eclipse-apoapsis
diff --git a/‎components/resolutions/api-model/src/commonMain/kotlin/PostVulnerabilityResolution.kt‎
Lines changed: 44 additions & 0 deletions b/‎components/resolutions/api-model/src/commonMain/kotlin/PostVulnerabilityResolution.kt‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt‎
Lines changed: 78 additions & 0 deletions b/‎components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎components/resolutions/backend/src/routes/kotlin/Routing.kt‎
Lines changed: 33 additions & 0 deletions b/‎components/resolutions/backend/src/routes/kotlin/Routing.kt‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/PostVulnerabilityResolution.kt‎
Lines changed: 126 additions & 0 deletions b/‎components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/PostVulnerabilityResolution.kt‎
Lines changed: 126 additions & 0 deletions
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions
+
+import kotlinx.serialization.Serializable
+
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+
+/**
+ * The request object for creating a vulnerability resolution.
+ */
+@Serializable
+data class PostVulnerabilityResolution(
+    /** The ID of the run in which context the vulnerability resolution is made in. */
+    val contextRunId: Long,
+
+    /**
+     * The list of vulnerability ID matchers (regular expressions) to match the ids of the vulnerabilities to resolve.
+     */
+    val idMatchers: List<String>,
+
+    /** The reason why the vulnerability is resolved. */
+    val reason: VulnerabilityResolutionReason,
+
+    /** A comment to further explain why the [reason] is applicable here. */
+    val comment: String
+)
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions
+
+import org.eclipse.apoapsis.ortserver.dao.dbQuery
+import org.eclipse.apoapsis.ortserver.dao.repositories.userDisplayName.UserDisplayNameDao
+import org.eclipse.apoapsis.ortserver.dao.tables.ChangeLogTable
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
+import org.eclipse.apoapsis.ortserver.model.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.model.ChangeEventEntityType
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
+
+import org.jetbrains.exposed.sql.Database
+
+/**
+ * Service class for managing vulnerability resolution definitions.
+ */
+class VulnerabilityResolutionDefinitionService(private val db: Database, private val ortRunService: OrtRunService) {
+    suspend fun create(
+        hierarchyId: RepositoryId,
+        contextRunId: Long,
+        userDisplayName: UserDisplayName,
+        idMatchers: List<String>,
+        reason: VulnerabilityResolutionReason,
+        comment: String
+    ): VulnerabilityResolutionDefinition = db.dbQuery {
+        val id = VulnerabilityResolutionDefinitionsTable.insert(
+            hierarchyId,
+            contextRunId,
+            idMatchers,
+            reason,
+            comment
+        )
+
+        addChangeLogEvent(id, ChangeEventAction.CREATE, userDisplayName)
+
+        ortRunService.markAsOutdated(listOf(contextRunId), "New vulnerability resolution added.")
+
+        VulnerabilityResolutionDefinitionsTable.get(id)
+    }
+
+    private fun addChangeLogEvent(
+        entityId: Long,
+        action: ChangeEventAction,
+        userDisplayName: UserDisplayName
+    ) {
+        val user =
+            UserDisplayNameDao.insertOrUpdate(userDisplayName) ?: throw NullPointerException("No user created or found")
+
+        ChangeLogTable.insert(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            entityId.toString(),
+            user.id.value,
+            action
+        )
+    }
+}
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions
+
+import io.ktor.server.routing.Route
+
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolution
+import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
+
+/** Add all resolutions routes. */
+fun Route.resolutionsRoutes(
+    ortRunService: OrtRunService,
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) {
+    postVulnerabilityResolution(ortRunService, vulnerabilityResolutionDefinitionService)
+}
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.post
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.request.receive
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.PostVulnerabilityResolution
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.postVulnerabilityResolution(
+    ortRunService: OrtRunService,
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = post("/resolutions/vulnerabilities", {
+    operationId = "postVulnerabilityResolution"
+    summary = "Create a vulnerability resolution"
+    tags = listOf("Resolutions")
+
+    request {
+        jsonBody<PostVulnerabilityResolution> {
+            example("Create Vulnerability Resolution") {
+                value = PostVulnerabilityResolution(
+                    contextRunId = 1,
+                    idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                    reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                    comment = "Comment"
+                )
+            }
+        }
+    }
+
+    response {
+        HttpStatusCode.Created to {
+            description = "Success"
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Create Vulnerability Resolution") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                        comment = "Comment",
+                        archived = false,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                ChangeEventAction.CREATE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+    }
+}) {
+    val createResolution = call.receive<PostVulnerabilityResolution>()
+
+    val repositoryId = ortRunService.getRepositoryIdForOrtRun(createResolution.contextRunId)
+        ?: throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(repositoryId))
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@post
+    }
+
+    val vulnerabilityResolutionDefinition = vulnerabilityResolutionDefinitionService.create(
+        RepositoryId(repositoryId),
+        createResolution.contextRunId,
+        userDisplayName,
+        createResolution.idMatchers,
+        createResolution.reason.mapToModel(),
+        createResolution.comment
+    ).mapToApi()
+
+    call.respond(HttpStatusCode.Created, vulnerabilityResolutionDefinition)
+}