feat: Add table for storing vulnerability resolution definitions

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

dao/src/main/kotlin/tables/VulnerabilityResolutionDefinitionsTable.kt

@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.dao.tables
+
+import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
+import org.eclipse.apoapsis.ortserver.dao.utils.jsonb
+import org.eclipse.apoapsis.ortserver.model.ChangeEventEntityType
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.OptionalValue
+
+import org.jetbrains.exposed.dao.id.LongIdTable
+import org.jetbrains.exposed.sql.ResultRow
+import org.jetbrains.exposed.sql.insertAndGetId
+import org.jetbrains.exposed.sql.update
+
+/**
+ * A table to store definitions of vulnerability resolutions.
+ */
+object VulnerabilityResolutionDefinitionsTable : LongIdTable("vulnerability_resolution_definitions") {
+    val repositoryId = reference("repository_id", RepositoriesTable)
+
+    val contextRunId = long("context_run_id")
+    val idMatchers = jsonb<List<String>>("id_matchers")
+    val reason = text("reason")
+    val comment = text("comment")
+    val archived = bool("archived").default(false)
+
+    fun insert(
+        hierarchyId: RepositoryId,
+        runIdInput: Long,
+        idMatchersInput: List<String>,
+        reasonInput: VulnerabilityResolutionReason,
+        commentInput: String
+    ): Long {
+        return insertAndGetId {
+            it[repositoryId] = hierarchyId.value
+            it[contextRunId] = runIdInput
+            it[idMatchers] = idMatchersInput
+            it[reason] = reasonInput.name
+            it[comment] = commentInput
+        }.value
+    }
+
+    fun get(definitionId: Long): VulnerabilityResolutionDefinition {
+        return select(columns)
+            .where { id eq definitionId }
+            .single()
+            .toVulnerabilityResolutionDefinition()
+    }
+
+    fun getOrNull(definitionId: Long): VulnerabilityResolutionDefinition? {
+        val row = select(columns)
+            .where { id eq definitionId }
+            .singleOrNull() ?: return null
+
+        return row.toVulnerabilityResolutionDefinition()
+    }
+
+    fun updateDefinition(
+        definitionId: Long,
+        idMatchersInput: OptionalValue<List<String>> = OptionalValue.Absent,
+        reasonInput: OptionalValue<VulnerabilityResolutionReason> = OptionalValue.Absent,
+        commentInput: OptionalValue<String> = OptionalValue.Absent,
+        archivedInput: OptionalValue<Boolean> = OptionalValue.Absent
+    ) {
+        update({ id eq definitionId }) { stmt ->
+            idMatchersInput.ifPresent { stmt[idMatchers] = it }
+            reasonInput.ifPresent { stmt[reason] = it.name }
+            commentInput.ifPresent { stmt[comment] = it }
+            archivedInput.ifPresent { stmt[archived] = it }
+        }
+    }
+
+    fun ResultRow.toVulnerabilityResolutionDefinition() = VulnerabilityResolutionDefinition(
+        this[id].value,
+        RepositoryId(this[repositoryId].value),
+        this[idMatchers],
+        VulnerabilityResolutionReason.valueOf(this[reason]),
+        this[comment],
+        this[archived],
+        ChangeLogTable.getAllByEntityTypeAndId(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            this[id].value.toString()
+        )
+    )
+}

dao/src/main/resources/db/migration/V122__addVulnerabilityResolutionDefinitionsTable.sql

@@ -0,0 +1,16 @@
+CREATE TABLE vulnerability_resolution_definitions
+(
+    id              bigserial   PRIMARY KEY,
+    repository_id   bigint      REFERENCES repositories         NOT NULL,
+    context_run_id  bigint                                      NOT NULL,
+    id_matchers     jsonb                                       NOT NULL,
+    reason          text                                        NOT NULL,
+    comment         text                                        NOT NULL,
+    archived        boolean     DEFAULT FALSE                   NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_vulnerability_resolution_definitions_repository_id
+ON vulnerability_resolution_definitions(repository_id);
+
+CREATE INDEX IF NOT EXISTS idx_vulnerability_resolution_definitions_context_run_id
+ON vulnerability_resolution_definitions(context_run_id);

model/src/commonMain/kotlin/VulnerabilityResolutionDefinition.kt

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+/*
+ * A data class representing a vulnerability resolution definition.
+ */
+data class VulnerabilityResolutionDefinition(
+    /** The unique identifier of the vulnerability resolution definition. */
+    val id: Long,
+
+    /**
+     * The ID of the hierarchy to which this vulnerability resolution definition is scoped to. In the initial
+     * implementation this is always the repository level.
+     */
+    val hierarchyId: RepositoryId,
+
+    /** The list of vulnerability ID matchers (regular expressions) to match the ids of the vulnerability to resolve. */
+    val idMatchers: List<String>,
+
+    /** The reason why the vulnerability is resolved. */
+    val reason: VulnerabilityResolutionReason,
+
+    /** A comment to further explain why the [reason] is applicable here. */
+    val comment: String,
+
+    /** Whether the vulnerability resolution definition is archived. */
+    val archived: Boolean,
+
+    /** The list of change events associated with this vulnerability resolution definition. */
+    val changes: List<ChangeEvent>
+)

model/src/commonMain/kotlin/VulnerabilityResolutionReason.kt

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+/**
+ * Possible reasons for resolving an [Vulnerability] using a [VulnerabilityResolution].
+ */
+enum class VulnerabilityResolutionReason {
+    /**
+     * No remediation is available for this vulnerability, e.g., because it requires a change to be made
+     * by a third party that is not responsive.
+     */
+    CANT_FIX_VULNERABILITY,
+
+    /**
+     * The code in which the vulnerability was found is neither invoked in the project's code nor indirectly
+     * via another open source component.
+     */
+    INEFFECTIVE_VULNERABILITY,
+
+    /**
+     * The vulnerability is irrelevant due to a tooling or database mismatch, e.g., the package version used
+     * does not match the version for which the vulnerability provider has reported a vulnerability.
+     */
+    INVALID_MATCH_VULNERABILITY,
+
+    /**
+     * The vulnerability is valid but has been mitigated, e.g., measures have been taken to ensure
+     * this vulnerability can not be exploited.
+     */
+    MITIGATED_VULNERABILITY,
+
+    /**
+     * The vulnerability was reported, and got a CVE assigned. However, the CVE was later deemed to not be a
+     * vulnerability.
+     */
+    NOT_A_VULNERABILITY,
+
+    /**
+     * This vulnerability will never be fixed, e.g., because the package which is affected is orphaned,
+     * declared end-of-life, or otherwise deprecated.
+     */
+    WILL_NOT_FIX_VULNERABILITY,
+
+    /**
+     * The vulnerability is valid but a temporary workaround has been put in place to avoid exposure
+     * to the vulnerability.
+     */
+    WORKAROUND_FOR_VULNERABILITY
+}