feat: Edit returning resolutions for vulnerabilities

If the vulnerability resolution has been defined in the server, add the
definition for the resolution in the vulnerabilities for run query.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt

@@ -92,6 +92,7 @@ import org.eclipse.apoapsis.ortserver.model.AdvisorJob
 import org.eclipse.apoapsis.ortserver.model.AdvisorJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.AnalyzerJob
 import org.eclipse.apoapsis.ortserver.model.AnalyzerJobConfiguration
+import org.eclipse.apoapsis.ortserver.model.AppliedVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.model.ContentManagementSection
 import org.eclipse.apoapsis.ortserver.model.EcosystemStats
 import org.eclipse.apoapsis.ortserver.model.EnvironmentConfig
@@ -597,6 +598,14 @@ fun AdvisorDetails.mapToApi() = ApiAdvisorDetails(
     capabilities = capabilities.map { ApiAdvisorCapability.valueOf(it.name) }.toSet()
 )
 
+fun AppliedVulnerabilityResolution.mapToApi() =
+    ApiVulnerabilityResolution(
+        externalId = resolution.externalId,
+        reason = resolution.reason,
+        comment = resolution.comment,
+        definition = definition?.mapToApi()
+    )
+
 fun VulnerabilityWithDetails.mapToApi() =
     ApiVulnerabilityWithDetails(
         vulnerability = vulnerability.mapToApi(),

api/v1/model/src/commonMain/kotlin/VulnerabilityResolution.kt

@@ -21,6 +21,8 @@ package org.eclipse.apoapsis.ortserver.api.v1.model
 
 import kotlinx.serialization.Serializable
 
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+
 /**
  * Defines the resolution of a Vulnerability. This can be used to silence false positives, or vulnerabilities that
  * have been identified as not being relevant.
@@ -29,5 +31,8 @@ import kotlinx.serialization.Serializable
 data class VulnerabilityResolution(
     val externalId: String,
     val reason: String,
-    val comment: String
+    val comment: String,
+
+    /** The definition of the [VulnerabilityResolution], if available. */
+    val definition: VulnerabilityResolutionDefinition? = null
 )

core/src/main/kotlin/apiDocs/RunsDocs.kt

@@ -58,12 +58,16 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityRating
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityReference
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.api.v1.model.VulnerabilityWithDetails
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
 import org.eclipse.apoapsis.ortserver.shared.apimodel.PagedResponse
 import org.eclipse.apoapsis.ortserver.shared.apimodel.PagedSearchResponse
 import org.eclipse.apoapsis.ortserver.shared.apimodel.PagingData
 import org.eclipse.apoapsis.ortserver.shared.apimodel.SortDirection
 import org.eclipse.apoapsis.ortserver.shared.apimodel.SortProperty
 import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.standardListQueryParameters
 
@@ -300,7 +304,21 @@ val getRunVulnerabilities: RouteConfig.() -> Unit = {
                                     VulnerabilityResolution(
                                         externalId = "CVE-2021-1234",
                                         reason = "INEFFECTIVE_VULNERABILITY",
-                                        comment = "A comment why the vulnerability can be resolved."
+                                        comment = "A comment why the vulnerability can be resolved.",
+                                        definition = VulnerabilityResolutionDefinition(
+                                            id = 1,
+                                            idMatchers = listOf("CVE-2021-1234"),
+                                            reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                                            comment = "A comment why the vulnerability can be resolved.",
+                                            archived = false,
+                                            changes = listOf(
+                                                ChangeEvent(
+                                                    user = UserDisplayName(username = "test"),
+                                                    occurredAt = CREATED_AT,
+                                                    action = ChangeEventAction.CREATE
+                                                )
+                                            )
+                                        )
                                     )
                                 ),
                                 advisor = AdvisorDetails(

core/src/test/kotlin/api/RunsRouteIntegrationTest.kt

@@ -101,9 +101,11 @@ import org.eclipse.apoapsis.ortserver.model.LogSource
 import org.eclipse.apoapsis.ortserver.model.OrtRun
 import org.eclipse.apoapsis.ortserver.model.OrtRunStatus
 import org.eclipse.apoapsis.ortserver.model.PluginConfig
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.Severity
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.model.repositories.OrtRunRepository
 import org.eclipse.apoapsis.ortserver.model.runs.AnalyzerConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.Environment
@@ -131,6 +133,8 @@ import org.eclipse.apoapsis.ortserver.shared.apimodel.PagedResponse
 import org.eclipse.apoapsis.ortserver.shared.apimodel.PagedSearchResponse
 import org.eclipse.apoapsis.ortserver.shared.apimodel.SortDirection
 import org.eclipse.apoapsis.ortserver.shared.apimodel.SortProperty
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason as ApiVulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.shouldHaveBody
 import org.eclipse.apoapsis.ortserver.storage.Key
 import org.eclipse.apoapsis.ortserver.storage.Storage
@@ -811,6 +815,68 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "return the definition of the vulnerability resolution if it originated from the server" {
+            integrationTestApplication {
+                val run1 = dbExtension.fixtures.createOrtRun(repositoryId)
+                val definitionId = dbExtension.fixtures.createVulnerabilityResolutionDefinition(
+                    RepositoryId(repositoryId),
+                    run1.id,
+                    listOf("CVE-2021-1234"),
+                    VulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY
+                )
+
+                val run2 = dbExtension.fixtures.createOrtRun(repositoryId)
+                val advisorJobId = dbExtension.fixtures.createAdvisorJob(run2.id).id
+                dbExtension.fixtures.createAdvisorRun(advisorJobId, generateAdvisorResult())
+
+                val vulnerabilityResolution = VulnerabilityResolution(
+                    "CVE-2018-14721",
+                    "INEFFECTIVE_VULNERABILITY",
+                    "Comment."
+                )
+
+                val repositoryConfiguration =
+                    dbExtension.fixtures.createRepositoryConfiguration(run2.id, listOf(vulnerabilityResolution))
+
+                dbExtension.fixtures.resolvedConfigurationRepository.addResolutions(
+                    run2.id,
+                    repositoryConfiguration.resolutions
+                )
+
+                val response = superuserClient.get("/api/v1/runs/${run2.id}/vulnerabilities")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                val vulnerabilities = response.body<PagedResponse<VulnerabilityWithDetails>>()
+
+                vulnerabilities.data shouldHaveSize 2
+
+                with(vulnerabilities.data.first()) {
+                    vulnerability.externalId shouldBe "CVE-2018-14721"
+                    resolutions shouldHaveSize 1
+
+                    with(resolutions.first()) {
+                        definition should beNull()
+                    }
+                }
+
+                with(vulnerabilities.data.last()) {
+                    vulnerability.externalId shouldBe "CVE-2021-1234"
+                    resolutions shouldHaveSize 1
+
+                    with(resolutions.first()) {
+                        definition shouldBe VulnerabilityResolutionDefinition(
+                            id = definitionId,
+                            idMatchers = listOf("CVE-2021-1234"),
+                            reason = ApiVulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY,
+                            comment = "Comment.",
+                            archived = false,
+                            changes = emptyList()
+                        )
+                    }
+                }
+            }
+        }
+
         "require RepositoryPermission.READ_ORT_RUNS" {
             val run = ortRunRepository.create(
                 repositoryId,

dao/src/testFixtures/kotlin/Fixtures.kt

@@ -71,6 +71,12 @@ import org.eclipse.apoapsis.ortserver.model.runs.ShortestDependencyPath
 import org.eclipse.apoapsis.ortserver.model.runs.VcsInfo
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.AdvisorConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.AdvisorResult
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Curations
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Excludes
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Includes
+import org.eclipse.apoapsis.ortserver.model.runs.repository.LicenseChoices
+import org.eclipse.apoapsis.ortserver.model.runs.repository.Resolutions
+import org.eclipse.apoapsis.ortserver.model.runs.repository.VulnerabilityResolution
 
 import org.jetbrains.exposed.sql.Database
 
@@ -299,6 +305,25 @@ class Fixtures(private val db: Database) {
         results = results
     )
 
+    fun createRepositoryConfiguration(
+        runId: Long = ortRun.id,
+        vulnerabilityResolutions: List<VulnerabilityResolution> = emptyList()
+    ) = repositoryConfigurationRepository.create(
+        ortRunId = runId,
+        analyzerConfig = null,
+        excludes = Excludes(emptyList(), emptyList()),
+        includes = Includes(emptyList()),
+        resolutions = Resolutions(
+            issues = emptyList(),
+            ruleViolations = emptyList(),
+            vulnerabilities = vulnerabilityResolutions
+        ),
+        curations = Curations(emptyList(), emptyList()),
+        packageConfigurations = emptyList(),
+        licenseChoices = LicenseChoices(emptyList(), emptyList()),
+        provenanceSnippetChoices = emptyList()
+    )
+
     fun generatePackage(
         identifier: Identifier,
         authors: Set<String> = emptySet(),

model/src/commonMain/kotlin/AppliedVulnerabilityResolution.kt

@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+import org.eclipse.apoapsis.ortserver.model.runs.repository.VulnerabilityResolution
+
+/**
+ * A data class that represents a [VulnerabilityResolution] that has been applied, along with its definition if
+ * available.
+ */
+data class AppliedVulnerabilityResolution(
+    /** The applied [VulnerabilityResolution]. */
+    val resolution: VulnerabilityResolution,
+
+    /** The definition of the [VulnerabilityResolution], if available. */
+    val definition: VulnerabilityResolutionDefinition? = null
+)

model/src/commonMain/kotlin/VulnerabilityWithDetails.kt

@@ -22,7 +22,6 @@ package org.eclipse.apoapsis.ortserver.model
 import org.eclipse.apoapsis.ortserver.model.runs.Identifier
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.AdvisorDetails
 import org.eclipse.apoapsis.ortserver.model.runs.advisor.Vulnerability
-import org.eclipse.apoapsis.ortserver.model.runs.repository.VulnerabilityResolution
 
 /**
  * A data class to gather information and related data about a [Vulnerability].
@@ -34,7 +33,7 @@ data class VulnerabilityWithDetails(
     /** An advisory rating for the [Vulnerability], derived from the individual references of the [Vulnerability]. */
     val rating: VulnerabilityRating,
 
-    val resolutions: List<VulnerabilityResolution> = emptyList(),
+    val resolutions: List<AppliedVulnerabilityResolution> = emptyList(),
 
     /** Details about the used advisor. */
     val advisor: AdvisorDetails,

services/ort-run/src/main/kotlin/VulnerabilityService.kt

@@ -37,18 +37,25 @@ import org.eclipse.apoapsis.ortserver.dao.repositories.ortrun.OrtRunsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repository.RepositoriesTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.PackageCurationDataTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.PackageCurationsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsVulnerabilityResolutionsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.VulnerabilityResolutionsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.ResolvedConfigurationsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.ResolvedPackageCurationProvidersTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.ResolvedPackageCurationsTable
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable.toVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifierDao
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifiersTable
 import org.eclipse.apoapsis.ortserver.dao.utils.applyILike
+import org.eclipse.apoapsis.ortserver.model.AppliedVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.model.CountByCategory
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityFilters
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityForRunsFilters
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityRating
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityWithAccumulatedData
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityWithDetails
+import org.eclipse.apoapsis.ortserver.model.runs.repository.VulnerabilityResolution as ModelVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.model.util.ComparisonOperator
 import org.eclipse.apoapsis.ortserver.model.util.ListQueryParameters
 import org.eclipse.apoapsis.ortserver.model.util.ListQueryResult
@@ -85,7 +92,7 @@ import org.ossreviewtoolkit.model.utils.toPurl
  * A service to interact with vulnerabilities.
  */
 class VulnerabilityService(private val db: Database, private val ortRunService: OrtRunService) {
-    fun listForOrtRunId(
+    suspend fun listForOrtRunId(
         ortRunId: Long,
         parameters: ListQueryParameters = ListQueryParameters.DEFAULT,
         vulnerabilityFilters: VulnerabilityFilters = VulnerabilityFilters()
@@ -159,11 +166,43 @@ class VulnerabilityService(private val db: Database, private val ortRunService:
             .drop(parameters.offset?.toInt() ?: 0)
             .take(parameters.limit ?: ListQueryParameters.DEFAULT_LIMIT)
 
+        val vulnerabilityResolutionDefinitions = db.dbQuery {
+            RepositoryConfigurationsVulnerabilityResolutionsTable
+                .innerJoin(VulnerabilityResolutionsTable)
+                .innerJoin(RepositoryConfigurationsTable)
+                .innerJoin(VulnerabilityResolutionDefinitionsTable)
+                .select(
+                    VulnerabilityResolutionsTable.columns + VulnerabilityResolutionDefinitionsTable.columns
+                )
+                .where { RepositoryConfigurationsTable.ortRunId eq ortRunId }
+                .map { row ->
+                    row.toVulnerabilityResolutionDefinition() to ModelVulnerabilityResolution(
+                        row[VulnerabilityResolutionsTable.externalId],
+                        row[VulnerabilityResolutionsTable.reason],
+                        row[VulnerabilityResolutionsTable.comment]
+                    )
+                }
+        }
+
         val vulnerabilitiesWithResolutions = limitedVulnerabilities.map { vulnerabilityWithDetails ->
             val matchingResolutions = resolutions.filter {
                 it.matches(vulnerabilityWithDetails.vulnerability.mapToOrt())
             }
-            vulnerabilityWithDetails.copy(resolutions = matchingResolutions.map { it.mapToModel() })
+            vulnerabilityWithDetails.copy(
+                resolutions = matchingResolutions.map {
+                    val resolution = it.mapToModel()
+
+                    val definition = vulnerabilityResolutionDefinitions
+                        .firstOrNull { (_, value) ->
+                            resolution == value
+                        }?.first
+
+                    AppliedVulnerabilityResolution(
+                        resolution,
+                        definition
+                    )
+                }
+            )
         }
 
         return ListQueryResult(