SLCORE-1525 allow changing status of SCA issues

Author: sophio-japharidze-sonarsource

API_CHANGES.md

@@ -1,3 +1,11 @@
+# 10.27
+
+## New features
+
+* Allow changing status of SCA issues via `org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService.changeStatus`.
+  * Required parameters are `configScopeId`, `issueId` and `transition`.
+  * If transition is `ACCEPT`, `FIXED`, or `SAFE`, a `comment` field is mandatory
+
 # 10.26
 
 ## New features

backend/core/src/main/java/org/sonarsource/sonarlint/core/sca/ScaService.java

@@ -0,0 +1,105 @@
+/*
+ * SonarLint Core - Implementation
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonarsource.sonarlint.core.sca;
+
+import java.util.UUID;
+import javax.annotation.CheckForNull;
+import org.sonarsource.sonarlint.core.SonarQubeClientManager;
+import org.sonarsource.sonarlint.core.branch.SonarProjectBranchTrackingService;
+import org.sonarsource.sonarlint.core.commons.log.SonarLintLogger;
+import org.sonarsource.sonarlint.core.commons.progress.SonarLintCancelMonitor;
+import org.sonarsource.sonarlint.core.repository.config.ConfigurationRepository;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.DependencyRiskTransition;
+import org.sonarsource.sonarlint.core.serverconnection.issues.ServerScaIssue;
+import org.sonarsource.sonarlint.core.storage.StorageService;
+
+public class ScaService {
+  private static final SonarLintLogger LOG = SonarLintLogger.get();
+
+  private final ConfigurationRepository configurationRepository;
+  private final StorageService storageService;
+  private final SonarQubeClientManager sonarQubeClientManager;
+  private final SonarProjectBranchTrackingService branchTrackingService;
+
+  public ScaService(ConfigurationRepository configurationRepository, StorageService storageService, SonarQubeClientManager sonarQubeClientManager,
+    SonarProjectBranchTrackingService branchTrackingService) {
+    this.configurationRepository = configurationRepository;
+    this.storageService = storageService;
+    this.sonarQubeClientManager = sonarQubeClientManager;
+    this.branchTrackingService = branchTrackingService;
+  }
+
+  public void changeStatus(String configurationScopeId, UUID issueReleaseKey, DependencyRiskTransition transition, @CheckForNull String comment,
+    SonarLintCancelMonitor cancelMonitor) {
+    var binding = configurationRepository.getEffectiveBindingOrThrow(configurationScopeId);
+    var serverConnection = sonarQubeClientManager.getClientOrThrow(binding.connectionId());
+    var projectServerIssueStore = storageService.binding(binding).findings();
+    var branchName = branchTrackingService.awaitEffectiveSonarProjectBranch(configurationScopeId);
+
+    if (branchName.isEmpty()) {
+      throw new IllegalArgumentException("Could not determine matched branch for configuration scope " + configurationScopeId);
+    }
+
+    var scaIssues = projectServerIssueStore.loadScaIssues(branchName.get());
+    var dependencyRiskOpt = scaIssues.stream().filter(issue -> issue.key().equals(issueReleaseKey)).findFirst();
+
+    if (dependencyRiskOpt.isEmpty()) {
+      throw new ScaIssueNotFoundException("Dependency Risk with key " + issueReleaseKey.toString() + " was not found", issueReleaseKey.toString());
+    }
+
+    var dependencyRisk = dependencyRiskOpt.get();
+
+    if (!dependencyRisk.transitions().contains(adaptTransition(transition))) {
+      throw new IllegalArgumentException("Transition " + transition + " is not allowed for this SCA issue");
+    }
+
+    if ((transition == DependencyRiskTransition.ACCEPT || transition == DependencyRiskTransition.SAFE || transition == DependencyRiskTransition.FIXED)
+      && (comment == null || comment.isBlank())) {
+      throw new IllegalArgumentException("Comment is required for ACCEPT, FIXED, and SAFE transitions");
+    }
+
+    LOG.info("Changing SCA issue status for issue {} to {} with comment: {}", issueReleaseKey, transition, comment);
+
+    serverConnection.withClientApi(serverApi -> serverApi.sca().changeStatus(issueReleaseKey, transition.name(), comment, cancelMonitor));
+  }
+
+  private static ServerScaIssue.Transition adaptTransition(DependencyRiskTransition transition) {
+    return switch (transition) {
+      case REOPEN -> ServerScaIssue.Transition.REOPEN;
+      case CONFIRM -> ServerScaIssue.Transition.CONFIRM;
+      case ACCEPT -> ServerScaIssue.Transition.ACCEPT;
+      case SAFE -> ServerScaIssue.Transition.SAFE;
+      case FIXED -> ServerScaIssue.Transition.FIXED;
+    };
+  }
+
+  public static class ScaIssueNotFoundException extends RuntimeException {
+    private final String issueKey;
+
+    public ScaIssueNotFoundException(String message, String issueKey) {
+      super(message);
+      this.issueKey = issueKey;
+    }
+
+    public String getIssueKey() {
+      return issueKey;
+    }
+  }
+}

backend/core/src/main/java/org/sonarsource/sonarlint/core/spring/SonarLintSpringAppConfig.java

@@ -99,6 +99,7 @@
 import org.sonarsource.sonarlint.core.sync.HotspotSynchronizationService;
 import org.sonarsource.sonarlint.core.sync.IssueSynchronizationService;
 import org.sonarsource.sonarlint.core.sync.ScaSynchronizationService;
+import org.sonarsource.sonarlint.core.sca.ScaService;
 import org.sonarsource.sonarlint.core.sync.SonarProjectBranchesSynchronizationService;
 import org.sonarsource.sonarlint.core.sync.SynchronizationService;
 import org.sonarsource.sonarlint.core.sync.TaintSynchronizationService;
@@ -195,6 +196,7 @@
   AiCodeFixService.class,
   ClientAwareTaskManager.class,
   ScaSynchronizationService.class,
+  ScaService.class,
 })
 public class SonarLintSpringAppConfig {
 

backend/rpc-impl/src/main/java/org/sonarsource/sonarlint/core/rpc/impl/ScaRpcServiceDelegate.java

@@ -0,0 +1,56 @@
+/*
+ * SonarLint Core - RPC Implementation
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonarsource.sonarlint.core.rpc.impl;
+
+import java.util.concurrent.CompletableFuture;
+import org.eclipse.lsp4j.jsonrpc.ResponseErrorException;
+import org.eclipse.lsp4j.jsonrpc.messages.ResponseError;
+import org.sonarsource.sonarlint.core.rpc.protocol.SonarLintRpcErrorCode;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ChangeScaIssueStatusParams;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService;
+import org.sonarsource.sonarlint.core.sca.ScaService;
+
+public class ScaRpcServiceDelegate extends AbstractRpcServiceDelegate implements ScaRpcService {
+
+  public ScaRpcServiceDelegate(SonarLintRpcServerImpl server) {
+    super(server);
+  }
+
+  @Override
+  public CompletableFuture<Void> changeStatus(ChangeScaIssueStatusParams params) {
+    return runAsync(cancelMonitor -> {
+      try {
+        getBean(ScaService.class).changeStatus(
+          params.getConfigurationScopeId(),
+          params.getIssueReleaseKey(),
+          params.getTransition(),
+          params.getComment(),
+          cancelMonitor);
+      } catch (ScaService.ScaIssueNotFoundException e) {
+        var error = new ResponseError(SonarLintRpcErrorCode.ISSUE_NOT_FOUND, 
+          "Dependency Risk with key " + e.getIssueKey() + " was not found", e.getIssueKey());
+        throw new ResponseErrorException(error);
+      } catch (IllegalArgumentException e) {
+        var error = new ResponseError(SonarLintRpcErrorCode.INVALID_ARGUMENT, e.getMessage(), null);
+        throw new ResponseErrorException(error);
+      }
+    }, params.getConfigurationScopeId());
+  }
+}

backend/rpc-impl/src/main/java/org/sonarsource/sonarlint/core/rpc/impl/SonarLintRpcServerImpl.java

@@ -63,6 +63,7 @@
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.progress.TaskProgressRpcService;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.remediation.aicodefix.AiCodeFixRpcService;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.rules.RulesRpcService;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.telemetry.TelemetryRpcService;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.ScaIssueTrackingRpcService;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.TaintVulnerabilityTrackingRpcService;
@@ -242,6 +243,11 @@ public TaskProgressRpcService getTaskProgressRpcService() {
     return new TaskProgressRpcServiceDelegate(this);
   }
 
+  @Override
+  public ScaRpcService getScaService() {
+    return new ScaRpcServiceDelegate(this);
+  }
+
   @Override
   public CompletableFuture<Void> shutdown() {
     LOG.info("SonarLint backend shutting down, instance={}", this);

backend/server-api/src/main/java/org/sonarsource/sonarlint/core/serverapi/sca/ScaApi.java

@@ -23,10 +23,13 @@
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.UUID;
 import org.sonarsource.sonarlint.core.commons.progress.SonarLintCancelMonitor;
 import org.sonarsource.sonarlint.core.serverapi.ServerApiHelper;
 import org.sonarsource.sonarlint.core.serverapi.UrlUtils;
 
+import static org.sonarsource.sonarlint.core.http.HttpClient.JSON_CONTENT_TYPE;
+
 public class ScaApi {
 
   private final ServerApiHelper serverApiHelper;
@@ -56,4 +59,17 @@ public GetIssuesReleasesResponse getIssuesReleases(String projectKey, String bra
     return new GetIssuesReleasesResponse(allIssuesReleases, new GetIssuesReleasesResponse.Page(allIssuesReleases.size()));
   }
 
+  public void changeStatus(UUID issueReleaseKey, String transitionKey, String comment, SonarLintCancelMonitor cancelMonitor) {
+    var body = new ChangeStatusRequestBody(issueReleaseKey.toString(), transitionKey, comment);
+    var url = "/api/v2/sca/issues-releases/change-status";
+
+    serverApiHelper.post(url, JSON_CONTENT_TYPE, body.toJson(), cancelMonitor);
+  }
+
+  private record ChangeStatusRequestBody(String issueReleaseKey, String transitionKey, String comment) {
+    public String toJson() {
+      return new Gson().toJson(this);
+    }
+  }
+
 }