93,10 @@ Release notes
   - Pull ScanCode.io Project data
   https://github.com/aboutcode-org/dejacode/issues/94
 
+- Display warning when a "download_url" could not be determined from a PURL in
+  "Add Package".
+  https://github.com/aboutcode-org/dejacode/issues/163
+
 ### Version 5.1.0
 
 - Upgrade Python version to 3.12 and Django to 5.0.x
diff --git a/component_catalog/views.py b/component_catalog/views.py
index 22aff7de..572296ca 100644
--- a/component_catalog/views.py
+++ b/component_catalog/views.py
@@ -1492,13 +1492,13 @@ def package_create_ajax_view(request):
             errors.append(str(error))
 
     redirect_url = reverse("component_catalog:package_list")
-    len_created = len(created)
 
     scancodeio = ScanCodeIO(dataspace)
-    if scancodeio.is_configured() and dataspace.enable_package_scanning:
+    download_urls = [package.download_url for package in created if package.download_url]
+    if download_urls and dataspace.enable_package_scanning and scancodeio.is_configured():
         # The availability of the each `download_url` is checked in the task.
         tasks.scancodeio_submit_scan.delay(
-            uris=[package.download_url for package in created if package.download_url],
+            uris=download_urls,
             user_uuid=user.uuid,
             dataspace_uuid=dataspace.uuid,
         )
@@ -1508,6 +1508,7 @@ def package_create_ajax_view(request):
         for package in created:
             package.fetch_vulnerabilities()
 
+    len_created = len(created)
     if len_created == 1:
         redirect_url = created[0].get_absolute_url()
         messages.success(request, "The Package was successfully created.")
@@ -1516,6 +1517,17 @@ def package_create_ajax_view(request):
         msg = f"The following Packages were successfully created{scan_msg}:\n{packages}"
         messages.success(request, format_html(msg))
 
+    purls_wihtout_download_url = [package for package in created if not package.download_url]
+    if purls_wihtout_download_url:
+        packages = [package.get_absolute_link() for package in purls_wihtout_download_url]
+        msg = (
+            "Unable to determine a download URL for the following packages."
+            " A download URL is required to fetch and scan a package from DejaCode."
+            "\nAlternatively, you can directly provide a download URL instead of a "
+            "package URL to create the packages.\n"
+        )
+        messages.warning(request, format_html(msg + "\n".join(packages)))
+
     if errors:
         messages.error(request, format_html("\n".join(errors)))
     if warnings:

From 21a353dbd6a4c590838dd20675d94251c2a0bfee Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Fri, 23 Aug 2024 12:16:33 +0400
Subject: [PATCH 3/7] Fix a bug related to during copy #168

Signed-off-by: tdruez <tdruez@nexb.com>
---
 dje/forms.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dje/forms.py b/dje/forms.py
index 0694cf09..460bb957 100644
--- a/dje/forms.py
+++ b/dje/forms.py
@@ -435,7 +435,12 @@ def __init__(self, user, *args, **kwargs):
 
         self.model_class = ContentType.objects.get(pk=ct).model_class()
 
-        exclude_choices = self.model_class.get_exclude_choices()
+        # Some implicitly created models, such as some Many2Many, do not inherit the
+        # get_exclude_choices method from the DataspacedModel class.
+        exclude_choices = []
+        if hasattr(self.model_class, "get_exclude_choices"):
+            exclude_choices = self.model_class.get_exclude_choices()
+
         self.fields["exclude_copy"].choices = exclude_choices
         self.fields["exclude_update"].choices = exclude_choices
 

From 636d63bb958cbdc1fca64db8699cdc6dee5e3e2c Mon Sep 17 00:00:00 2001
From: tdruez <tdruez@nexb.com>
Date: Fri, 23 Aug 2024 12:32:46 +0400
Subject: [PATCH 4/7] Display the current active filter in the Inventory tab
 #112

Signed-off-by: tdruez <tdruez@nexb.com>
---
 .../templates/product_portfolio/tabs/tab_inventory.html        | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html b/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
index e08c2213..39974053 100644
--- a/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
+++ b/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
@@ -23,6 +23,9 @@
         </div>
       </li>
     </ul>
+    <div class="mt-1">
+      {% include 'includes/filters_breadcrumbs.html' with filterset=filter_productcomponent fragment=tab_id only %}
+    </div>
   </div>
   <div class="col-auto">
     {% include 'pagination/object_list_pagination.html' %}

From ada0091fa0ee4d0edd809c53fe8774b6c6dddcb5 Mon Sep 17 00:00:00 2001
From: tdruez <489057+tdruez@users.noreply.github.com>
Date: Tue, 27 Aug 2024 20:53:40 +0400
Subject: [PATCH 5/7] Add global Vulnerability list #95 (#171)

Signed-off-by: tdruez <tdruez@nexb.com>
---
 CHANGELOG.rst                                 |  7 ++
 component_catalog/filters.py                  | 90 +++++++++++++++++++
 ...erability_fixed_packages_count_and_more.py | 28 ++++++
 component_catalog/models.py                   | 85 +++++++++++++++++-
 .../includes/vulnerability_aliases.html       | 21 +++++
 .../tables/vulnerability_list_table.html      | 70 +++++++++++++++
 .../tabs/tab_vulnerabilities.html             | 19 +---
 .../component_catalog/vulnerability_list.html | 23 +++++
 component_catalog/tests/__init__.py           | 14 +--
 component_catalog/tests/test_filters.py       | 78 +++++++++++++++-
 component_catalog/tests/test_models.py        | 53 ++++++++---
 component_catalog/tests/test_views.py         | 64 +++++++++++++
 component_catalog/urls.py                     | 11 ++-
 component_catalog/views.py                    | 57 ++++++++++++
 dejacode/static/css/dejacode_bootstrap.css    | 18 ++++
 dje/templates/admin/base_site.html            |  5 ++
 dje/templates/includes/navbar_header.html     |  1 +
 .../includes/navbar_header_tools_menu.html    |  8 ++
 .../templates/modals}/filterset_modal.html    |  6 +-
 dje/tests/__init__.py                         |  6 ++
 product_portfolio/filters.py                  |  4 +
 product_portfolio/tests/__init__.py           | 32 +++++++
 purldb/templates/purldb/purldb_list.html      |  4 +-
 purldb/tests/test_views.py                    |  4 +-
 purldb/views.py                               |  4 +-
 25 files changed, 658 insertions(+), 54 deletions(-)
 create mode 100644 component_catalog/migrations/0007_vulnerability_fixed_packages_count_and_more.py
 create mode 100644 component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
 create mode 100644 component_catalog/templates/component_catalog/tables/vulnerability_list_table.html
 create mode 100644 component_catalog/templates/component_catalog/vulnerability_list.html
 rename {purldb/templates/purldb/includes => dje/templates/modals}/filterset_modal.html (72%)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e9ba1a3f..08df610c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -93,6 +93,13 @@ Release notes
   - Pull ScanCode.io Project data
   https://github.com/aboutcode-org/dejacode/issues/94
 
+- Add a new Vulnerabilities list available from the "Tools" menu when
+  ``enable_vulnerablecodedb_access`` is enabled on a Dataspace.
+  This implementation focuses on ranking/sorting: Vulnerabilities can be sorted and
+  filtered by severity score.
+  It's also possible to sort by the count of affected packages to help prioritize.
+  https://github.com/aboutcode-org/dejacode/issues/94
+
 - Display warning when a "download_url" could not be determined from a PURL in
   "Add Package".
   https://github.com/aboutcode-org/dejacode/issues/163
diff --git a/component_catalog/filters.py b/component_catalog/filters.py
index 5efdefa5..421c3748 100644
--- a/component_catalog/filters.py
+++ b/component_catalog/filters.py
@@ -8,6 +8,7 @@
 
 from django import forms
 from django.contrib.admin.options import IncorrectLookupParameters
+from django.db.models import F
 from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 
@@ -16,12 +17,14 @@
 from component_catalog.models import Component
 from component_catalog.models import ComponentKeyword
 from component_catalog.models import Package
+from component_catalog.models import Vulnerability
 from component_catalog.programming_languages import PROGRAMMING_LANGUAGES
 from dje.filters import DataspacedFilterSet
 from dje.filters import DefaultOrderingFilter
 from dje.filters import HasRelationFilter
 from dje.filters import MatchOrderedSearchFilter
 from dje.filters import RelatedLookupListFilter
+from dje.filters import SearchFilter
 from dje.widgets import BootstrapSelectMultipleWidget
 from dje.widgets import DropDownRightWidget
 from dje.widgets import SortDropDownWidget
@@ -104,6 +107,10 @@ class ComponentFilterSet(DataspacedFilterSet):
         field_name="affected_by_vulnerabilities",
         widget=DropDownRightWidget(link_content='<i class="fas fa-bug"></i>'),
     )
+    affected_by = django_filters.CharFilter(
+        field_name="affected_by_vulnerabilities__vulnerability_id",
+        label=_("Affected by"),
+    )
 
     class Meta:
         model = Component
@@ -242,6 +249,10 @@ class PackageFilterSet(DataspacedFilterSet):
         field_name="affected_by_vulnerabilities",
         widget=DropDownRightWidget(link_content='<i class="fas fa-bug"></i>'),
     )
+    affected_by = django_filters.CharFilter(
+        field_name="affected_by_vulnerabilities__vulnerability_id",
+        label=_("Affected by"),
+    )
 
     class Meta:
         model = Package
@@ -272,3 +283,82 @@ def show_created_date(self):
     @cached_property
     def show_last_modified_date(self):
         return not self.sort_value or self.has_sort_by("last_modified_date")
+
+
+class NullsLastOrderingFilter(django_filters.OrderingFilter):
+    """
+    A custom ordering filter that ensures null values are sorted last.
+
+    When sorting by fields with potential null values, this filter modifies the
+    ordering to use Django's `nulls_last` clause for better handling of null values,
+    whether in ascending or descending order.
+    """
+
+    def filter(self, qs, value):
+        if not value:
+            return qs
+
+        ordering = []
+        for field in value:
+            if field.startswith("-"):
+                field_name = field[1:]
+                ordering.append(F(field_name).desc(nulls_last=True))
+            else:
+                ordering.append(F(field).asc(nulls_last=True))
+
+        return qs.order_by(*ordering)
+
+
+vulnerability_score_ranges = {
+    "low": (0.1, 3),
+    "medium": (4.0, 6.9),
+    "high": (7.0, 8.9),
+    "critical": (9.0, 10.0),
+}
+
+SCORE_CHOICES = [
+    (key, f"{key.capitalize()} ({value[0]} - {value[1]})")
+    for key, value in vulnerability_score_ranges.items()
+]
+
+
+class VulnerabilityFilterSet(DataspacedFilterSet):
+    q = SearchFilter(
+        label=_("Search"),
+        search_fields=["vulnerability_id", "aliases"],
+    )
+    sort = NullsLastOrderingFilter(
+        label=_("Sort"),
+        fields=[
+            "max_score",
+            "min_score",
+            "affected_products_count",
+            "affected_packages_count",
+            "fixed_packages_count",
+            "created_date",
+            "last_modified_date",
+        ],
+        widget=SortDropDownWidget,
+    )
+    max_score = django_filters.ChoiceFilter(
+        choices=SCORE_CHOICES,
+        method="filter_by_score_range",
+        label="Score Range",
+        help_text="Select a score range to filter.",
+    )
+
+    class Meta:
+        model = Vulnerability
+        fields = [
+            "q",
+        ]
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.filters["max_score"].extra["widget"] = DropDownRightWidget()
+
+    def filter_by_score_range(self, queryset, name, value):
+        if value in vulnerability_score_ranges:
+            low, high = vulnerability_score_ranges[value]
+            return queryset.filter(max_score__gte=low, max_score__lte=high)
+        return queryset
diff --git a/component_catalog/migrations/0007_vulnerability_fixed_packages_count_and_more.py b/component_catalog/migrations/0007_vulnerability_fixed_packages_count_and_more.py
new file mode 100644
index 00000000..fdcce3a0
--- /dev/null
+++ b/component_catalog/migrations/0007_vulnerability_fixed_packages_count_and_more.py
@@ -0,0 +1,28 @@
+# Generated by Django 5.0.6 on 2024-08-27 14:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('component_catalog', '0006_vulnerability_model_and_missing_indexes'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='vulnerability',
+            name='fixed_packages_count',
+            field=models.GeneratedField(db_persist=True, expression=models.Func(models.F('fixed_packages'), function='jsonb_array_length'), output_field=models.IntegerField()),
+        ),
+        migrations.AddField(
+            model_name='vulnerability',
+            name='max_score',
+            field=models.FloatField(blank=True, help_text='The maximum score of the range.', null=True),
+        ),
+        migrations.AddField(
+            model_name='vulnerability',
+            name='min_score',
+            field=models.FloatField(blank=True, help_text='The minimum score of the range.', null=True),
+        ),
+    ]
diff --git a/component_catalog/models.py b/component_catalog/models.py
index 30aa218a..a01bb891 100644
--- a/component_catalog/models.py
+++ b/component_catalog/models.py
@@ -19,6 +19,7 @@
 from django.core.validators import EMPTY_VALUES
 from django.db import models
 from django.db.models import CharField
+from django.db.models import Count
 from django.db.models import Exists
 from django.db.models import OuterRef
 from django.db.models.functions import Concat
@@ -134,7 +135,7 @@ class VulnerabilityQuerySetMixin:
     def with_vulnerability_count(self):
         """Annotate the QuerySet with the vulnerability_count."""
         return self.annotate(
-            vulnerability_count=models.Count("affected_by_vulnerabilities", distinct=True)
+            vulnerability_count=Count("affected_by_vulnerabilities", distinct=True)
         )
 
     def vulnerable(self):
@@ -1748,7 +1749,7 @@ def declared_dependencies_count(self, product):
         dependencies are always scoped to a Product.
         """
         return self.annotate(
-            declared_dependencies_count=models.Count(
+            declared_dependencies_count=Count(
                 "declared_dependencies",
                 filter=models.Q(declared_dependencies__product=product),
             )
@@ -2562,6 +2563,22 @@ def __str__(self):
         return f"<{self.component}>: {self.package}"
 
 
+class VulnerabilityQuerySet(DataspacedQuerySet):
+    def with_affected_products_count(self):
+        """Annotate the QuerySet with the affected_products_count."""
+        return self.annotate(
+            affected_products_count=Count(
+                "affected_packages__productpackages__product", distinct=True
+            ),
+        )
+
+    def with_affected_packages_count(self):
+        """Annotate the QuerySet with the affected_packages_count."""
+        return self.annotate(
+            affected_packages_count=Count("affected_packages", distinct=True),
+        )
+
+
 class Vulnerability(HistoryDateFieldsMixin, DataspacedModel):
     """
     A software vulnerability with a unique identifier and alternate aliases.
@@ -2574,6 +2591,7 @@ class Vulnerability(HistoryDateFieldsMixin, DataspacedModel):
     automatically on object addition or during schedule tasks.
     """
 
+    # The first set of fields are storing data as fetched from VulnerableCode
     vulnerability_id = models.CharField(
         max_length=20,
         help_text=_(
@@ -2603,6 +2621,23 @@ class Vulnerability(HistoryDateFieldsMixin, DataspacedModel):
         blank=True,
         help_text=_("A list of packages that are not affected by this vulnerability."),
     )
+    fixed_packages_count = models.GeneratedField(
+        expression=models.Func(models.F("fixed_packages"), function="jsonb_array_length"),
+        output_field=models.IntegerField(),
+        db_persist=True,
+    )
+    min_score = models.FloatField(
+        null=True,
+        blank=True,
+        help_text=_("The minimum score of the range."),
+    )
+    max_score = models.FloatField(
+        null=True,
+        blank=True,
+        help_text=_("The maximum score of the range."),
+    )
+
+    objects = DataspacedManager.from_queryset(VulnerabilityQuerySet)()
 
     class Meta:
         verbose_name_plural = "Vulnerabilities"
@@ -2640,11 +2675,57 @@ def add_affected_components(self, components):
         """Assign the ``components`` as affected to this vulnerability."""
         self.affected_components.add(*components)
 
+    @staticmethod
+    def range_to_values(self, range_str):
+        try:
+            min_score, max_score = range_str.split("-")
+            return float(min_score.strip()), float(max_score.strip())
+        except Exception:
+            return
+
     @classmethod
     def create_from_data(cls, dataspace, data, validate=False, affecting=None):
+        # Computing the min_score and max_score from the `references` as those data
+        # are not provided by the VulnerableCode API.
+        # https://github.com/aboutcode-org/vulnerablecode/issues/1573
+        # severity_range_score = data.get("severity_range_score")
+        # if severity_range_score:
+        #     min_score, max_score = self.range_to_values(severity_range_score)
+        #     data["min_score"] = min_score
+        #     data["max_score"] = max_score
+
+        severities = [
+            score for reference in data.get("references") for score in reference.get("scores", [])
+        ]
+        if scores := cls.get_severity_scores(severities):
+            data["min_score"] = min(scores)
+            data["max_score"] = max(scores)
+
         instance = super().create_from_data(user=dataspace, data=data, validate=False)
 
         if affecting:
             instance.add_affected(affecting)
 
         return instance
+
+    @staticmethod
+    def get_severity_scores(severities):
+        score_map = {
+            "low": [0.1, 3],
+            "moderate": [4.0, 6.9],
+            "medium": [4.0, 6.9],
+            "high": [7.0, 8.9],
+            "important": [7.0, 8.9],
+            "critical": [9.0, 10.0],
+        }
+
+        consolidated_scores = []
+        for severity in severities:
+            score = severity.get("value")
+            try:
+                consolidated_scores.append(float(score))
+            except ValueError:
+                if score_range := score_map.get(score.lower(), None):
+                    consolidated_scores.extend(score_range)
+
+        return consolidated_scores
diff --git a/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html b/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
new file mode 100644
index 00000000..e64fae7a
--- /dev/null
+++ b/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
@@ -0,0 +1,21 @@
+<ul class="list-unstyled">
+  {% for alias in aliases %}
+    <li>
+      {% if alias|slice:":3" == "CVE" %}
+        <a href="https://nvd.nist.gov/vuln/detail/{{ alias }}" target="_blank">{{ alias }}
+          <i class="fa-solid fa-up-right-from-square mini"></i>
+        </a>
+      {% elif alias|slice:":4" == "GHSA" %}
+        <a href="https://github.com/advisories/{{ alias }}" target="_blank">{{ alias }}
+          <i class="fa-solid fa-up-right-from-square mini"></i>
+        </a>
+      {% elif alias|slice:":3" == "NPM" %}
+        <a href="https://github.com/nodejs/security-wg/blob/main/vuln/npm/{{ alias|slice:"4:" }}.json" target="_blank">{{ alias }}
+          <i class="fa-solid fa-up-right-from-square mini"></i>
+        </a>
+      {% else %}
+        {{ alias }}
+      {% endif %}
+    </li>
+  {% endfor %}
+</ul>
\ No newline at end of file
diff --git a/component_catalog/templates/component_catalog/tables/vulnerability_list_table.html b/component_catalog/templates/component_catalog/tables/vulnerability_list_table.html
new file mode 100644
index 00000000..c6da9176
--- /dev/null
+++ b/component_catalog/templates/component_catalog/tables/vulnerability_list_table.html
@@ -0,0 +1,70 @@
+{% load i18n %}
+{% load inject_preserved_filters from dje_tags %}
+{% load urlize_target_blank from dje_tags %}
+{% load naturaltime_short from dje_tags %}
+
+<table id="object-list-table" class="table table-bordered table-striped table-md text-break vulnerabilities-table">
+  {% include 'includes/object_list_table_header.html' %}
+  <tbody>
+  {% for vulnerability in object_list %}
+    <tr>
+      <td>
+        <strong>
+          <a href="{{ vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+            {{ vulnerability.vulnerability_id }}
+            <i class="fa-solid fa-up-right-from-square mini"></i>
+          </a>
+        </strong>
+      </td>
+      <td>
+        {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
+      </td>
+      <td>
+        {% if vulnerability.min_score %}
+          {{ vulnerability.min_score }} -
+        {% endif %}
+        {% if vulnerability.max_score %}
+          <strong>
+            {{ vulnerability.max_score }}
+          </strong>
+        {% endif %}
+      </td>
+      <td>
+        {% if vulnerability.summary %}
+          {% if vulnerability.summary|length > 120 %}
+            <details>
+              <summary>{{ vulnerability.summary|slice:":120" }}...</summary>
+              {{ vulnerability.summary|slice:"120:" }}
+            </details>
+          {% else %}
+            {{ vulnerability.summary }}
+          {% endif %}
+        {% endif %}
+      </td>
+      <td>
+        {% if vulnerability.affected_products_count %}
+          <a href="{% url 'product_portfolio:product_list' %}?affected_by={{ vulnerability.vulnerability_id }}">
+            {{ vulnerability.affected_products_count }}
+          </a>
+        {% else %}
+          0
+        {% endif %}
+      </td>
+      <td>
+        {% if vulnerability.affected_packages_count %}
+          <a href="{% url 'component_catalog:package_list' %}?affected_by={{ vulnerability.vulnerability_id }}">
+            {{ vulnerability.affected_packages_count }}
+          </a>
+        {% else %}
+          0
+        {% endif %}
+      </td>
+      <td>
+        {{ vulnerability.fixed_packages_count }}
+      </td>
+    </tr>
+  {% empty %}
+    <tr><td colspan="10">No results.</td></tr>
+  {% endfor %}
+  </tbody>
+</table>
\ No newline at end of file
diff --git a/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html b/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
index 9f29dea3..dbca137d 100644
--- a/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
+++ b/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
@@ -37,24 +37,7 @@
           {{ vulnerability.summary }}
         </td>
         <td>
-          {% for alias in vulnerability.aliases %}
-            {% if alias|slice:":3" == "CVE" %}
-              <a href="https://nvd.nist.gov/vuln/detail/{{ alias }}" target="_blank">{{ alias }}
-                <i class="fa-solid fa-up-right-from-square mini"></i>
-              </a>
-            {% elif alias|slice:":4" == "GHSA" %}
-              <a href="https://github.com/advisories/{{ alias }}" target="_blank">{{ alias }}
-                <i class="fa-solid fa-up-right-from-square mini"></i>
-              </a>
-            {% elif alias|slice:":3" == "NPM" %}
-              <a href="https://github.com/nodejs/security-wg/blob/main/vuln/npm/{{ alias|slice:"4:" }}.json" target="_blank">{{ alias }}
-                <i class="fa-solid fa-up-right-from-square mini"></i>
-              </a>
-            {% else %}
-              {{ alias }}
-            {% endif %}
-            <br>
-          {% endfor %}
+           {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
         </td>
         <td>
           {% if vulnerability.fixed_packages_html %}
diff --git a/component_catalog/templates/component_catalog/vulnerability_list.html b/component_catalog/templates/component_catalog/vulnerability_list.html
new file mode 100644
index 00000000..ec99b8a0
--- /dev/null
+++ b/component_catalog/templates/component_catalog/vulnerability_list.html
@@ -0,0 +1,23 @@
+{% extends 'object_list_base.html' %}
+{% load i18n %}
+
+{% block page_title %}{% trans "Vulnerabilities" %}{% endblock %}
+
+{% block nav-list-head %}
+  {{ block.super }}
+  <li class="nav-item mt-1 ms-3">
+    <form class="form-search">
+      <div class="input-group input-group-sm">
+        <input type="text" class="form-control" name="q" value="{{ search_query|default_if_none:'' }}" aria-label="Search">
+        <button class="btn btn-outline-dark" type="submit">Search</button>
+      </div>
+    </form>
+  </li>
+{% endblock %}
+
+{% block top-right-buttons %}
+  {{ block.super }}
+  <div class="btn-group">
+    {{ filter.form.sort }}
+  </div>
+{% endblock %}
\ No newline at end of file
diff --git a/component_catalog/tests/__init__.py b/component_catalog/tests/__init__.py
index 8b27d87e..f94e5fc5 100644
--- a/component_catalog/tests/__init__.py
+++ b/component_catalog/tests/__init__.py
@@ -6,22 +6,16 @@
 # See https://aboutcode.org for more information about AboutCode FOSS projects.
 #
 
-import random
-import string
-
 from component_catalog.models import Component
 from component_catalog.models import Package
 from component_catalog.models import Vulnerability
-
-
-def make_string(length):
-    return "".join(random.choices(string.ascii_letters, k=length))
+from dje.tests import make_string
 
 
 def make_package(dataspace, package_url=None, is_vulnerable=False, **data):
     """Create a package for test purposes."""
     if not package_url and "filename" not in data:
-        data["filename"] = make_string(10)
+        data["filename"] = f"package-{make_string(10)}"
 
     package = Package(dataspace=dataspace, **data)
     if package_url:
@@ -37,7 +31,7 @@ def make_package(dataspace, package_url=None, is_vulnerable=False, **data):
 def make_component(dataspace, is_vulnerable=False, **data):
     """Create a component for test purposes."""
     if "name" not in data:
-        data["name"] = make_string(10)
+        data["name"] = f"component-{make_string(10)}"
 
     component = Component.objects.create(
         dataspace=dataspace,
@@ -53,7 +47,7 @@ def make_component(dataspace, is_vulnerable=False, **data):
 def make_vulnerability(dataspace, affecting=None, **data):
     """Create a vulnerability for test purposes."""
     if "vulnerability_id" not in data:
-        data["vulnerability_id"] = f"VCID-0000-{random.randint(1, 9999):04}"
+        data["vulnerability_id"] = f"VCID-0000-{make_string(4)}"
 
     vulnerability = Vulnerability.objects.create(
         dataspace=dataspace,
diff --git a/component_catalog/tests/test_filters.py b/component_catalog/tests/test_filters.py
index 1899b7b4..61ee9b76 100644
--- a/component_catalog/tests/test_filters.py
+++ b/component_catalog/tests/test_filters.py
@@ -14,11 +14,13 @@
 
 from component_catalog.filters import ComponentFilterSet
 from component_catalog.filters import PackageFilterSet
+from component_catalog.filters import VulnerabilityFilterSet
 from component_catalog.models import Component
 from component_catalog.models import ComponentKeyword
 from component_catalog.models import ComponentType
 from component_catalog.tests import make_component
 from component_catalog.tests import make_package
+from component_catalog.tests import make_vulnerability
 from dje.models import Dataspace
 from dje.tests import create_superuser
 from dje.tests import create_user
@@ -283,7 +285,7 @@ def test_component_filterset_sort_keeps_default_ordering_from_model(self):
         )
 
 
-class PackageFilterSearchTestCase(TestCase):
+class PackageFilterSetTestCase(TestCase):
     def sorted_results(self, qs):
         return sorted([str(package) for package in qs])
 
@@ -380,9 +382,7 @@ def test_package_filterset_search_match_order_on_purl_fields(self):
         self.assertEqual(sorted(expected), self.sorted_results(filterset.qs))
 
     def test_package_filterset_is_vulnerable_filter(self):
-        package1 = make_package(
-            self.dataspace, package_url="pkg:pypi/django@5.0", is_vulnerable=True
-        )
+        package1 = make_package(self.dataspace, is_vulnerable=True)
         self.assertTrue(package1.is_vulnerable)
 
         filterset = PackageFilterSet(dataspace=self.dataspace)
@@ -395,3 +395,73 @@ def test_package_filterset_is_vulnerable_filter(self):
         data = {"is_vulnerable": "no"}
         filterset = PackageFilterSet(dataspace=self.dataspace, data=data)
         self.assertNotIn(package1, filterset.qs)
+
+    def test_package_filterset_affected_by_filter(self):
+        package1 = make_package(self.dataspace)
+        package2 = make_package(self.dataspace)
+        vulnerability1 = make_vulnerability(self.dataspace, affecting=package1)
+        self.assertTrue(package1.is_vulnerable)
+        self.assertFalse(package2.is_vulnerable)
+
+        filterset = PackageFilterSet(dataspace=self.dataspace)
+        self.assertIn(package1, filterset.qs)
+        self.assertIn(package2, filterset.qs)
+
+        data = {"affected_by": vulnerability1.vulnerability_id}
+        filterset = PackageFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [package1])
+
+
+class VulnerabilityFilterSetTestCase(TestCase):
+    def setUp(self):
+        self.dataspace = Dataspace.objects.create(name="Reference")
+        self.vulnerability1 = make_vulnerability(self.dataspace, max_score=10.0)
+        self.vulnerability2 = make_vulnerability(
+            self.dataspace, max_score=5.5, aliases=["ALIAS-V2"]
+        )
+        self.vulnerability3 = make_vulnerability(self.dataspace, max_score=2.0)
+        self.vulnerability4 = make_vulnerability(self.dataspace, max_score=None)
+
+    def test_vulnerability_filterset_search(self):
+        data = {"q": self.vulnerability1.vulnerability_id}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [self.vulnerability1])
+
+        data = {"q": "ALIAS-V2"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [self.vulnerability2])
+
+    def test_vulnerability_filterset_sort_nulls_last_ordering(self):
+        data = {"sort": "max_score"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        expected = [
+            self.vulnerability3,
+            self.vulnerability2,
+            self.vulnerability1,
+            self.vulnerability4,  # The max_score=None are always last
+        ]
+        self.assertQuerySetEqual(filterset.qs, expected)
+
+        data = {"sort": "-max_score"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        expected = [
+            self.vulnerability1,
+            self.vulnerability2,
+            self.vulnerability3,
+            self.vulnerability4,  # The max_score=None are always last
+        ]
+        self.assertQuerySetEqual(filterset.qs, expected)
+
+    def test_vulnerability_filterset_max_score(self):
+        data = {"max_score": "critical"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [self.vulnerability1])
+        data = {"max_score": "high"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [])
+        data = {"max_score": "medium"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [self.vulnerability2])
+        data = {"max_score": "low"}
+        filterset = VulnerabilityFilterSet(dataspace=self.dataspace, data=data)
+        self.assertQuerySetEqual(filterset.qs, [self.vulnerability3])
diff --git a/component_catalog/tests/test_models.py b/component_catalog/tests/test_models.py
index 0fedc6cd..1cdb302e 100644
--- a/component_catalog/tests/test_models.py
+++ b/component_catalog/tests/test_models.py
@@ -58,9 +58,7 @@
 from license_library.models import LicenseChoice
 from license_library.models import LicenseTag
 from organization.models import Owner
-from product_portfolio.models import Product
-from product_portfolio.models import ProductComponent
-from product_portfolio.models import ProductPackage
+from product_portfolio.tests import make_product
 
 
 class ComponentCatalogModelsTestCase(TestCase):
@@ -2490,11 +2488,7 @@ def test_package_create_save_set_usage_policy_from_license(self):
         self.assertEqual(package_policy, package5.usage_policy)
 
     def test_component_model_where_used_property(self):
-        product1 = Product.objects.create(name="P1", dataspace=self.dataspace)
-        ProductComponent.objects.create(
-            product=product1, component=self.component1, dataspace=self.dataspace
-        )
-
+        make_product(self.dataspace, inventory=[self.component1])
         basic_user = create_user("basic_user", self.dataspace)
         self.assertEqual("Product 0\n", self.component1.where_used(user=basic_user))
 
@@ -2502,9 +2496,8 @@ def test_component_model_where_used_property(self):
         self.assertEqual("Product 1\n", self.component1.where_used(user=self.user))
 
     def test_package_model_where_used_property(self):
-        product1 = Product.objects.create(name="P1", dataspace=self.dataspace)
         package1 = Package.objects.create(filename="package", dataspace=self.dataspace)
-        ProductPackage.objects.create(product=product1, package=package1, dataspace=self.dataspace)
+        make_product(self.dataspace, inventory=[package1])
 
         basic_user = create_user("basic_user", self.dataspace)
         self.assertEqual("Product 0\nComponent 0\n", package1.where_used(user=basic_user))
@@ -2623,6 +2616,18 @@ def test_vulnerability_model_add_affected(self):
         self.assertQuerySetEqual(vulnerablity2.affected_packages.all(), [package1])
         self.assertQuerySetEqual(vulnerablity2.affected_components.all(), [component1])
 
+    def test_vulnerability_model_fixed_packages_count_generated_field(self):
+        vulnerablity1 = make_vulnerability(dataspace=self.dataspace)
+        self.assertEqual(0, vulnerablity1.fixed_packages_count)
+
+        vulnerablity1.fixed_packages = [
+            {"purl": "pkg:pypi/gitpython@3.1.41", "is_vulnerable": True},
+            {"purl": "pkg:pypi/gitpython@3.2", "is_vulnerable": False},
+        ]
+        vulnerablity1.save()
+        vulnerablity1.refresh_from_db()
+        self.assertEqual(2, vulnerablity1.fixed_packages_count)
+
     def test_vulnerability_model_create_from_data(self):
         package1 = make_package(self.dataspace)
         vulnerability_data = {
@@ -2654,4 +2659,32 @@ def test_vulnerability_model_create_from_data(self):
         self.assertEqual(vulnerability_data["summary"], vulnerability1.summary)
         self.assertEqual(vulnerability_data["aliases"], vulnerability1.aliases)
         self.assertEqual(vulnerability_data["references"], vulnerability1.references)
+        self.assertEqual(7.5, vulnerability1.min_score)
+        self.assertEqual(7.5, vulnerability1.max_score)
         self.assertQuerySetEqual(vulnerability1.affected_packages.all(), [package1])
+
+    def test_vulnerability_model_create_from_data_computed_scores(self):
+        response_file = self.data / "vulnerabilities" / "idna_3.6_response.json"
+        json_data = json.loads(response_file.read_text())
+        affected_by_vulnerabilities = json_data["results"][0]["affected_by_vulnerabilities"]
+        vulnerability1 = Vulnerability.create_from_data(
+            dataspace=self.dataspace,
+            data=affected_by_vulnerabilities[0],
+        )
+        self.assertEqual(2.1, vulnerability1.min_score)
+        self.assertEqual(7.5, vulnerability1.max_score)
+
+    def test_vulnerability_model_queryset_count_methods(self):
+        package1 = make_package(self.dataspace)
+        package2 = make_package(self.dataspace)
+        vulnerablity1 = make_vulnerability(dataspace=self.dataspace)
+        vulnerablity1.add_affected([package1, package2])
+        make_product(self.dataspace, inventory=[package1, package2])
+
+        qs = (
+            Vulnerability.objects.scope(self.dataspace)
+            .with_affected_products_count()
+            .with_affected_packages_count()
+        )
+        self.assertEqual(2, qs[0].affected_packages_count)
+        self.assertEqual(1, qs[0].affected_products_count)
diff --git a/component_catalog/tests/test_views.py b/component_catalog/tests/test_views.py
index f1c040c3..78f8b79d 100644
--- a/component_catalog/tests/test_views.py
+++ b/component_catalog/tests/test_views.py
@@ -39,6 +39,9 @@
 from component_catalog.models import ComponentType
 from component_catalog.models import Package
 from component_catalog.models import Subcomponent
+from component_catalog.models import Vulnerability
+from component_catalog.tests import make_component
+from component_catalog.tests import make_package
 from component_catalog.tests import make_vulnerability
 from component_catalog.views import ComponentAddView
 from component_catalog.views import ComponentListView
@@ -48,6 +51,7 @@
 from dejacode_toolkit.vulnerablecode import get_plain_purls
 from dje.copier import copy_object
 from dje.models import Dataspace
+from dje.models import DataspaceConfiguration
 from dje.models import ExternalReference
 from dje.models import ExternalSource
 from dje.models import History
@@ -4811,3 +4815,63 @@ def test_anonymous_user_cannot_access_reference_data(self):
         self.assertEqual(404, self.client.get(self.d1c2.get_absolute_url()).status_code)
         self.assertEqual(200, self.client.get(self.dmc1.get_absolute_url()).status_code)
         self.assertEqual(200, self.client.get(self.dmc2.get_absolute_url()).status_code)
+
+
+class VulnerabilityViewsTestCase(TestCase):
+    def setUp(self):
+        self.dataspace = Dataspace.objects.create(
+            name="Dataspace",
+            enable_vulnerablecodedb_access=True,
+        )
+        DataspaceConfiguration.objects.create(
+            dataspace=self.dataspace,
+            vulnerablecode_url="vulnerablecode_url/",
+        )
+        self.super_user = create_superuser("super_user", self.dataspace)
+
+        self.component1 = make_component(self.dataspace)
+        self.component2 = make_component(self.dataspace)
+        self.package1 = make_package(self.dataspace)
+        self.package2 = make_package(self.dataspace)
+        self.vulnerability_p1 = make_vulnerability(self.dataspace, affecting=self.component1)
+        self.vulnerability_c1 = make_vulnerability(self.dataspace, affecting=self.package1)
+        self.vulnerability1 = make_vulnerability(self.dataspace)
+
+    def test_vulnerability_list_view_num_queries(self):
+        self.client.login(username=self.super_user.username, password="secret")
+        with self.assertNumQueries(8):
+            response = self.client.get(reverse("component_catalog:vulnerability_list"))
+
+        vulnerability_count = Vulnerability.objects.count()
+        expected = f'<a class="nav-link disabled">{vulnerability_count} results</a>'
+        self.assertContains(response, expected, html=True)
+
+    def test_vulnerability_list_view_enable_vulnerablecodedb_access(self):
+        self.client.login(username=self.super_user.username, password="secret")
+        vulnerability_list_url = reverse("component_catalog:vulnerability_list")
+        response = self.client.get(vulnerability_list_url)
+        self.assertEqual(200, response.status_code)
+        vulnerability_header_link = (
+            f'<a class="dropdown-item active" href="{vulnerability_list_url}">'
+        )
+        self.assertContains(response, vulnerability_header_link)
+
+        self.dataspace.enable_vulnerablecodedb_access = False
+        self.dataspace.save()
+        response = self.client.get(reverse("component_catalog:vulnerability_list"))
+        self.assertEqual(404, response.status_code)
+
+        response = self.client.get(reverse("component_catalog:package_list"))
+        self.assertNotContains(response, vulnerability_header_link)
+
+    def test_vulnerability_list_view_vulnerability_id_link(self):
+        self.client.login(username=self.super_user.username, password="secret")
+        response = self.client.get(reverse("component_catalog:vulnerability_list"))
+        expected = f"""
+        <a href="vulnerablecode_url/vulnerabilities/{self.vulnerability1.vulnerability_id}"
+           target="_blank">
+           {self.vulnerability1.vulnerability_id}
+           <i class="fa-solid fa-up-right-from-square mini"></i>
+        </a>
+        """
+        self.assertContains(response, expected, html=True)
diff --git a/component_catalog/urls.py b/component_catalog/urls.py
index 53ff217a..50e87277 100644
--- a/component_catalog/urls.py
+++ b/component_catalog/urls.py
@@ -21,6 +21,7 @@
 from component_catalog.views import PackageTabScanView
 from component_catalog.views import PackageUpdateView
 from component_catalog.views import ScanListView
+from component_catalog.views import VulnerabilityListView
 from component_catalog.views import component_create_ajax_view
 from component_catalog.views import delete_scan_view
 from component_catalog.views import package_create_ajax_view
@@ -148,6 +149,14 @@
     ),
 ]
 
+vulnerabilities_patterns = [
+    path(
+        "vulnerabilities/",
+        VulnerabilityListView.as_view(),
+        name="vulnerability_list",
+    ),
+]
+
 
 # WARNING: we moved the components/ patterns from the include to the following
 # since we need the packages/ and scans/ to be register on the root "/"
@@ -239,4 +248,4 @@ def component_path(path_segment, view):
 ]
 
 
-urlpatterns = packages_patterns + component_patterns + scans_patterns
+urlpatterns = packages_patterns + component_patterns + scans_patterns + vulnerabilities_patterns
diff --git a/component_catalog/views.py b/component_catalog/views.py
index 572296ca..aa703af2 100644
--- a/component_catalog/views.py
+++ b/component_catalog/views.py
@@ -22,6 +22,7 @@
 from django.core import signing
 from django.core.validators import EMPTY_VALUES
 from django.db.models import Count
+from django.db.models import F
 from django.db.models import Prefetch
 from django.http import FileResponse
 from django.http import Http404
@@ -52,6 +53,7 @@
 
 from component_catalog.filters import ComponentFilterSet
 from component_catalog.filters import PackageFilterSet
+from component_catalog.filters import VulnerabilityFilterSet
 from component_catalog.forms import AddMultipleToComponentForm
 from component_catalog.forms import AddToComponentForm
 from component_catalog.forms import AddToProductAdminForm
@@ -71,6 +73,7 @@
 from component_catalog.models import Package
 from component_catalog.models import PackageAlreadyExistsWarning
 from component_catalog.models import Subcomponent
+from component_catalog.models import Vulnerability
 from dejacode_toolkit.download import DataCollectionException
 from dejacode_toolkit.purldb import PurlDB
 from dejacode_toolkit.scancodeio import ScanCodeIO
@@ -2476,3 +2479,57 @@ def get_tab_fields(self):
             tab_fields.extend(get_purldb_tab_fields(purldb_entry, user.dataspace))
 
         return {"fields": tab_fields}
+
+
+class VulnerabilityListView(
+    LoginRequiredMixin,
+    DataspacedFilterView,
+):
+    model = Vulnerability
+    filterset_class = VulnerabilityFilterSet
+    template_name = "component_catalog/vulnerability_list.html"
+    template_list_table = "component_catalog/tables/vulnerability_list_table.html"
+    table_headers = (
+        Header("vulnerability_id", _("Vulnerability")),
+        Header("aliases", _("Aliases")),
+        # Keep `max_score` to enable column sorting
+        Header("max_score", _("Score"), help_text="Severity score range", filter="max_score"),
+        Header("summary", _("Summary")),
+        Header("affected_products_count", _("Affected products"), help_text="Affected products"),
+        Header("affected_packages_count", _("Affected packages"), help_text="Affected packages"),
+        Header("fixed_packages_count", _("Fixed by"), help_text="Fixed by packages"),
+    )
+
+    def get_queryset(self):
+        return (
+            super()
+            .get_queryset()
+            .only(
+                "uuid",
+                "vulnerability_id",
+                "aliases",
+                "summary",
+                "fixed_packages_count",
+                "max_score",
+                "min_score",
+                "created_date",
+                "last_modified_date",
+                "dataspace",
+            )
+            .with_affected_products_count()
+            .with_affected_packages_count()
+            .order_by(
+                F("max_score").desc(nulls_last=True),
+                "-min_score",
+            )
+        )
+
+    def get_context_data(self, **kwargs):
+        context_data = super().get_context_data(**kwargs)
+
+        if not self.dataspace.enable_vulnerablecodedb_access:
+            raise Http404("VulnerableCode access is not enabled.")
+
+        vulnerablecode = VulnerableCode(self.dataspace)
+        context_data["vulnerablecode_url"] = vulnerablecode.service_url
+        return context_data
diff --git a/dejacode/static/css/dejacode_bootstrap.css b/dejacode/static/css/dejacode_bootstrap.css
index 26bf7b52..c344a404 100644
--- a/dejacode/static/css/dejacode_bootstrap.css
+++ b/dejacode/static/css/dejacode_bootstrap.css
@@ -358,6 +358,24 @@ table.packages-table .column-primary_language {
   margin-right: 0.3rem;
 }
 
+/* -- Vulnerability List -- */
+table.vulnerabilities-table .column-vulnerability_id {
+  width: 220px;
+}
+table.vulnerabilities-table .column-aliases {
+  width: 210px;
+}
+table.vulnerabilities-table .column-score_range {
+  width: 110px;
+}
+table.vulnerabilities-table .column-priority {
+  width: 110px;
+}
+table.vulnerabilities-table .column-summary {
+  width: 300px;
+  max-width: 300px;
+}
+
 /* -- Package Details -- */
 textarea.licenseexpressionwidget {
   height: 62px;
diff --git a/dje/templates/admin/base_site.html b/dje/templates/admin/base_site.html
index 8c7ca25a..ae0db44c 100644
--- a/dje/templates/admin/base_site.html
+++ b/dje/templates/admin/base_site.html
@@ -42,6 +42,7 @@ <h1 id="grp-admin-title">
     {% url 'workflow:request_list' as request_list_url %}
     {% url 'component_catalog:scan_list' as scan_list_url %}
     {% url 'purldb:purldb_list' as purldb_list_url %}
+    {% url 'component_catalog:vulnerability_list' as vulnerability_list_url %}
     {% url 'api_v2:api-root' as api_root_url %}
     {% if report_list_url or request_list_url or api_root_url %}
         <li class="grp-collapse grp-closed">
@@ -64,6 +65,10 @@ <h1 id="grp-admin-title">
                       <li><a href="{{ purldb_list_url }}">{% trans 'PurlDB' %}</a></li>
                   {% endif %}
                 {% endif %}
+                {% if user.dataspace.enable_vulnerablecodedb_access %}
+                    <li class="nav-header">{% trans 'Vulnerabilities' %}</li>
+                    <li><a href="{{ vulnerability_list_url }}">{% trans 'Vulnerabilities' %}</a></li>
+                {% endif %}
                 {% if api_root_url %}
                     <li class="nav-header">{% trans 'API' %}</li>
                     <li><a href="{{ api_root_url }}">{% trans 'API Root' %}</a></li>
diff --git a/dje/templates/includes/navbar_header.html b/dje/templates/includes/navbar_header.html
index a4c283c6..44948a75 100644
--- a/dje/templates/includes/navbar_header.html
+++ b/dje/templates/includes/navbar_header.html
@@ -11,6 +11,7 @@
 {% url 'workflow:request_list' as request_list_url %}
 {% url 'component_catalog:scan_list' as scan_list_url %}
 {% url 'purldb:purldb_list' as purldb_list_url %}
+{% url 'component_catalog:vulnerability_list' as vulnerability_list_url %}
 {% url 'django_registration_register' as register_url %}
 {% url 'api_v2:api-root' as api_root_url %}
 {% url 'account_profile' as account_profile_url %}
diff --git a/dje/templates/includes/navbar_header_tools_menu.html b/dje/templates/includes/navbar_header_tools_menu.html
index 133cb0b6..28b4f707 100644
--- a/dje/templates/includes/navbar_header_tools_menu.html
+++ b/dje/templates/includes/navbar_header_tools_menu.html
@@ -32,6 +32,14 @@
           </a>
         {% endif %}
       {% endif %}
+      {% if user.dataspace.enable_vulnerablecodedb_access %}
+        <div class="dropdown-divider"></div>
+        <div class="dropdown-header">{% trans 'Vulnerabilities' %}</div>
+        <a class="dropdown-item{% if vulnerability_list_url in request.path %} active{% endif %}" href="{{ vulnerability_list_url }}">
+          <i class="fas fa-bug"></i>
+          {% trans 'Vulnerabilities' %}
+        </a>
+      {% endif %}
       <div class="dropdown-divider"></div>
       <div class="dropdown-header">API</div>
       <a class="dropdown-item" href="{{ api_root_url }}">
diff --git a/purldb/templates/purldb/includes/filterset_modal.html b/dje/templates/modals/filterset_modal.html
similarity index 72%
rename from purldb/templates/purldb/includes/filterset_modal.html
rename to dje/templates/modals/filterset_modal.html
index 6aabba38..86f86e29 100644
--- a/purldb/templates/purldb/includes/filterset_modal.html
+++ b/dje/templates/modals/filterset_modal.html
@@ -1,14 +1,14 @@
 {% load crispy_forms_tags %}
-<div id="purldb-filterset-modal" class="modal" tabindex="-1" role="dialog">
+<div id="filterset-modal" class="modal" tabindex="-1" role="dialog">
   <div class="modal-dialog modal-lg" role="document">
     <div class="modal-content">
       <div class="modal-header">
         <h5 class="modal-title">Filters</h5>
         <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
       </div>
-      <form autocomplete="off" method="{{ form_helper.form_method }}" class="{{ form_helper.form_class }}">
+      <form autocomplete="off" method="{{ filter_form_helper.form_method }}" class="{{ filter_form_helper.form_class }}">
         <div class="modal-body bg-body-tertiary">
-          {% crispy filter.form form_helper %}
+          {% crispy filter.form filter_form_helper %}
         </div>
         <div class="modal-footer">
           <input type="button" name="close" value="Close" class="btn btn-secondary" data-bs-dismiss="modal">
diff --git a/dje/tests/__init__.py b/dje/tests/__init__.py
index 6594511b..0cb161b8 100644
--- a/dje/tests/__init__.py
+++ b/dje/tests/__init__.py
@@ -6,6 +6,8 @@
 # See https://aboutcode.org for more information about AboutCode FOSS projects.
 #
 
+import random
+import string
 import sys
 from importlib import reload
 
@@ -23,6 +25,10 @@
 User = get_user_model()
 
 
+def make_string(length):
+    return "".join(random.choices(string.ascii_letters, k=length))
+
+
 def create(model, dataspace, **kwargs):
     """Wrap the `model_bakery.baker.make` to add a required `dataspace` argument."""
     return baker.make(model, dataspace=dataspace, **kwargs)
diff --git a/product_portfolio/filters.py b/product_portfolio/filters.py
index 6bc89b39..b84f6236 100644
--- a/product_portfolio/filters.py
+++ b/product_portfolio/filters.py
@@ -102,6 +102,10 @@ class ProductFilterSet(DataspacedFilterSet):
             search_placeholder="Search keywords",
         ),
     )
+    affected_by = django_filters.CharFilter(
+        field_name="packages__affected_by_vulnerabilities__vulnerability_id",
+        label=_("Affected by"),
+    )
 
     class Meta:
         model = Product
diff --git a/product_portfolio/tests/__init__.py b/product_portfolio/tests/__init__.py
index f61c4aae..7c7b3ddd 100644
--- a/product_portfolio/tests/__init__.py
+++ b/product_portfolio/tests/__init__.py
@@ -5,3 +5,35 @@
 # See https://github.com/aboutcode-org/dejacode for support or download.
 # See https://aboutcode.org for more information about AboutCode FOSS projects.
 #
+
+from component_catalog.models import Component
+from component_catalog.models import Package
+from dje.tests import make_string
+from product_portfolio.models import Product
+from product_portfolio.models import ProductComponent
+from product_portfolio.models import ProductPackage
+
+
+def make_product(dataspace, inventory=None, **data):
+    """Create a product for test purposes."""
+    if "name" not in data:
+        data["name"] = f"product-{make_string(10)}"
+
+    product = Product.objects.create(
+        dataspace=dataspace,
+        **data,
+    )
+
+    inventory = inventory or []
+    if not isinstance(inventory, list):
+        inventory = [inventory]
+
+    for instance in inventory:
+        if isinstance(instance, Package):
+            ProductPackage.objects.create(product=product, package=instance, dataspace=dataspace)
+        if isinstance(instance, Component):
+            ProductComponent.objects.create(
+                product=product, component=instance, dataspace=dataspace
+            )
+
+    return product
diff --git a/purldb/templates/purldb/purldb_list.html b/purldb/templates/purldb/purldb_list.html
index 4398a286..49947af6 100644
--- a/purldb/templates/purldb/purldb_list.html
+++ b/purldb/templates/purldb/purldb_list.html
@@ -18,11 +18,11 @@
 {% block top-right-buttons %}
   {{ block.super }}
    <div class="btn-group">
-    <button type="button" class="btn btn-outline-dark {% if filter.form.changed_data %}active{% endif %}" data-bs-toggle="modal" data-bs-target="#purldb-filterset-modal"><i class="fas fa-filter"></i> Filters</button>
+    <button type="button" class="btn btn-outline-dark {% if filter.form.changed_data %}active{% endif %}" data-bs-toggle="modal" data-bs-target="#filterset-modal"><i class="fas fa-filter"></i> Filters</button>
   </div>
 {% endblock %}
 
 {% block content %}
   {{ block.super }}
-  {% include 'purldb/includes/filterset_modal.html' %}
+  {% include 'modals/filterset_modal.html' %}
 {% endblock %}
\ No newline at end of file
diff --git a/purldb/tests/test_views.py b/purldb/tests/test_views.py
index 5737c4eb..23e0d3fd 100644
--- a/purldb/tests/test_views.py
+++ b/purldb/tests/test_views.py
@@ -199,8 +199,8 @@ def test_purldb_list_view_filters(self):
         self.client.login(username=self.nexb_user.username, password="secret")
 
         response = self.client.get(list_url + "?sort=-name&type=pypi")
-        self.assertContains(response, 'data-bs-target="#purldb-filterset-modal"')
-        self.assertContains(response, 'id="purldb-filterset-modal"')
+        self.assertContains(response, 'data-bs-target="#filterset-modal"')
+        self.assertContains(response, 'id="filterset-modal"')
         self.assertContains(
             response, '<option value="-name" selected>Name (descending)</option>', html=True
         )
diff --git a/purldb/views.py b/purldb/views.py
index d568310b..1c4233d8 100644
--- a/purldb/views.py
+++ b/purldb/views.py
@@ -178,7 +178,7 @@ def get_queryset(self):
         return self.list_data.get("results", [])
 
     @staticmethod
-    def get_form_helper():
+    def get_filter_form_helper():
         helper = FormHelper()
         helper.form_method = "get"
         helper.form_tag = False
@@ -200,7 +200,7 @@ def get_context_data(self, **kwargs):
         )
 
         context["filter"] = self.filterset
-        context["form_helper"] = self.get_form_helper()
+        context["filter_form_helper"] = self.get_filter_form_helper()
 
         return context
 

From 08f9367be06bb35f0cdfee0017a3623ef3f7e2b0 Mon Sep 17 00:00:00 2001
From: tdruez <489057+tdruez@users.noreply.github.com>
Date: Wed, 28 Aug 2024 15:16:43 +0400
Subject: [PATCH 6/7] =?UTF-8?q?Fix=20an=20issue=20with=20vulnerability=20m?=
 =?UTF-8?q?2m=20when=20copying=20a=20package/component=20=E2=80=A6=20(#172?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: tdruez <tdruez@nexb.com>
---
 component_catalog/tests/test_copy.py | 55 ++++++++++++++++++++++++++++
 dje/copier.py                        |  9 +++++
 dje/views.py                         | 14 ++++---
 3 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 component_catalog/tests/test_copy.py

diff --git a/component_catalog/tests/test_copy.py b/component_catalog/tests/test_copy.py
new file mode 100644
index 00000000..ae7c326a
--- /dev/null
+++ b/component_catalog/tests/test_copy.py
@@ -0,0 +1,55 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# DejaCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: AGPL-3.0-only
+# See https://github.com/aboutcode-org/dejacode for support or download.
+# See https://aboutcode.org for more information about AboutCode FOSS projects.
+#
+
+from django.contrib.contenttypes.models import ContentType
+from django.test import TestCase
+from django.urls import reverse
+
+from component_catalog.models import Package
+from component_catalog.models import PackageAssignedLicense
+from component_catalog.models import Vulnerability
+from component_catalog.tests import make_package
+from dje.models import Dataspace
+from dje.tests import create_superuser
+
+
+class ComponentCatalogCopyTestCase(TestCase):
+    def setUp(self):
+        self.dataspace = Dataspace.objects.create(name="nexB")
+        self.target_dataspace = Dataspace.objects.create(name="Target")
+        self.super_user = create_superuser("super_user", self.dataspace)
+
+    def test_component_catalog_admin_copy_view_vulnerable_package(self):
+        package1 = make_package(self.dataspace, is_vulnerable=True)
+        self.assertEqual(1, package1.affected_by_vulnerabilities.count())
+
+        self.client.login(username=self.super_user.username, password="secret")
+        url = reverse("admin:component_catalog_package_copy")
+        data = {
+            "ids": str(package1.id),
+            "target": self.target_dataspace.id,
+        }
+        response = self.client.get(url, data, follow=True)
+        self.assertContains(response, "Copy the following Packages")
+
+        data = {
+            "ct": str(ContentType.objects.get_for_model(Package).pk),
+            "copy_candidates": package1.id,
+            "source": self.dataspace.id,
+            "targets": self.target_dataspace.id,
+            "form-TOTAL_FORMS": 1,
+            "form-INITIAL_FORMS": 1,
+            "form-0-ct": ContentType.objects.get_for_model(PackageAssignedLicense).pk,
+        }
+        self.client.post(url, data)
+        response = self.client.post(url, data, follow=True)
+        self.assertEqual(200, response.status_code)
+
+        copied_package1 = Package.objects.scope(self.target_dataspace).get()
+        self.assertEqual(0, copied_package1.affected_by_vulnerabilities.count())
+        self.assertEqual(0, Vulnerability.objects.scope(self.target_dataspace).count())
diff --git a/dje/copier.py b/dje/copier.py
index 758c23cb..385d510c 100644
--- a/dje/copier.py
+++ b/dje/copier.py
@@ -65,6 +65,7 @@
     "scanned_by",
     "project_uuid",
     "default_assignee",
+    "affected_by_vulnerabilities",
 ]
 
 
@@ -199,6 +200,11 @@ def copy_to(reference_obj, target_dataspace, user, **kwargs):
             field = reference_obj._meta.get_field(field_name)
         except FieldDoesNotExist:
             continue
+
+        # Simply skip many_to_many fields.
+        if field.many_to_many:
+            continue
+
         # get_default Return None or empty string (depending on the Field type)
         # if no default value was declared.
         setattr(target_obj, field_name, field.get_default())
@@ -306,6 +312,9 @@ def copy_m2m_fields(reference_obj, target_dataspace, user, update=False, **kwarg
     m2m_fields = reference_obj._meta.many_to_many
 
     for m2m_field in m2m_fields:
+        if m2m_field.name in ALWAYS_EXCLUDE:
+            continue
+
         through_model = m2m_field.remote_field.through  # Relation Model (through table)
         m2m_field_name = m2m_field.m2m_field_name()  # FK fields names on the Relation Model
         reference_m2m_qs = through_model.objects.filter(**{m2m_field_name: reference_obj})
diff --git a/dje/views.py b/dje/views.py
index e235e6e8..59b6140c 100644
--- a/dje/views.py
+++ b/dje/views.py
@@ -79,9 +79,8 @@
 from dejacode_toolkit.purldb import PurlDB
 from dejacode_toolkit.scancodeio import ScanCodeIO
 from dejacode_toolkit.vulnerablecode import VulnerableCode
+from dje import copier
 from dje import outputs
-from dje.copier import COPY_DEFAULT_EXCLUDE
-from dje.copier import SKIP
 from dje.copier import get_object_in
 from dje.copier import get_or_create_in
 from dje.decorators import accept_anonymous
@@ -1347,6 +1346,7 @@ def object_copy_get(request, m2m_formset_class):
     m2m_initial = [
         {"ct": ContentType.objects.get_for_model(m2m_field.remote_field.through).id}
         for m2m_field in model_class._meta.many_to_many
+        if m2m_field.name not in copier.ALWAYS_EXCLUDE
     ]
 
     # Also handle relational fields if explicitly declared on the Model using the
@@ -1425,10 +1425,14 @@ def object_copy_view(request):
             skip_on_copy = cleaned_data.get("skip_on_copy")
             skip_on_update = cleaned_data.get("skip_on_update")
             exclude_copy.update(
-                {m2m_model_class: SKIP if skip_on_copy else cleaned_data.get("exclude_copy")}
+                {m2m_model_class: copier.SKIP if skip_on_copy else cleaned_data.get("exclude_copy")}
             )
             exclude_update.update(
-                {m2m_model_class: SKIP if skip_on_update else cleaned_data.get("exclude_update")}
+                {
+                    m2m_model_class: copier.SKIP
+                    if skip_on_update
+                    else cleaned_data.get("exclude_update")
+                }
             )
 
         copy_candidates = request.POST.get("copy_candidates", "")
@@ -2172,7 +2176,7 @@ def manage_copy_defaults_view(request, pk):
             for app_label in supported_apps
         ]
         formset = CopyDefaultsFormSet(initial=initial)
-        formset.load(dataspace, default=COPY_DEFAULT_EXCLUDE)
+        formset.load(dataspace, default=copier.COPY_DEFAULT_EXCLUDE)
 
     context = {
         "formset": formset,

From 45cc6bae4198b0ea0c187548d5bfaa3e0dce4051 Mon Sep 17 00:00:00 2001
From: tdruez <489057+tdruez@users.noreply.github.com>
Date: Mon, 2 Sep 2024 08:02:57 +0400
Subject: [PATCH 7/7] Add a Vulnerabilities tab in the Product details view #95
 (#173)

Signed-off-by: tdruez <tdruez@nexb.com>
---
 CHANGELOG.rst                                 |   3 +
 component_catalog/filters.py                  |   2 +-
 .../base_component_package_details.html       |   2 +-
 .../includes/vulnerability_aliases.html       |   2 +-
 .../tabs/tab_vulnerabilities.html             |  48 +++--
 dejacode/static/css/dejacode_bootstrap.css    |  31 +++
 dje/filters.py                                |   6 +-
 dje/templates/global_search.html              |   2 +-
 .../includes/object_list_table_header.html    |   6 +-
 dje/templates/notifications/list.html         |   2 +-
 dje/templates/object_details_base.html        |   4 +-
 dje/templates/object_form.html                |   2 +-
 dje/templates/tabs/pagination.html            |  30 +++
 dje/tests/test_permissions.py                 |   1 +
 dje/views.py                                  |   5 +-
 product_portfolio/filters.py                  |   2 -
 product_portfolio/models.py                   |   5 +
 .../product_portfolio/object_manage_grid.html |   4 +-
 .../product_portfolio/product_details.html    |   2 +-
 .../tabs/tab_dependencies.html                |  96 +--------
 .../tabs/tab_vulnerabilities.html             |  64 ++++++
 product_portfolio/tests/test_views.py         |  60 +++++-
 product_portfolio/urls.py                     |   2 +
 product_portfolio/views.py                    | 184 +++++++++++++++---
 .../templates/workflow/request_details.html   |   2 +-
 25 files changed, 413 insertions(+), 154 deletions(-)
 create mode 100644 dje/templates/tabs/pagination.html
 create mode 100644 product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 08df610c..9af9b172 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -104,6 +104,9 @@ Release notes
   "Add Package".
   https://github.com/aboutcode-org/dejacode/issues/163
 
+- Add a Vulnerabilities tab in the Product details view.
+  https://github.com/aboutcode-org/dejacode/issues/95
+
 ### Version 5.1.0
 
 - Upgrade Python version to 3.12 and Django to 5.0.x
diff --git a/component_catalog/filters.py b/component_catalog/filters.py
index 421c3748..6baabfda 100644
--- a/component_catalog/filters.py
+++ b/component_catalog/filters.py
@@ -355,7 +355,7 @@ class Meta:
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.filters["max_score"].extra["widget"] = DropDownRightWidget()
+        self.filters["max_score"].extra["widget"] = DropDownRightWidget(anchor=self.anchor)
 
     def filter_by_score_range(self, queryset, name, value):
         if value in vulnerability_score_ranges:
diff --git a/component_catalog/templates/component_catalog/base_component_package_details.html b/component_catalog/templates/component_catalog/base_component_package_details.html
index 8cc12c84..9fa70d9d 100644
--- a/component_catalog/templates/component_catalog/base_component_package_details.html
+++ b/component_catalog/templates/component_catalog/base_component_package_details.html
@@ -20,7 +20,7 @@
 {% block javascripts %}
   {{ block.super }}
   <script src="{% static 'awesomplete/awesomplete-1.1.5.min.js' %}" integrity="sha384-p5NIw+GEWbrK/9dC3Vuxh36c2HL0ETAXQ81nk8gl1B7FHZmXehonZWs/HBqunmCI" crossorigin="anonymous"></script>
-  <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-oTqsk3bKZbt7gvIiSLAxv/f/1zUBuzofCLQcVe+9J9s7zHhGnWfebQu3miHGT1Vc" crossorigin="anonymous"></script>
+  <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-sb1eCgSzQ43/Yt/kNTeuZ9XmmY0rfloyqPka6VPMR6ZWJsK0pTfsAnTHY7XRZUgd" crossorigin="anonymous"></script>
   <script src="{% static 'json-viewer/jquery.json-viewer-1.4.0.js' %}" integrity="sha384-mCd7P/7rxz1zpQAb195/BFZG4pDkLO6GdkRi772EZRiLTGdfnlhC74NrrwtSHvBI" crossorigin="anonymous"></script>
   {% include 'includes/dependencies-json-viewer.js.html' %}
   {% if open_add_to_package_modal %}
diff --git a/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html b/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
index e64fae7a..f03ecdeb 100644
--- a/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
+++ b/component_catalog/templates/component_catalog/includes/vulnerability_aliases.html
@@ -1,4 +1,4 @@
-<ul class="list-unstyled">
+<ul class="list-unstyled mb-0">
   {% for alias in aliases %}
     <li>
       {% if alias|slice:":3" == "CVE" %}
diff --git a/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html b/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
index dbca137d..136ef7fe 100644
--- a/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
+++ b/component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html
@@ -7,16 +7,21 @@
           {% trans 'Affected by' %}
         </span>
       </th>
-      <th>
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Summary of the vulnerability.">
-          {% trans 'Summary' %}
-        </span>
-      </th>
       <th style="width: 210px;">
         <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="A list of aliases for this vulnerability.">
           {% trans 'Aliases' %}
         </span>
       </th>
+      <th style="width: 90px;">
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Severity score range.">
+          {% trans 'Score' %}
+        </span>
+      </th>
+      <th>
+        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Summary of the vulnerability.">
+          {% trans 'Summary' %}
+        </span>
+      </th>
       <th style="min-width: 320px;">
         <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="The identifiers of Package Versions that have been reported to fix a specific vulnerability and collected in VulnerableCodeDB.">
           {% trans 'Fixed packages' %}
@@ -28,16 +33,37 @@
     {% for vulnerability in values.vulnerabilities %}
       <tr>
         <td>
-          <a href="{{ values.vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
-            {{ vulnerability.vulnerability_id }}
-            <i class="fa-solid fa-up-right-from-square mini"></i>
-          </a>
+          <strong>
+            <a href="{{ values.vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+              {{ vulnerability.vulnerability_id }}
+              <i class="fa-solid fa-up-right-from-square mini"></i>
+            </a>
+          </strong>
         </td>
         <td>
-          {{ vulnerability.summary }}
+           {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
         </td>
         <td>
-           {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
+          {% if vulnerability.min_score %}
+            {{ vulnerability.min_score }} -
+          {% endif %}
+          {% if vulnerability.max_score %}
+            <strong>
+              {{ vulnerability.max_score }}
+            </strong>
+          {% endif %}
+        </td>
+        <td>
+          {% if vulnerability.summary %}
+            {% if vulnerability.summary|length > 120 %}
+              <details>
+                <summary>{{ vulnerability.summary|slice:":120" }}...</summary>
+                {{ vulnerability.summary|slice:"120:" }}
+              </details>
+            {% else %}
+              {{ vulnerability.summary }}
+            {% endif %}
+          {% endif %}
         </td>
         <td>
           {% if vulnerability.fixed_packages_html %}
diff --git a/dejacode/static/css/dejacode_bootstrap.css b/dejacode/static/css/dejacode_bootstrap.css
index c344a404..957dcdd4 100644
--- a/dejacode/static/css/dejacode_bootstrap.css
+++ b/dejacode/static/css/dejacode_bootstrap.css
@@ -376,6 +376,37 @@ table.vulnerabilities-table .column-summary {
   max-width: 300px;
 }
 
+/* -- Vulnerability tab -- */
+#tab_vulnerabilities .column-vulnerability_id {
+  width: 210px;
+}
+#tab_vulnerabilities .column-aliases {
+  width: 210px;
+}
+#tab_vulnerabilities .column-max_score {
+  width: 105px;
+}
+#tab_vulnerabilities .column-column-affected_packages {
+  width: 320px;
+}
+
+/* -- Dependency tab -- */
+#tab_dependencies .column-for_package {
+  width: 250px;
+}
+#tab_dependencies .column-resolved_to_package {
+  width: 250px;
+}
+#tab_dependencies .column-is_runtime {
+  width: 100px;
+}
+#tab_dependencies .column-column-is_optional {
+  width: 100px;
+}
+#tab_dependencies .column-column-is_resolved {
+  width: 88px;
+}
+
 /* -- Package Details -- */
 textarea.licenseexpressionwidget {
   height: 62px;
diff --git a/dje/filters.py b/dje/filters.py
index 85bbb3ce..0aab8a31 100644
--- a/dje/filters.py
+++ b/dje/filters.py
@@ -55,7 +55,10 @@ def is_active(self):
         )
 
     def get_query_no_sort(self):
-        return remove_field_from_query_dict(self.data, "sort")
+        sort_field_name = "sort"
+        if self.form_prefix:
+            sort_field_name = f"{self.form_prefix}-{sort_field_name}"
+        return remove_field_from_query_dict(self.data, sort_field_name)
 
     def get_filter_breadcrumb(self, field_name, data_field_name, value):
         return {
@@ -86,6 +89,7 @@ def __init__(self, *args, **kwargs):
 
         self.dynamic_qs = kwargs.pop("dynamic_qs", True)
         self.parent_qs_cache = {}
+        self.anchor = kwargs.pop("anchor", None)
 
         super().__init__(*args, **kwargs)
 
diff --git a/dje/templates/global_search.html b/dje/templates/global_search.html
index 567cdec4..880e828e 100644
--- a/dje/templates/global_search.html
+++ b/dje/templates/global_search.html
@@ -140,7 +140,7 @@ <h4>
 
 {% block javascripts %}
     {{ block.super }}
-    <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-4gCm4SPCq9O/y66P13LOCfjqfgMtrLt+7DzjdZfHi00UBDkeqn7oAf9Ywdi1HeXN" crossorigin="anonymous"></script>
+    <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-5b5N+CiBiLgPGLMj4/gsf7MiPclQO0wtbtg1aUq+wogLo8D59FAoRjL/TfuKZf/t" crossorigin="anonymous"></script>
 
     {% if include_purldb %}
         <script>
diff --git a/dje/templates/includes/object_list_table_header.html b/dje/templates/includes/object_list_table_header.html
index 5bc72cb6..f28dedf7 100644
--- a/dje/templates/includes/object_list_table_header.html
+++ b/dje/templates/includes/object_list_table_header.html
@@ -26,9 +26,11 @@
         {% if header.sort %}
           {% with query_no_sort=filter.get_query_no_sort %}
             {% if filter.form.sort.data and header.field_name in filter.form.sort.data.0 %}
-              <a href="?{% if query_no_sort %}{{ query_no_sort }}&{% endif %}sort={% if '-' not in filter.form.sort.data.0 %}-{% endif %}{{ header.field_name }}" class="sort active" aria-label="Sort"><i class="fas fa-sort-{% if '-' not in filter.form.sort.data.0 %}up{% else %}down{% endif %}"></i></a>
+              {# The sort for this field is currently active #}
+              <a href="?{% if query_no_sort %}{{ query_no_sort }}&{% endif %}{% if tab_id %}{{ tab_id }}-{% endif %}sort={% if '-' not in filter.form.sort.data.0 %}-{% endif %}{{ header.field_name }}{% if tab_id %}#{{ tab_id }}{% endif %}" class="sort active" aria-label="Sort"><i class="fas fa-sort-{% if '-' not in filter.form.sort.data.0 %}up{% else %}down{% endif %}"></i></a>
             {% else %}
-              <a href="?{% if query_no_sort %}{{ query_no_sort }}&{% endif %}sort={{ header.field_name }}" class="sort" aria-label="Sort"><i class="fas fa-sort"></i></a>
+              {# The sort for this field is NOT active #}
+              <a href="?{% if query_no_sort %}{{ query_no_sort }}&{% endif %}{% if tab_id %}{{ tab_id }}-{% endif %}sort={{ header.field_name }}{% if tab_id %}#{{ tab_id }}{% endif %}" class="sort" aria-label="Sort"><i class="fas fa-sort"></i></a>
             {% endif %}
           {% endwith %}
         {% endif %}
diff --git a/dje/templates/notifications/list.html b/dje/templates/notifications/list.html
index a4d8b4ea..886e8d09 100644
--- a/dje/templates/notifications/list.html
+++ b/dje/templates/notifications/list.html
@@ -72,5 +72,5 @@ <h1 class="header-title">
 
 {% block javascripts %}
     {{ block.super }}
-    <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-4gCm4SPCq9O/y66P13LOCfjqfgMtrLt+7DzjdZfHi00UBDkeqn7oAf9Ywdi1HeXN" crossorigin="anonymous"></script>
+    <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-5b5N+CiBiLgPGLMj4/gsf7MiPclQO0wtbtg1aUq+wogLo8D59FAoRjL/TfuKZf/t" crossorigin="anonymous"></script>
 {% endblock %}
\ No newline at end of file
diff --git a/dje/templates/object_details_base.html b/dje/templates/object_details_base.html
index 750db7ad..15d37841 100644
--- a/dje/templates/object_details_base.html
+++ b/dje/templates/object_details_base.html
@@ -77,8 +77,8 @@ <h1 class="header-title text-break">
   <nav role="navigation">
     <ul class="nav nav-tabs container px-3" id="details_tab" role="tablist">
       {% for tab_name, tab_context in tabsets.items %}
-        <li class="nav-item" role="presentation">
-          <button class="nav-link{% if forloop.first %} active{% endif %}" id="tab_{{ tab_name|slugify }}-tab" data-bs-toggle="tab" data-bs-target="#tab_{{ tab_name|slugify }}" type="button" role="tab" aria-controls="tab_{{ tab_name|slugify }}" aria-selected="{% if forloop.first %}true{% else %}false{% endif %}">
+        <li class="nav-item" role="presentation"{% if tab_context.tooltip %} data-bs-toggle="tooltip" title="{{ tab_context.tooltip }}"{% endif %}>
+          <button class="nav-link{% if forloop.first %} active{% endif %}" id="tab_{{ tab_name|slugify }}-tab" data-bs-toggle="tab" data-bs-target="#tab_{{ tab_name|slugify }}" type="button" role="tab" aria-controls="tab_{{ tab_name|slugify }}" aria-selected="{% if forloop.first %}true{% else %}false{% endif %}"{% if tab_context.disabled %} disabled="disabled"{% endif %}>
             {% if tab_context.label %}
               {{ tab_context.label }}
             {% else %}
diff --git a/dje/templates/object_form.html b/dje/templates/object_form.html
index f7493a47..66cc74f0 100644
--- a/dje/templates/object_form.html
+++ b/dje/templates/object_form.html
@@ -43,7 +43,7 @@ <h1 class="header-title">
 {% block javascripts %}
   {{ block.super }}
   {% if form.fields.license_expression %}
-    <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-oTqsk3bKZbt7gvIiSLAxv/f/1zUBuzofCLQcVe+9J9s7zHhGnWfebQu3miHGT1Vc" crossorigin="anonymous"></script>
+    <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-sb1eCgSzQ43/Yt/kNTeuZ9XmmY0rfloyqPka6VPMR6ZWJsK0pTfsAnTHY7XRZUgd" crossorigin="anonymous"></script>
   {% endif %}
   {{ licenses_data_for_builder|json_script:"licenses_data_for_builder" }}
   {{ form.identifier_fields|json_script:"identifier_fields" }}
diff --git a/dje/templates/tabs/pagination.html b/dje/templates/tabs/pagination.html
new file mode 100644
index 00000000..eb0dcc39
--- /dev/null
+++ b/dje/templates/tabs/pagination.html
@@ -0,0 +1,30 @@
+{% load humanize %}
+<div class="row align-items-end">
+  <div class="col mb-3">
+    <ul class="nav nav-pills">
+      <li class="nav-item">
+        <form id="tab-{{ tab_id }}-search-form" class="mt-md-0 me-sm-2">
+          <input style="width: 250px;" type="text" class="form-control form-control-sm" id="tab-{{ tab_id }}-search-input" name="{{ tab_id }}-q" placeholder="Search {{ tab_id }}" aria-label="Search" autocomplete="off" value="{{ search_query|escape }}">
+        </form>
+      </li>
+      <li class="nav-item">
+        <div class="h6 mt-2 mb-0 smaller">
+          {% if page_obj.paginator.count != total_count %}
+            {{ page_obj.paginator.count|intcomma }} of
+            <a href="#" hx-get="{{ request.path }}?all=true#{{ tab_id }}" hx-target="{{ tab_id_html }}">
+              {{ total_count }} results
+            </a>
+          {% else %}
+            {{ page_obj.paginator.count|intcomma }} results
+          {% endif %}
+        </div>
+      </li>
+    </ul>
+    <div class="mt-1">
+      {% include 'includes/filters_breadcrumbs.html' with filterset=filterset fragment=tab_id only %}
+    </div>
+  </div>
+  <div class="col-auto">
+    {% include 'pagination/object_list_pagination.html' with hx_target=tab_id_html %}
+  </div>
+</div>
\ No newline at end of file
diff --git a/dje/tests/test_permissions.py b/dje/tests/test_permissions.py
index b0a8b1ca..3d5e1347 100644
--- a/dje/tests/test_permissions.py
+++ b/dje/tests/test_permissions.py
@@ -138,6 +138,7 @@ def test_permissions_get_all_tabsets(self):
                 "notice",
                 "license",
                 "owner",
+                "vulnerabilities",
                 "dependencies",
                 "activity",
                 "imports",
diff --git a/dje/views.py b/dje/views.py
index 59b6140c..76d5b2c6 100644
--- a/dje/views.py
+++ b/dje/views.py
@@ -294,10 +294,11 @@ def get_context_data(self, **kwargs):
 class TableHeaderMixin:
     table_headers = ()
     model = None
-    filterset = None
+    table_model = None
 
     def get_table_headers(self):
-        opts = self.model._meta
+        model = self.table_model or self.model
+        opts = model._meta
 
         sort_fields = []
         if self.filterset and "sort" in self.filterset.filters:
diff --git a/product_portfolio/filters.py b/product_portfolio/filters.py
index b84f6236..4cfe81de 100644
--- a/product_portfolio/filters.py
+++ b/product_portfolio/filters.py
@@ -164,8 +164,6 @@ def filter_object_type(queryset, name, value):
         return queryset.none()
 
     def __init__(self, *args, **kwargs):
-        self.anchor = kwargs.pop("anchor", None)
-
         super().__init__(*args, **kwargs)
 
         self.filters["review_status"].extra["to_field_name"] = "label"
diff --git a/product_portfolio/models.py b/product_portfolio/models.py
index 778e6ab6..09255964 100644
--- a/product_portfolio/models.py
+++ b/product_portfolio/models.py
@@ -28,6 +28,7 @@
 from component_catalog.models import KeywordsMixin
 from component_catalog.models import LicenseExpressionMixin
 from component_catalog.models import Package
+from component_catalog.models import Vulnerability
 from component_catalog.models import component_mixin_factory
 from component_catalog.vulnerabilities import fetch_for_queryset
 from dje import tasks
@@ -495,6 +496,10 @@ def fetch_vulnerabilities(self):
         """Fetch and update the vulnerabilties of all the Package of this Product."""
         return fetch_for_queryset(self.all_packages, self.dataspace)
 
+    def get_vulnerability_qs(self):
+        """Return a QuerySet of all Vulnerability instances related to this product"""
+        return Vulnerability.objects.filter(affected_packages__in=self.packages.all())
+
 
 class ProductRelationStatus(BaseStatusMixin, DataspacedModel):
     class Meta(BaseStatusMixin.Meta):
diff --git a/product_portfolio/templates/product_portfolio/object_manage_grid.html b/product_portfolio/templates/product_portfolio/object_manage_grid.html
index 02486659..61c85f82 100644
--- a/product_portfolio/templates/product_portfolio/object_manage_grid.html
+++ b/product_portfolio/templates/product_portfolio/object_manage_grid.html
@@ -66,7 +66,7 @@ <h1 class="header-title">
   {{ formset.media }}
   <link href="{% static 'awesomplete/awesomplete-1.1.5.css' %}" type="text/css" media="all" rel="stylesheet">
   <script src="{% static 'awesomplete/awesomplete-1.1.5.min.js' %}" integrity="sha384-p5NIw+GEWbrK/9dC3Vuxh36c2HL0ETAXQ81nk8gl1B7FHZmXehonZWs/HBqunmCI" crossorigin="anonymous"></script>
-  <script src="{% static 'js/widget_autocomplete.js' %}" integrity="sha384-Xwh0IgdZ3xDFYieC0irLFU0+f9PHFFfA5k/MHGMBcwVDgovhbrJhXEbXX7s5/Ylz" crossorigin="anonymous"></script>
+  <script src="{% static 'js/widget_autocomplete.js' %}" integrity="sha384-ksQnUTczA9QhT+bgsL38TcPgxAQFj6tyqqdmYm1tmfemEgq/u0QqXshxPiefnTIz" crossorigin="anonymous"></script>
 
   {% include 'includes/messages_alert.html' %}
 
@@ -167,7 +167,7 @@ <h5 class="modal-title">Create new Component</h5>
 {% endblock %}
 
 {% block javascripts %}
-  <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-oTqsk3bKZbt7gvIiSLAxv/f/1zUBuzofCLQcVe+9J9s7zHhGnWfebQu3miHGT1Vc" crossorigin="anonymous"></script>
+  <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-sb1eCgSzQ43/Yt/kNTeuZ9XmmY0rfloyqPka6VPMR6ZWJsK0pTfsAnTHY7XRZUgd" crossorigin="anonymous"></script>
   <script src="{% static 'js/jquery.dirtyforms.2.0.0.min.js' %}" integrity="sha384-xesGfeB9VUH4sEN2ROWGaWMcYi5B/NjoBb5XK6cvcuUyL6f+GI2B7kcCzbqsJcwc" crossorigin="anonymous"></script>
   {% if component_add_form %}
     <script src="{% static 'js/csrf_header.js' %}" integrity="sha384-H61e46QMjASwnZFb/rwCl9PANtdqt1dbKU8gnGOh9lIGQEoi1B6qkWROHnrktD3R" crossorigin="anonymous"></script>
diff --git a/product_portfolio/templates/product_portfolio/product_details.html b/product_portfolio/templates/product_portfolio/product_details.html
index b4ccc25f..beec6a38 100644
--- a/product_portfolio/templates/product_portfolio/product_details.html
+++ b/product_portfolio/templates/product_portfolio/product_details.html
@@ -141,7 +141,7 @@
 
   {% if has_edit_productpackage or has_edit_productcomponent or has_add_productcomponent %}
     <script src="{% static 'awesomplete/awesomplete-1.1.5.min.js' %}" integrity="sha384-p5NIw+GEWbrK/9dC3Vuxh36c2HL0ETAXQ81nk8gl1B7FHZmXehonZWs/HBqunmCI" crossorigin="anonymous"></script>
-    <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-oTqsk3bKZbt7gvIiSLAxv/f/1zUBuzofCLQcVe+9J9s7zHhGnWfebQu3miHGT1Vc" crossorigin="anonymous"></script>
+    <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-sb1eCgSzQ43/Yt/kNTeuZ9XmmY0rfloyqPka6VPMR6ZWJsK0pTfsAnTHY7XRZUgd" crossorigin="anonymous"></script>
     <script>
       $(document).ready(function () {
         let edit_modal = $('#edit-productrelation-modal');
diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_dependencies.html b/product_portfolio/templates/product_portfolio/tabs/tab_dependencies.html
index 185294c2..92d6fd6f 100644
--- a/product_portfolio/templates/product_portfolio/tabs/tab_dependencies.html
+++ b/product_portfolio/templates/product_portfolio/tabs/tab_dependencies.html
@@ -3,97 +3,9 @@
 {% load humanize %}
 
 {% spaceless %}
-<div class="row align-items-end">
-  <div class="col mb-3">
-    <ul class="nav nav-pills">
-      <li class="nav-item">
-        <form id="tab-dependencies-search-form" class="mt-md-0 me-sm-2">
-          <input style="width: 250px;" type="text" class="form-control form-control-sm" id="tab-dependencies-search-input" name="dependencies-q" placeholder="Search dependencies" aria-label="Search" autocomplete="off" value="{{ search_query|escape }}">
-        </form>
-      </li>
-      <li class="nav-item">
-        <div class="h6 mt-2 mb-0 smaller">
-          {% if page_obj.paginator.count != total_count %}
-            {{ page_obj.paginator.count|intcomma }} of
-            <a href="#" hx-get="{{ request.path }}?all=true#dependencies" hx-target="{{ tab_id_html }}">
-              {{ total_count }} results
-            </a>
-          {% else %}
-            {{ page_obj.paginator.count|intcomma }} results
-          {% endif %}
-        </div>
-      </li>
-    </ul>
-    <div class="mt-1">
-      {% include 'includes/filters_breadcrumbs.html' with filterset=filter_dependency fragment=tab_id only %}
-    </div>
-  </div>
-  <div class="col-auto">
-    {% include 'pagination/object_list_pagination.html' with hx_target=tab_id_html %}
-  </div>
-</div>
-
+{% include 'tabs/pagination.html' %}
 <table class="table table-bordered table-hover table-md text-break">
-  {% include 'includes/object_list_table_header.html' %}
-  <thead>
-    <tr>
-      <th style="min-width: 250px">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.for_package }}">
-          {% trans 'For package' %}
-        </span>
-        <div class="float-end">
-          {{ filter_dependency.form.for_package }}
-        </div>
-      </th>
-      <th style="min-width: 250px">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.resolved_to_package }}">
-          {% trans 'Resolved to package' %}
-        </span>
-        <div class="float-end">
-          {{ filter_dependency.form.resolved_to_package }}
-        </div>
-      </th>
-      <th>
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.declared_dependency }}">
-          {% trans 'Declared dependency' %}
-        </span>
-      </th>
-      <th>
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.scope }}">
-          {% trans 'Scope' %}
-        </span>
-      </th>
-      <th>
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.extracted_requirement }}">
-          {% trans 'Extracted requirement' %}
-        </span>
-      </th>
-      <th style="min-width: 100px">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.is_runtime }}">
-          {% trans 'Runtime' %}
-        </span>
-        <div class="float-end">
-          {{ filter_dependency.form.is_runtime }}
-        </div>
-      </th>
-      <th style="min-width: 100px">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.is_optional }}">
-          {% trans 'Optional' %}
-        </span>
-        <div class="float-end">
-          {{ filter_dependency.form.is_optional }}
-        </div>
-      </th>
-      <th style="min-width: 88px">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="top" title="{{ help_texts.is_resolved }}">
-          {% trans 'Pinned' %}
-        </span>
-        <div class="float-end">
-          {{ filter_dependency.form.is_resolved }}
-        </div>
-      </th>
-    </tr>
-  </thead>
+  {% include 'includes/object_list_table_header.html' with filter=filterset %}
   <tbody class="text-break">
     {% for dependency in page_obj.object_list %}
       <tr class="{% cycle 'odd' '' %}">
@@ -163,8 +75,8 @@
       <tr>
         <td colspan="10">
           No results.
-          {% if filter_dependency.is_active %}
-            <a href="#" hx-get="{{ request.path }}?all=true#dependencies" hx-target="{{ tab_id_html }}">
+          {% if filterset.is_active %}
+            <a href="#" hx-get="{{ request.path }}?all=true#{{ tab_id }}" hx-target="{{ tab_id_html }}">
               Clear search and filters
             </a>
           {% endif %}
diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html b/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html
new file mode 100644
index 00000000..27e06406
--- /dev/null
+++ b/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html
@@ -0,0 +1,64 @@
+{% load i18n %}
+{% include 'tabs/pagination.html' %}
+<table class="table table-bordered table-hover table-md text-break">
+  {% include 'includes/object_list_table_header.html' with filter=filterset %}
+  <tbody>
+    {% for vulnerability in page_obj.object_list %}
+      <tr>
+        <td>
+          <strong>
+            <a href="{{ values.vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+              {{ vulnerability.vulnerability_id }}
+              <i class="fa-solid fa-up-right-from-square mini"></i>
+            </a>
+          </strong>
+        </td>
+        <td>
+           {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
+        </td>
+        <td>
+          {% if vulnerability.min_score %}
+            {{ vulnerability.min_score }} -
+          {% endif %}
+          {% if vulnerability.max_score %}
+            <strong>
+              {{ vulnerability.max_score }}
+            </strong>
+          {% endif %}
+        </td>
+        <td>
+          {% if vulnerability.summary %}
+            {% if vulnerability.summary|length > 120 %}
+              <details>
+                <summary>{{ vulnerability.summary|slice:":120" }}...</summary>
+                {{ vulnerability.summary|slice:"120:" }}
+              </details>
+            {% else %}
+              {{ vulnerability.summary }}
+            {% endif %}
+          {% endif %}
+        </td>
+        <td>
+          <ul class="list-unstyled mb-0">
+            {% for package in vulnerability.affected_packages.all %}
+              <li>
+                <a href="{{ package.get_absolute_url }}#vulnerabilities" target="_blank">{{ package }}</a>
+              </li>
+            {% endfor %}
+          </ul>
+        </td>
+      </tr>
+    {% empty %}
+      <tr>
+        <td colspan="10">
+          No results.
+          {% if filterset.is_active %}
+            <a href="#" hx-get="{{ request.path }}?all=true#{{ tab_id }}" hx-target="{{ tab_id_html }}">
+              Clear search and filters
+            </a>
+          {% endif %}
+        </td>
+      </tr>
+    {% endfor %}
+  </tbody>
+</table>
\ No newline at end of file
diff --git a/product_portfolio/tests/test_views.py b/product_portfolio/tests/test_views.py
index f845d7d4..5d5d1baa 100644
--- a/product_portfolio/tests/test_views.py
+++ b/product_portfolio/tests/test_views.py
@@ -56,6 +56,7 @@
 from product_portfolio.models import ProductRelationStatus
 from product_portfolio.models import ProductStatus
 from product_portfolio.models import ScanCodeProject
+from product_portfolio.tests import make_product
 from product_portfolio.views import ManageComponentGridView
 from workflow.models import Request
 from workflow.models import RequestTemplate
@@ -132,7 +133,7 @@ def test_product_portfolio_detail_view_tab_inventory_and_hierarchy_availability(
         ProductComponent.objects.create(
             product=self.product1, component=self.component1, dataspace=self.dataspace
         )
-        with self.assertNumQueries(29):
+        with self.assertNumQueries(30):
             response = self.client.get(url)
         self.assertContains(response, expected1)
         self.assertContains(response, expected2)
@@ -158,7 +159,7 @@ def test_product_portfolio_detail_view_tab_inventory_availability(self):
         ProductPackage.objects.create(
             product=self.product1, package=self.package1, dataspace=self.dataspace
         )
-        with self.assertNumQueries(26):
+        with self.assertNumQueries(27):
             response = self.client.get(url)
         self.assertContains(response, expected)
 
@@ -271,6 +272,61 @@ def test_product_portfolio_detail_view_tab_dependency_view(self):
             response = self.client.get(url)
         self.assertContains(response, "4 results")
 
+    def test_product_portfolio_detail_view_tab_vulnerability_view(self):
+        self.client.login(username="nexb_user", password="secret")
+        url = self.product1.get_url("tab_vulnerabilities")
+
+        with self.assertMaxQueries(9):
+            response = self.client.get(url)
+        self.assertContains(response, "0 results")
+
+        p1 = make_package(self.dataspace, is_vulnerable=True)
+        p2 = make_package(self.dataspace, is_vulnerable=True)
+        p3 = make_package(self.dataspace, is_vulnerable=True)
+        p4 = make_package(self.dataspace, is_vulnerable=True)
+        product1 = make_product(self.dataspace, inventory=[p1, p2, p3, p4])
+
+        self.assertEqual(4, product1.packages.count())
+        self.assertEqual(4, product1.packages.vulnerable().count())
+
+        url = product1.get_url("tab_vulnerabilities")
+        with self.assertMaxQueries(10):
+            response = self.client.get(url)
+        self.assertContains(response, "4 results")
+
+    def test_product_portfolio_detail_view_tab_vulnerability_view_filters(self):
+        self.client.login(username="nexb_user", password="secret")
+        url = self.product1.get_url("tab_vulnerabilities")
+        response = self.client.get(url)
+        self.assertContains(response, "?vulnerabilities-max_score=#vulnerabilities")
+        self.assertContains(response, "?vulnerabilities-sort=max_score#vulnerabilities")
+        response = self.client.get(url + "?vulnerabilities-sort=max_score#vulnerabilities")
+        self.assertContains(response, "?vulnerabilities-sort=-max_score#vulnerabilities")
+
+    @mock.patch("dejacode_toolkit.vulnerablecode.VulnerableCode.is_configured")
+    def test_product_portfolio_detail_view_tab_vulnerability_label(self, mock_is_configured):
+        mock_is_configured.return_value = True
+        self.client.login(username="nexb_user", password="secret")
+        url = self.product1.get_absolute_url()
+        response = self.client.get(url)
+        self.assertNotContains(response, "tab_vulnerabilities")
+
+        self.dataspace.enable_vulnerablecodedb_access = True
+        self.dataspace.save()
+        response = self.client.get(url)
+        expected = 'aria-controls="tab_vulnerabilities" aria-selected="false" disabled="disabled"'
+        self.assertContains(response, expected)
+        expected = 'data-bs-toggle="tooltip" title="No vulnerabilities found in this Product"'
+        self.assertContains(response, expected)
+
+        package1 = make_package(self.dataspace, is_vulnerable=True)
+        ProductPackage.objects.create(
+            product=self.product1, package=package1, dataspace=self.dataspace
+        )
+        response = self.client.get(url)
+        expected = '<span class="badge badge-vulnerability">1</span>'
+        self.assertContains(response, expected)
+
     def test_product_portfolio_detail_view_object_type_filter_in_inventory_tab(self):
         self.client.login(username="nexb_user", password="secret")
 
diff --git a/product_portfolio/urls.py b/product_portfolio/urls.py
index 6eb41237..ff4814b9 100644
--- a/product_portfolio/urls.py
+++ b/product_portfolio/urls.py
@@ -24,6 +24,7 @@
 from product_portfolio.views import ProductTabDependenciesView
 from product_portfolio.views import ProductTabImportsView
 from product_portfolio.views import ProductTabInventoryView
+from product_portfolio.views import ProductTabVulnerabilitiesView
 from product_portfolio.views import ProductTreeComparisonView
 from product_portfolio.views import ProductUpdateView
 from product_portfolio.views import PullProjectDataFromScanCodeIOView
@@ -94,6 +95,7 @@ def product_path(path_segment, view):
     *product_path("import_manifests", ImportManifestsView.as_view()),
     *product_path("tab_codebase", ProductTabCodebaseView.as_view()),
     *product_path("tab_dependencies", ProductTabDependenciesView.as_view()),
+    *product_path("tab_vulnerabilities", ProductTabVulnerabilitiesView.as_view()),
     *product_path("tab_imports", ProductTabImportsView.as_view()),
     *product_path("tab_inventory", ProductTabInventoryView.as_view()),
     *product_path("pull_project_data", PullProjectDataFromScanCodeIOView.as_view()),
diff --git a/product_portfolio/views.py b/product_portfolio/views.py
index 81f22f54..2fffff39 100644
--- a/product_portfolio/views.py
+++ b/product_portfolio/views.py
@@ -25,6 +25,7 @@
 from django.core.paginator import Paginator
 from django.db import transaction
 from django.db.models import Count
+from django.db.models import F
 from django.db.models import Prefetch
 from django.db.models.functions import Lower
 from django.forms import modelformset_factory
@@ -38,6 +39,7 @@
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.utils.html import format_html
+from django.utils.translation import gettext_lazy as _
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
 from django.views.generic import DetailView
@@ -53,17 +55,20 @@
 from openpyxl.styles import NamedStyle
 from openpyxl.styles import Side
 
+from component_catalog.filters import VulnerabilityFilterSet
 from component_catalog.forms import ComponentAjaxForm
 from component_catalog.license_expression_dje import build_licensing
 from component_catalog.license_expression_dje import parse_expression
 from component_catalog.models import Component
 from component_catalog.models import Package
+from component_catalog.models import Vulnerability
 from dejacode_toolkit.purldb import PurlDB
 from dejacode_toolkit.scancodeio import ScanCodeIO
 from dejacode_toolkit.scancodeio import get_hash_uid
 from dejacode_toolkit.scancodeio import get_package_download_url
 from dejacode_toolkit.scancodeio import get_scan_results_as_file_url
 from dejacode_toolkit.utils import sha1
+from dejacode_toolkit.vulnerablecode import VulnerableCode
 from dje import tasks
 from dje.client_data import add_client_data
 from dje.filters import BooleanChoiceFilter
@@ -91,6 +96,7 @@
 from dje.views import SendAboutFilesView
 from dje.views import TabContentView
 from dje.views import TabField
+from dje.views import TableHeaderMixin
 from dje.views_formset import FormSetView
 from license_library.filters import LicenseFilterSet
 from license_library.models import License
@@ -123,7 +129,7 @@
 from product_portfolio.models import ScanCodeProject
 
 
-class BaseProductView:
+class BaseProductViewMixin:
     model = Product
     slug_url_kwarg = ("name", "version")
 
@@ -221,7 +227,7 @@ def get_extra_add_urls(self):
 
 class ProductDetailsView(
     LoginRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     ObjectDetailsView,
 ):
     template_name = "product_portfolio/product_details.html"
@@ -285,6 +291,7 @@ class ProductDetailsView(
                 "owner",
             ],
         },
+        "vulnerabilities": {},
         "dependencies": {
             "fields": [
                 "dependencies",
@@ -514,6 +521,47 @@ def tab_dependencies(self):
             "fields": [(None, tab_context, None, template)],
         }
 
+    def tab_vulnerabilities(self):
+        dataspace = self.object.dataspace
+        vulnerablecode = VulnerableCode(self.object.dataspace)
+        display_tab_contions = [
+            dataspace.enable_vulnerablecodedb_access,
+            vulnerablecode.is_configured(),
+        ]
+        if not all(display_tab_contions):
+            return
+
+        vulnerability_qs = self.object.get_vulnerability_qs()
+        vulnerability_count = vulnerability_qs.count()
+        if not vulnerability_count:
+            label = 'Vulnerabilities <span class="badge bg-secondary">0</span>'
+            return {
+                "label": format_html(label),
+                "fields": [],
+                "disabled": True,
+                "tooltip": "No vulnerabilities found in this Product",
+            }
+
+        label = (
+            f'Vulnerabilities <span class="badge badge-vulnerability">{vulnerability_count}</span>'
+        )
+
+        # Pass the current request query context to the async request
+        tab_view_url = self.object.get_url("tab_vulnerabilities")
+        if full_query_string := self.request.META["QUERY_STRING"]:
+            tab_view_url += f"?{full_query_string}"
+
+        template = "tabs/tab_async_loader.html"
+        tab_context = {
+            "tab_view_url": tab_view_url,
+            "tab_object_name": "vulnerabilities",
+        }
+
+        return {
+            "label": format_html(label),
+            "fields": [(None, tab_context, None, template)],
+        }
+
     def tab_codebase(self):
         codebaseresources_count = self.object.codebaseresources.count()
         if not codebaseresources_count:
@@ -643,7 +691,7 @@ def get_context_data(self, **kwargs):
 
 class ProductTabInventoryView(
     LoginRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     PreviousNextPaginationMixin,
     TabContentView,
 ):
@@ -698,7 +746,7 @@ def get_context_data(self, **kwargs):
             self.request.GET,
             queryset=productpackage_qs,
             dataspace=self.object.dataspace,
-            prefix="inventory",
+            prefix=self.tab_id,
             anchor="#inventory",
         )
 
@@ -726,7 +774,7 @@ def get_context_data(self, **kwargs):
             self.request.GET,
             queryset=productcomponent_qs,
             dataspace=self.object.dataspace,
-            prefix="inventory",
+            prefix=self.tab_id,
             anchor="#inventory",
         )
 
@@ -873,7 +921,7 @@ def inject_scan_data(scancodeio, feature_grouped, dataspace_uuid):
 
 class ProductTabCodebaseView(
     LoginRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     PreviousNextPaginationMixin,
     TabContentView,
 ):
@@ -893,7 +941,7 @@ def get_context_data(self, **kwargs):
             self.request.GET,
             queryset=codebaseresource_qs,
             dataspace=self.object.dataspace,
-            prefix="codebase",
+            prefix=self.tab_id,
         )
 
         paginator = Paginator(filter_codebaseresource.qs, self.paginate_by)
@@ -954,19 +1002,30 @@ def has_any_values(field_name):
 
 class ProductTabDependenciesView(
     LoginRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     PreviousNextPaginationMixin,
+    TableHeaderMixin,
     TabContentView,
 ):
     template_name = "product_portfolio/tabs/tab_dependencies.html"
     paginate_by = 50
+    table_model = ProductDependency
+    filterset_class = DependencyFilterSet
     query_dict_page_param = "dependencies-page"
     tab_id = "dependencies"
+    table_headers = (
+        Header("for_package", _("For package"), filter="for_package"),
+        Header("resolved_to_package", _("Resolved to package"), filter="resolved_to_package"),
+        Header("declared_dependency", _("Declared dependency")),
+        Header("scope", _("Scope")),
+        Header("extracted_requirement", _("Extracted requirement")),
+        Header("is_runtime", _("Runtime"), filter="is_runtime"),
+        Header("is_optional", _("Optional"), filter="is_optional"),
+        Header("is_resolved", _("Resolved"), filter="is_resolved"),
+    )
 
     def get_context_data(self, **kwargs):
-        context_data = super().get_context_data(**kwargs)
         product = self.object
-
         for_package_qs = Package.objects.only_rendering_fields().with_vulnerability_count()
         resolved_to_package_qs = (
             Package.objects.only_rendering_fields()
@@ -978,14 +1037,16 @@ def get_context_data(self, **kwargs):
             Prefetch("resolved_to_package", resolved_to_package_qs),
         )
 
-        filter_dependency = DependencyFilterSet(
+        self.filterset = self.filterset_class(
             self.request.GET,
             queryset=dependency_qs,
             dataspace=product.dataspace,
-            prefix="dependencies",
+            prefix=self.tab_id,
         )
 
-        filtered_and_ordered_qs = filter_dependency.qs.order_by(
+        context_data = super().get_context_data(**kwargs)
+
+        filtered_and_ordered_qs = self.filterset.qs.order_by(
             "for_package__type",
             "for_package__namespace",
             "for_package__name",
@@ -997,19 +1058,82 @@ def get_context_data(self, **kwargs):
         page_number = self.request.GET.get(self.query_dict_page_param)
         page_obj = paginator.get_page(page_number)
 
-        help_texts = {
-            field.name: field.help_text
-            for field in ProductDependency._meta.get_fields()
-            if hasattr(field, "help_text")
-        }
-
         context_data.update(
             {
-                "filter_dependency": filter_dependency,
+                "filterset": self.filterset,
                 "page_obj": page_obj,
                 "total_count": product.dependencies.count(),
                 "search_query": self.request.GET.get("dependencies-q", ""),
-                "help_texts": help_texts,
+            }
+        )
+
+        if page_obj:
+            previous_url, next_url = self.get_previous_next(page_obj)
+            context_data.update(
+                {
+                    "previous_url": (previous_url or "") + f"#{self.tab_id}",
+                    "next_url": (next_url or "") + f"#{self.tab_id}",
+                }
+            )
+
+        return context_data
+
+
+class ProductTabVulnerabilitiesView(
+    LoginRequiredMixin,
+    BaseProductViewMixin,
+    PreviousNextPaginationMixin,
+    TableHeaderMixin,
+    TabContentView,
+):
+    template_name = "product_portfolio/tabs/tab_vulnerabilities.html"
+    paginate_by = 50
+    query_dict_page_param = "vulnerabilities-page"
+    tab_id = "vulnerabilities"
+    table_model = Vulnerability
+    filterset_class = VulnerabilityFilterSet
+    table_headers = (
+        Header("vulnerability_id", _("Vulnerability")),
+        Header("aliases", _("Aliases")),
+        Header("max_score", _("Score"), help_text="Severity score range", filter="max_score"),
+        Header("summary", _("Summary")),
+        Header("affected_packages", _("Affected packages"), help_text="Affected product packages"),
+    )
+
+    def get_context_data(self, **kwargs):
+        product = self.object
+        base_vulnerability_qs = product.get_vulnerability_qs()
+        total_count = base_vulnerability_qs.count()
+
+        package_qs = Package.objects.filter(product=product).only_rendering_fields()
+        vulnerability_qs = base_vulnerability_qs.prefetch_related(
+            Prefetch("affected_packages", package_qs)
+        ).order_by(
+            F("max_score").desc(nulls_last=True),
+            "-min_score",
+        )
+
+        self.filterset = self.filterset_class(
+            self.request.GET,
+            queryset=vulnerability_qs,
+            dataspace=product.dataspace,
+            prefix=self.tab_id,
+            anchor=f"#{self.tab_id}",
+        )
+
+        # The self.filterset needs to be set before calling super()
+        context_data = super().get_context_data(**kwargs)
+
+        paginator = Paginator(self.filterset.qs, self.paginate_by)
+        page_number = self.request.GET.get(self.query_dict_page_param)
+        page_obj = paginator.get_page(page_number)
+
+        context_data.update(
+            {
+                "filterset": self.filterset,
+                "page_obj": page_obj,
+                "total_count": total_count,
+                "search_query": self.request.GET.get("vulnerabilities-q", ""),
             }
         )
 
@@ -1027,7 +1151,7 @@ def get_context_data(self, **kwargs):
 
 class ProductTabImportsView(
     LoginRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     TabContentView,
 ):
     template_name = "product_portfolio/tabs/tab_imports.html"
@@ -1208,7 +1332,7 @@ class ProductAddView(
 
 class ProductUpdateView(
     LicenseDataForBuilderMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     DataspacedUpdateView,
 ):
     form_class = ProductForm
@@ -1226,7 +1350,7 @@ def get_success_url(self):
         return super().get_success_url()
 
 
-class ProductDeleteView(BaseProductView, DataspacedDeleteView):
+class ProductDeleteView(BaseProductViewMixin, DataspacedDeleteView):
     permission_required = "product_portfolio.delete_product"
 
     def get_queryset(self):
@@ -1463,7 +1587,7 @@ class AttributionView(
     LoginRequiredMixin,
     DataspaceScopeMixin,
     GetDataspacedObjectMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     DetailView,
 ):
     template_name = "product_portfolio/attribution/base.html"
@@ -1702,15 +1826,15 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class ProductSendAboutFilesView(BaseProductView, SendAboutFilesView):
+class ProductSendAboutFilesView(BaseProductViewMixin, SendAboutFilesView):
     pass
 
 
-class ProductExportSPDXDocumentView(BaseProductView, ExportSPDXDocumentView):
+class ProductExportSPDXDocumentView(BaseProductViewMixin, ExportSPDXDocumentView):
     pass
 
 
-class ProductExportCycloneDXBOMView(BaseProductView, ExportCycloneDXBOMView):
+class ProductExportCycloneDXBOMView(BaseProductViewMixin, ExportCycloneDXBOMView):
     pass
 
 
@@ -1805,7 +1929,7 @@ class BaseProductManageGridView(
     LicenseDataForBuilderMixin,
     GetDataspacedObjectMixin,
     PermissionRequiredMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     FormSetView,
 ):
     """A base view for managing product relationship through a grid."""
@@ -2128,7 +2252,7 @@ class BaseProductImportFormView(
     PermissionRequiredMixin,
     GetDataspacedObjectMixin,
     DataspacedModelFormMixin,
-    BaseProductView,
+    BaseProductViewMixin,
     FormView,
 ):
     permission_required = "product_portfolio.change_product"
diff --git a/workflow/templates/workflow/request_details.html b/workflow/templates/workflow/request_details.html
index a960a2b6..1ecd9620 100644
--- a/workflow/templates/workflow/request_details.html
+++ b/workflow/templates/workflow/request_details.html
@@ -155,7 +155,7 @@ <h2 class="h4">{{ request_instance.request_template.name }}</h2>
 
 {% block javascripts %}
   {{ block.super }}
-  <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-4gCm4SPCq9O/y66P13LOCfjqfgMtrLt+7DzjdZfHi00UBDkeqn7oAf9Ywdi1HeXN" crossorigin="anonymous"></script>
+  <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-5b5N+CiBiLgPGLMj4/gsf7MiPclQO0wtbtg1aUq+wogLo8D59FAoRjL/TfuKZf/t" crossorigin="anonymous"></script>
   <script src="{% static 'js/jquery.dirtyforms.2.0.0.min.js' %}" integrity="sha384-xesGfeB9VUH4sEN2ROWGaWMcYi5B/NjoBb5XK6cvcuUyL6f+GI2B7kcCzbqsJcwc" crossorigin="anonymous"></script>
   <script src="{% static 'js/clipboard-2.0.0.min.js' %}" integrity="sha384-5tfO0soa+FisnuBhaHP2VmPXQG/JZ8dLcRL43IkJFzbsXTXT6zIX8q8sIT0VSe2G" crossorigin="anonymous"></script>
   <script>