GSoC 2026 Proposal Draft - Migrate ScanCode.io from Vulnerabilities to Advisories (#2002)

[sohamrajput98]

Hi @TG1999 @tdruez @pombredanne,

I'm Soham, a GSoC 2026 applicant interested in the ScanCode.io
advisories migration project (issue #2002).

Before writing my proposal I did the following research:

• Read vulnerablecode.py fully and mapped all 10+ files affected
  by the migration across pipes, models, views, serializers,
  templates, and migrations
• Studied closed PR #2067 and understood why it was rejected -
  normalization wrapper instead of full refactor.
• Hit public.vulnerablecode.io/api/ directly - confirmed the
  advisories endpoint is not live yet, still returning
  affected_by_vulnerabilities
• Confirmed PR #1966 merged July 2025 in vulnerablecode

Sharing my draft proposal early for mentor feedback:
[https://docs.google.com/document/d/1AJdaqC3d8mctYp2JX3vNCOpLZV9_lB13ANNk_6eRXNo/edit?usp=sharing]

Key question I'd appreciate guidance on: since the public API
doesn't expose advisories yet, should the migration target a
local vulnerablecode instance or design for both formats
during the transition?

Thank you.