SLCORE-1543 open dependency risk in browser

Author: sophio-japharidze-sonarsource

backend/core/src/main/java/org/sonarsource/sonarlint/core/sca/ScaService.java

@@ -28,29 +28,43 @@
 import org.sonarsource.sonarlint.core.commons.log.SonarLintLogger;
 import org.sonarsource.sonarlint.core.commons.progress.SonarLintCancelMonitor;
 import org.sonarsource.sonarlint.core.repository.config.ConfigurationRepository;
+import org.sonarsource.sonarlint.core.repository.connection.ConnectionConfigurationRepository;
+import org.sonarsource.sonarlint.core.rpc.protocol.SonarLintRpcClient;
 import org.sonarsource.sonarlint.core.rpc.protocol.SonarLintRpcErrorCode;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.DependencyRiskTransition;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.AffectedPackageDto;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsResponse;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.ScaIssueDto;
 import org.sonarsource.sonarlint.core.serverapi.sca.GetIssueReleaseResponse;
+import org.sonarsource.sonarlint.core.rpc.protocol.client.OpenUrlInBrowserParams;
+import org.sonarsource.sonarlint.core.serverapi.EndpointParams;
+import org.sonarsource.sonarlint.core.serverapi.ServerApiHelper;
+import org.sonarsource.sonarlint.core.serverapi.UrlUtils;
 import org.sonarsource.sonarlint.core.serverconnection.issues.ServerScaIssue;
 import org.sonarsource.sonarlint.core.storage.StorageService;
+import org.sonarsource.sonarlint.core.telemetry.TelemetryService;
 
 public class ScaService {
   private static final SonarLintLogger LOG = SonarLintLogger.get();
 
   private final ConfigurationRepository configurationRepository;
+  private final ConnectionConfigurationRepository connectionRepository;
   private final StorageService storageService;
   private final SonarQubeClientManager sonarQubeClientManager;
   private final SonarProjectBranchTrackingService branchTrackingService;
+  private final SonarLintRpcClient client;
+  private final TelemetryService telemetryService;
 
-  public ScaService(ConfigurationRepository configurationRepository, StorageService storageService, SonarQubeClientManager sonarQubeClientManager,
-    SonarProjectBranchTrackingService branchTrackingService) {
+  public ScaService(ConfigurationRepository configurationRepository, ConnectionConfigurationRepository connectionRepository,
+    StorageService storageService, SonarQubeClientManager sonarQubeClientManager,
+    SonarProjectBranchTrackingService branchTrackingService, SonarLintRpcClient client, TelemetryService telemetryService) {
     this.configurationRepository = configurationRepository;
+    this.connectionRepository = connectionRepository;
     this.storageService = storageService;
     this.sonarQubeClientManager = sonarQubeClientManager;
     this.branchTrackingService = branchTrackingService;
+    this.client = client;
+    this.telemetryService = telemetryService;
   }
 
   public void changeStatus(String configurationScopeId, UUID issueReleaseKey, DependencyRiskTransition transition, @CheckForNull String comment,
@@ -139,6 +153,38 @@ private static GetDependencyRiskDetailsResponse convertToRpcResponse(GetIssueRel
       serverResponse.vulnerability().description(), affectedPackages);
   }
 
+  public void openDependencyRiskInBrowser(String configurationScopeId, String dependencyKey) {
+    var effectiveBinding = configurationRepository.getEffectiveBinding(configurationScopeId);
+    var endpointParams = effectiveBinding.flatMap(binding -> connectionRepository.getEndpointParams(binding.connectionId()));
+    if (effectiveBinding.isEmpty() || endpointParams.isEmpty()) {
+      LOG.warn("Configuration scope {} is not bound properly, unable to open dependency risk", configurationScopeId);
+      return;
+    }
+    var branchName = branchTrackingService.awaitEffectiveSonarProjectBranch(configurationScopeId);
+    if (branchName.isEmpty()) {
+      LOG.warn("Configuration scope {} has no matching branch, unable to open dependency risk", configurationScopeId);
+      return;
+    }
+
+    var url = buildScaBrowseUrl(effectiveBinding.get().sonarProjectKey(), branchName.get(), dependencyKey, endpointParams.get());
+
+    client.openUrlInBrowser(new OpenUrlInBrowserParams(url));
+
+    // TODO: Add SCA-specific telemetry method when available
+    // telemetryService.dependencyRiskOpenedInBrowser();
+  }
+
+  static String buildScaBrowseUrl(String projectKey, String branch, String dependencyKey, EndpointParams endpointParams) {
+    var relativePath = "/dependency-risks/"
+      + UrlUtils.urlEncode(dependencyKey)
+      + "/what?id="
+      + UrlUtils.urlEncode(projectKey)
+      + "&branch="
+      + UrlUtils.urlEncode(branch);
+
+    return ServerApiHelper.concat(endpointParams.getBaseUrl(), relativePath);
+  }
+
   public static class ScaIssueNotFoundException extends RuntimeException {
     private final String issueKey;
 

backend/core/src/test/java/org/sonarsource/sonarlint/core/sca/ScaServiceTests.java

@@ -0,0 +1,35 @@
+/*
+ * SonarLint Core - Implementation
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonarsource.sonarlint.core.sca;
+
+import org.junit.jupiter.api.Test;
+import org.sonarsource.sonarlint.core.serverapi.EndpointParams;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class ScaServiceTests {
+
+  @Test
+  void testBuildSonarQubeServerScaUrl() {
+    assertThat(ScaService.buildScaBrowseUrl("myProject", "myBranch", "dependencyKey", new EndpointParams("http://foo.com", "", false, null)))
+      .isEqualTo("http://foo.com/dependency-risks/dependencyKey/what?id=myProject&branch=myBranch");
+  }
+
+} 

backend/rpc-impl/src/main/java/org/sonarsource/sonarlint/core/rpc/impl/ScaRpcServiceDelegate.java

@@ -26,6 +26,7 @@
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ChangeScaIssueStatusParams;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsParams;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsResponse;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.OpenDependencyRiskInBrowserParams;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService;
 import org.sonarsource.sonarlint.core.sca.ScaService;
 
@@ -61,4 +62,9 @@ public CompletableFuture<GetDependencyRiskDetailsResponse> getDependencyRiskDeta
     return requestAsync(cancelMonitor -> getBean(ScaService.class)
       .getDependencyRiskDetails(params.getConfigurationScopeId(), params.getDependencyRiskKey(), cancelMonitor), params.getConfigurationScopeId());
   }
+
+  @Override
+  public void openDependencyRiskInBrowser(OpenDependencyRiskInBrowserParams params) {
+    notify(() -> getBean(ScaService.class).openDependencyRiskInBrowser(params.getConfigScopeId(), params.getDependencyKey()), params.getConfigScopeId());
+  }
 }

medium-tests/src/test/java/mediumtest/sca/OpenDependencyRiskInBrowserMediumTests.java

@@ -0,0 +1,71 @@
+/*
+ * SonarLint Core - Medium Tests
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package mediumtest.sca;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.UUID;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.OpenDependencyRiskInBrowserParams;
+import org.sonarsource.sonarlint.core.test.utils.junit5.SonarLintTest;
+import org.sonarsource.sonarlint.core.test.utils.junit5.SonarLintTestHarness;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.timeout;
+import static org.mockito.Mockito.verify;
+import static org.sonarsource.sonarlint.core.serverapi.UrlUtils.urlEncode;
+
+class OpenDependencyRiskInBrowserMediumTests {
+  public static final String CONNECTION_ID = "connectionId";
+  public static final String SCOPE_ID = "scopeId";
+  public static final String PROJECT_KEY = "projectKey";
+  public static final String DEPENDENCY_KEY = UUID.randomUUID().toString();
+  public static final String BRANCH_NAME = "master";
+
+  @SonarLintTest
+  void it_should_open_dependency_risk_in_sonarqube(SonarLintTestHarness harness) throws IOException {
+    var fakeClient = harness.newFakeClient().build();
+    var backend = harness.newBackend()
+      .withSonarQubeConnection(CONNECTION_ID, "http://localhost:12345", storage -> storage.withProject(PROJECT_KEY, project -> project.withMainBranch(BRANCH_NAME)))
+      .withBoundConfigScope(SCOPE_ID, CONNECTION_ID, PROJECT_KEY)
+      .withTelemetryEnabled()
+      .start(fakeClient);
+
+    backend.getScaService().openDependencyRiskInBrowser(new OpenDependencyRiskInBrowserParams(
+      SCOPE_ID, DEPENDENCY_KEY));
+
+    var expectedUrl = String.format("http://localhost:12345/dependency-risks/%s/what?id=%s&branch=%s",
+      urlEncode(DEPENDENCY_KEY), urlEncode(PROJECT_KEY), urlEncode(BRANCH_NAME));
+
+    verify(fakeClient, timeout(5000)).openUrlInBrowser(new URL(expectedUrl));
+  }
+
+  @SonarLintTest
+  void it_should_not_open_dependency_risk_if_unbound(SonarLintTestHarness harness) {
+    var fakeClient = harness.newFakeClient().build();
+    var backend = harness.newBackend()
+      .withUnboundConfigScope(SCOPE_ID)
+      .start(fakeClient);
+
+    backend.getScaService().openDependencyRiskInBrowser(new OpenDependencyRiskInBrowserParams(
+      SCOPE_ID, DEPENDENCY_KEY));
+
+    verify(fakeClient, timeout(5000).times(0)).openUrlInBrowser(any(URL.class));
+  }
+} 

rpc-protocol/src/main/java/org/sonarsource/sonarlint/core/rpc/protocol/backend/sca/OpenDependencyRiskInBrowserParams.java

@@ -0,0 +1,38 @@
+/*
+ * SonarLint Core - RPC Protocol
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonarsource.sonarlint.core.rpc.protocol.backend.sca;
+
+public class OpenDependencyRiskInBrowserParams {
+  private final String configScopeId;
+  private final String dependencyKey;
+
+  public OpenDependencyRiskInBrowserParams(String configScopeId, String dependencyKey) {
+    this.configScopeId = configScopeId;
+    this.dependencyKey = dependencyKey;
+  }
+
+  public String getConfigScopeId() {
+    return configScopeId;
+  }
+
+  public String getDependencyKey() {
+    return dependencyKey;
+  }
+}

rpc-protocol/src/main/java/org/sonarsource/sonarlint/core/rpc/protocol/backend/sca/ScaRpcService.java

@@ -20,6 +20,7 @@
 package org.sonarsource.sonarlint.core.rpc.protocol.backend.sca;
 
 import java.util.concurrent.CompletableFuture;
+import org.eclipse.lsp4j.jsonrpc.services.JsonNotification;
 import org.eclipse.lsp4j.jsonrpc.services.JsonRequest;
 import org.eclipse.lsp4j.jsonrpc.services.JsonSegment;
 
@@ -52,4 +53,7 @@ public interface ScaRpcService {
    */
   @JsonRequest
   CompletableFuture<GetDependencyRiskDetailsResponse> getDependencyRiskDetails(GetDependencyRiskDetailsParams params);
+
+  @JsonNotification
+  void openDependencyRiskInBrowser(OpenDependencyRiskInBrowserParams params);
 }