SLCORE-1528 Allow clients to fetch Dependency Risk description fields

Author: damien-urruty-sonarsource

API_CHANGES.md

@@ -5,6 +5,7 @@
 * Allow changing status of SCA issues via `org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService.changeStatus`.
   * Required parameters are `configScopeId`, `issueId` and `transition`.
   * If transition is `ACCEPT`, `FIXED`, or `SAFE`, a `comment` field is mandatory
+* Add a new `org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService.getDependencyRiskDetails`.
 
 # 10.26
 

backend/core/src/main/java/org/sonarsource/sonarlint/core/sca/ScaService.java

@@ -21,12 +21,19 @@
 
 import java.util.UUID;
 import javax.annotation.CheckForNull;
+import org.eclipse.lsp4j.jsonrpc.ResponseErrorException;
+import org.eclipse.lsp4j.jsonrpc.messages.ResponseError;
 import org.sonarsource.sonarlint.core.SonarQubeClientManager;
 import org.sonarsource.sonarlint.core.branch.SonarProjectBranchTrackingService;
 import org.sonarsource.sonarlint.core.commons.log.SonarLintLogger;
 import org.sonarsource.sonarlint.core.commons.progress.SonarLintCancelMonitor;
 import org.sonarsource.sonarlint.core.repository.config.ConfigurationRepository;
+import org.sonarsource.sonarlint.core.rpc.protocol.SonarLintRpcErrorCode;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.DependencyRiskTransition;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.AffectedPackageDto;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsResponse;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.tracking.ScaIssueDto;
+import org.sonarsource.sonarlint.core.serverapi.sca.GetIssueReleaseResponse;
 import org.sonarsource.sonarlint.core.serverconnection.issues.ServerScaIssue;
 import org.sonarsource.sonarlint.core.storage.StorageService;
 
@@ -80,6 +87,23 @@ public void changeStatus(String configurationScopeId, UUID issueReleaseKey, Depe
     serverConnection.withClientApi(serverApi -> serverApi.sca().changeStatus(issueReleaseKey, transition.name(), comment, cancelMonitor));
   }
 
+  public GetDependencyRiskDetailsResponse getDependencyRiskDetails(String configurationScopeId, String dependencyRiskKey, SonarLintCancelMonitor cancelMonitor) {
+    var configScope = configurationRepository.getConfigurationScope(configurationScopeId);
+    if (configScope == null) {
+      var error = new ResponseError(SonarLintRpcErrorCode.CONFIG_SCOPE_NOT_FOUND, "The provided configuration scope does not exist: " + configurationScopeId, configurationScopeId);
+      throw new ResponseErrorException(error);
+    }
+    var effectiveBinding = configurationRepository.getEffectiveBinding(configurationScopeId);
+    if (effectiveBinding.isEmpty()) {
+      var error = new ResponseError(SonarLintRpcErrorCode.CONFIG_SCOPE_NOT_BOUND,
+        "The provided configuration scope is not bound to a SonarQube/SonarCloud project: " + configurationScopeId, configurationScopeId);
+      throw new ResponseErrorException(error);
+    }
+    var apiClient = sonarQubeClientManager.getClientOrThrow(effectiveBinding.get().connectionId());
+    var serverResponse = apiClient.withClientApiAndReturn(serverApi -> serverApi.sca().getIssueRelease(dependencyRiskKey, cancelMonitor));
+    return convertToRpcResponse(serverResponse);
+  }
+
   private static ServerScaIssue.Transition adaptTransition(DependencyRiskTransition transition) {
     return switch (transition) {
       case REOPEN -> ServerScaIssue.Transition.REOPEN;
@@ -90,6 +114,31 @@ private static ServerScaIssue.Transition adaptTransition(DependencyRiskTransitio
     };
   }
 
+  private static GetDependencyRiskDetailsResponse convertToRpcResponse(GetIssueReleaseResponse serverResponse) {
+    var affectedPackages = serverResponse.affectedPackages().stream()
+      .map(pkg -> AffectedPackageDto.builder()
+        .purl(pkg.purl())
+        .recommendation(pkg.recommendation())
+        .impactScore(pkg.recommendationDetails().impactScore())
+        .impactDescription(pkg.recommendationDetails().impactDescription())
+        .realIssue(pkg.recommendationDetails().realIssue())
+        .falsePositiveReason(pkg.recommendationDetails().falsePositiveReason())
+        .includesDev(pkg.recommendationDetails().includesDev())
+        .specificMethodsAffected(pkg.recommendationDetails().specificMethodsAffected())
+        .specificMethodsDescription(pkg.recommendationDetails().specificMethodsDescription())
+        .otherConditions(pkg.recommendationDetails().otherConditions())
+        .otherConditionsDescription(pkg.recommendationDetails().otherConditionsDescription())
+        .workaroundAvailable(pkg.recommendationDetails().workaroundAvailable())
+        .workaroundDescription(pkg.recommendationDetails().workaroundDescription())
+        .visibility(pkg.recommendationDetails().visibility())
+        .build())
+      .toList();
+
+    return new GetDependencyRiskDetailsResponse(serverResponse.key(), ScaIssueDto.Severity.valueOf(serverResponse.severity().name()), serverResponse.release().packageName(),
+      serverResponse.release().version(), ScaIssueDto.Type.valueOf(serverResponse.type().name()), serverResponse.vulnerability().vulnerabilityId(),
+      serverResponse.vulnerability().description(), affectedPackages);
+  }
+
   public static class ScaIssueNotFoundException extends RuntimeException {
     private final String issueKey;
 

backend/rpc-impl/src/main/java/org/sonarsource/sonarlint/core/rpc/impl/ScaRpcServiceDelegate.java

@@ -24,6 +24,8 @@
 import org.eclipse.lsp4j.jsonrpc.messages.ResponseError;
 import org.sonarsource.sonarlint.core.rpc.protocol.SonarLintRpcErrorCode;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ChangeScaIssueStatusParams;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsParams;
+import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.GetDependencyRiskDetailsResponse;
 import org.sonarsource.sonarlint.core.rpc.protocol.backend.sca.ScaRpcService;
 import org.sonarsource.sonarlint.core.sca.ScaService;
 
@@ -44,7 +46,7 @@ public CompletableFuture<Void> changeStatus(ChangeScaIssueStatusParams params) {
           params.getComment(),
           cancelMonitor);
       } catch (ScaService.ScaIssueNotFoundException e) {
-        var error = new ResponseError(SonarLintRpcErrorCode.ISSUE_NOT_FOUND, 
+        var error = new ResponseError(SonarLintRpcErrorCode.ISSUE_NOT_FOUND,
           "Dependency Risk with key " + e.getIssueKey() + " was not found", e.getIssueKey());
         throw new ResponseErrorException(error);
       } catch (IllegalArgumentException e) {
@@ -53,4 +55,10 @@ public CompletableFuture<Void> changeStatus(ChangeScaIssueStatusParams params) {
       }
     }, params.getConfigurationScopeId());
   }
+
+  @Override
+  public CompletableFuture<GetDependencyRiskDetailsResponse> getDependencyRiskDetails(GetDependencyRiskDetailsParams params) {
+    return requestAsync(cancelMonitor -> getBean(ScaService.class)
+      .getDependencyRiskDetails(params.getConfigurationScopeId(), params.getDependencyRiskKey(), cancelMonitor), params.getConfigurationScopeId());
+  }
 }

backend/server-api/src/main/java/org/sonarsource/sonarlint/core/serverapi/sca/GetIssueReleaseResponse.java

@@ -0,0 +1,59 @@
+/*
+ * SonarLint Core - Server API
+ * Copyright (C) 2016-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonarsource.sonarlint.core.serverapi.sca;
+
+import java.util.List;
+
+public record GetIssueReleaseResponse(String key, Severity severity, Release release, Type type, Vulnerability vulnerability, List<AffectedPackage> affectedPackages) {
+  public enum Severity {
+    INFO, LOW, MEDIUM, HIGH, BLOCKER
+  }
+
+  public record Release(String packageName, String version) {
+  }
+
+  public enum Type {
+    VULNERABILITY, PROHIBITED_LICENSE
+  }
+
+  public record Vulnerability(String vulnerabilityId, String description) {
+  }
+
+  public record AffectedPackage(
+    String purl,
+    String recommendation,
+    RecommendationDetails recommendationDetails) {
+  }
+
+  public record RecommendationDetails(
+    int impactScore,
+    String impactDescription,
+    boolean realIssue,
+    String falsePositiveReason,
+    boolean includesDev,
+    boolean specificMethodsAffected,
+    String specificMethodsDescription,
+    boolean otherConditions,
+    String otherConditionsDescription,
+    boolean workaroundAvailable,
+    String workaroundDescription,
+    String visibility) {
+  }
+}

backend/server-api/src/main/java/org/sonarsource/sonarlint/core/serverapi/sca/ScaApi.java

@@ -59,6 +59,13 @@ public GetIssuesReleasesResponse getIssuesReleases(String projectKey, String bra
     return new GetIssuesReleasesResponse(allIssuesReleases, new GetIssuesReleasesResponse.Page(allIssuesReleases.size()));
   }
 
+  public GetIssueReleaseResponse getIssueRelease(String key, SonarLintCancelMonitor cancelMonitor) {
+    var url = "/api/v2/sca/issues-releases/" + UrlUtils.urlEncode(key);
+    try (var response = serverApiHelper.get(url, cancelMonitor)) {
+      return new Gson().fromJson(new InputStreamReader(response.bodyAsStream(), StandardCharsets.UTF_8), GetIssueReleaseResponse.class);
+    }
+  }
+
   public void changeStatus(UUID issueReleaseKey, String transitionKey, String comment, SonarLintCancelMonitor cancelMonitor) {
     var body = new ChangeStatusRequestBody(issueReleaseKey.toString(), transitionKey, comment);
     var url = "/api/v2/sca/issues-releases/change-status";