feat: Add table for storing vulnerability resolution definitions

The vulnerability resolution definitions will be used to allow users to
make vulnerability resolutions on the server, after which they will be
injected into repository configuration for runs.

In the first implementation, the scope of the resolutions will be the
repository. The definition allows to add multiple ID matchers in case the
same vulnerability is found with different external IDs from different
advisors.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

dao/src/main/kotlin/tables/VulnerabilityResolutionDefinitionsTable.kt

@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.dao.tables
+
+import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
+import org.eclipse.apoapsis.ortserver.dao.utils.jsonb
+import org.eclipse.apoapsis.ortserver.model.ChangeEventEntityType
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.OptionalValue
+
+import org.jetbrains.exposed.dao.id.LongIdTable
+import org.jetbrains.exposed.sql.ResultRow
+import org.jetbrains.exposed.sql.insertAndGetId
+import org.jetbrains.exposed.sql.update
+
+/**
+ * A table to store definitions of vulnerability resolutions.
+ */
+object VulnerabilityResolutionDefinitionsTable : LongIdTable("vulnerability_resolution_definitions") {
+    val repositoryId = reference("repository_id", RepositoriesTable)
+
+    val contextRunId = long("context_run_id")
+    val idMatchers = jsonb<List<String>>("id_matchers")
+    val reason = text("reason")
+    val comment = text("comment")
+    val archived = bool("archived").default(false)
+
+    fun insert(
+        hierarchyId: RepositoryId,
+        runIdInput: Long,
+        idMatchersInput: List<String>,
+        reasonInput: VulnerabilityResolutionReason,
+        commentInput: String
+    ): Long {
+        return insertAndGetId {
+            it[repositoryId] = hierarchyId.value
+            it[contextRunId] = runIdInput
+            it[idMatchers] = idMatchersInput
+            it[reason] = reasonInput.name
+            it[comment] = commentInput
+        }.value
+    }
+
+    fun get(definitionId: Long): VulnerabilityResolutionDefinition {
+        return select(columns)
+            .where { id eq definitionId }
+            .single()
+            .toVulnerabilityResolutionDefinition()
+    }
+
+    fun getOrNull(definitionId: Long): VulnerabilityResolutionDefinition? {
+        val row = select(columns)
+            .where { id eq definitionId }
+            .singleOrNull() ?: return null
+
+        return row.toVulnerabilityResolutionDefinition()
+    }
+
+    fun updateDefinition(
+        definitionId: Long,
+        idMatchersInput: OptionalValue<List<String>> = OptionalValue.Absent,
+        reasonInput: OptionalValue<VulnerabilityResolutionReason> = OptionalValue.Absent,
+        commentInput: OptionalValue<String> = OptionalValue.Absent,
+        archivedInput: OptionalValue<Boolean> = OptionalValue.Absent
+    ) {
+        update({ id eq definitionId }) { stmt ->
+            idMatchersInput.ifPresent { stmt[idMatchers] = it }
+            reasonInput.ifPresent { stmt[reason] = it.name }
+            commentInput.ifPresent { stmt[comment] = it }
+            archivedInput.ifPresent { stmt[archived] = it }
+        }
+    }
+
+    fun ResultRow.toVulnerabilityResolutionDefinition() = VulnerabilityResolutionDefinition(
+        this[id].value,
+        RepositoryId(this[repositoryId].value),
+        this[idMatchers],
+        VulnerabilityResolutionReason.valueOf(this[reason]),
+        this[comment],
+        this[archived],
+        ChangeLogTable.getAllByEntityTypeAndId(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            this[id].value.toString()
+        )
+    )
+}

dao/src/main/resources/db/migration/V122__addVulnerabilityResolutionDefinitionsTable.sql

@@ -0,0 +1,16 @@
+CREATE TABLE vulnerability_resolution_definitions
+(
+    id              bigserial   PRIMARY KEY,
+    repository_id   bigint      REFERENCES repositories         NOT NULL,
+    context_run_id  bigint                                      NOT NULL,
+    id_matchers     jsonb                                       NOT NULL,
+    reason          text                                        NOT NULL,
+    comment         text                                        NOT NULL,
+    archived        boolean     DEFAULT FALSE                   NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_vulnerability_resolution_definitions_repository_id
+ON vulnerability_resolution_definitions(repository_id);
+
+CREATE INDEX IF NOT EXISTS idx_vulnerability_resolution_definitions_context_run_id
+ON vulnerability_resolution_definitions(context_run_id);

model/src/commonMain/kotlin/VulnerabilityResolutionDefinition.kt

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+/*
+ * A data class representing a vulnerability resolution definition.
+ */
+data class VulnerabilityResolutionDefinition(
+    /** The unique identifier of the vulnerability resolution definition. */
+    val id: Long,
+
+    /**
+     * The ID of the hierarchy to which this vulnerability resolution definition is scoped to. In the initial
+     * implementation this is always the repository level.
+     */
+    val hierarchyId: RepositoryId,
+
+    /** The list of vulnerability ID matchers (regular expressions) to match the ids of the vulnerability to resolve. */
+    val idMatchers: List<String>,
+
+    /** The reason why the vulnerability is resolved. */
+    val reason: VulnerabilityResolutionReason,
+
+    /** A comment to further explain why the [reason] is applicable here. */
+    val comment: String,
+
+    /** Whether the vulnerability resolution definition is archived. */
+    val archived: Boolean,
+
+    /** The list of change events associated with this vulnerability resolution definition. */
+    val changes: List<ChangeEvent>
+)

model/src/commonMain/kotlin/VulnerabilityResolutionReason.kt

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+/**
+ * Possible reasons for resolving an [Vulnerability] using a [VulnerabilityResolution].
+ */
+enum class VulnerabilityResolutionReason {
+    /**
+     * No remediation is available for this vulnerability, e.g., because it requires a change to be made
+     * by a third party that is not responsive.
+     */
+    CANT_FIX_VULNERABILITY,
+
+    /**
+     * The code in which the vulnerability was found is neither invoked in the project's code nor indirectly
+     * via another open source component.
+     */
+    INEFFECTIVE_VULNERABILITY,
+
+    /**
+     * The vulnerability is irrelevant due to a tooling or database mismatch, e.g., the package version used
+     * does not match the version for which the vulnerability provider has reported a vulnerability.
+     */
+    INVALID_MATCH_VULNERABILITY,
+
+    /**
+     * The vulnerability is valid but has been mitigated, e.g., measures have been taken to ensure
+     * this vulnerability can not be exploited.
+     */
+    MITIGATED_VULNERABILITY,
+
+    /**
+     * The vulnerability was reported, and got a CVE assigned. However, the CVE was later deemed to not be a
+     * vulnerability.
+     */
+    NOT_A_VULNERABILITY,
+
+    /**
+     * This vulnerability will never be fixed, e.g., because the package which is affected is orphaned,
+     * declared end-of-life, or otherwise deprecated.
+     */
+    WILL_NOT_FIX_VULNERABILITY,
+
+    /**
+     * The vulnerability is valid but a temporary workaround has been put in place to avoid exposure
+     * to the vulnerability.
+     */
+    WORKAROUND_FOR_VULNERABILITY
+}