feat(dao): Inject vulnerability resolutions to repository configuration

Inject vulnerability resolutions that have been made for the repository on
the server into the repository configuration.

Also save the connection between the vulnerability resolution definition
and the repository configuration in order to be able to connect the
applied resolution to the definition in a later phase when returning
vulnerabilities for a run.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

dao/src/main/kotlin/repositories/repositoryconfiguration/DaoRepositoryConfigurationRepository.kt

@@ -23,6 +23,7 @@ import org.eclipse.apoapsis.ortserver.dao.blockingQuery
 import org.eclipse.apoapsis.ortserver.dao.entityQuery
 import org.eclipse.apoapsis.ortserver.dao.mapAndDeduplicate
 import org.eclipse.apoapsis.ortserver.dao.repositories.ortrun.OrtRunDao
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifierDao
 import org.eclipse.apoapsis.ortserver.model.repositories.RepositoryConfigurationRepository
 import org.eclipse.apoapsis.ortserver.model.runs.repository.Curations
@@ -36,8 +37,12 @@ import org.eclipse.apoapsis.ortserver.model.runs.repository.ProvenanceSnippetCho
 import org.eclipse.apoapsis.ortserver.model.runs.repository.RepositoryAnalyzerConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.repository.RepositoryConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.repository.Resolutions
+import org.eclipse.apoapsis.ortserver.model.runs.repository.VulnerabilityResolution
 
 import org.jetbrains.exposed.sql.Database
+import org.jetbrains.exposed.sql.SizedCollection
+import org.jetbrains.exposed.sql.SizedIterable
+import org.jetbrains.exposed.sql.and
 
 /**
  * An implementation of [RepositoryConfigurationRepository] that stores repository configurations in
@@ -55,7 +60,38 @@ class DaoRepositoryConfigurationRepository(private val db: Database) : Repositor
         licenseChoices: LicenseChoices,
         provenanceSnippetChoices: List<ProvenanceSnippetChoices>
     ): RepositoryConfiguration = db.blockingQuery {
-        RepositoryConfigurationDao.new {
+        val ortRun = OrtRunDao[ortRunId].mapToModel()
+        val vulnerabilityResolutions = mapAndDeduplicate(
+            resolutions.vulnerabilities,
+            VulnerabilityResolutionDao::getOrPut
+        )
+
+        val idToVulnerabilityResolutionDaos = VulnerabilityResolutionDefinitionsTable
+            .select(VulnerabilityResolutionDefinitionsTable.columns)
+            .where {
+                (VulnerabilityResolutionDefinitionsTable.repositoryId eq ortRun.repositoryId) and
+                        (VulnerabilityResolutionDefinitionsTable.archived eq false)
+            }
+            .associateBy({ row -> row[VulnerabilityResolutionDefinitionsTable.id].value }, { row ->
+                row[VulnerabilityResolutionDefinitionsTable.idMatchers].map { idMatcher ->
+                    VulnerabilityResolutionDao.getOrPut(
+                        VulnerabilityResolution(
+                            idMatcher,
+                            row[VulnerabilityResolutionDefinitionsTable.reason],
+                            row[VulnerabilityResolutionDefinitionsTable.comment]
+                        )
+                    )
+                }
+            })
+
+        val combinedVulnerabilityResolutions: SizedIterable<VulnerabilityResolutionDao> = SizedCollection(
+            buildList {
+                addAll(vulnerabilityResolutions.toList())
+                addAll(idToVulnerabilityResolutionDaos.values.flatten())
+            }.distinctBy { it.id.value }
+        )
+
+        val repositoryConfiguration = RepositoryConfigurationDao.new {
             this.ortRun = OrtRunDao[ortRunId]
             this.repositoryAnalyzerConfiguration = analyzerConfig?.let {
                 RepositoryAnalyzerConfigurationDao.getOrPut(it)
@@ -66,8 +102,7 @@ class DaoRepositoryConfigurationRepository(private val db: Database) : Repositor
             this.issueResolutions = mapAndDeduplicate(resolutions.issues, IssueResolutionDao::getOrPut)
             this.ruleViolationResolutions =
                 mapAndDeduplicate(resolutions.ruleViolations, RuleViolationResolutionDao::getOrPut)
-            this.vulnerabilityResolutions =
-                mapAndDeduplicate(resolutions.vulnerabilities, VulnerabilityResolutionDao::getOrPut)
+            this.vulnerabilityResolutions = combinedVulnerabilityResolutions
             this.curations = mapAndDeduplicate(curations.packages, ::createPackageCuration)
             this.licenseFindingCurations =
                 mapAndDeduplicate(curations.licenseFindings, LicenseFindingCurationDao::getOrPut)
@@ -78,6 +113,19 @@ class DaoRepositoryConfigurationRepository(private val db: Database) : Repositor
                 mapAndDeduplicate(licenseChoices.packageLicenseChoices, ::createPackageLicenseChoice)
             this.provenanceSnippetChoices = mapAndDeduplicate(provenanceSnippetChoices, SnippetChoicesDao::getOrPut)
         }.mapToModel()
+
+        idToVulnerabilityResolutionDaos.forEach {
+                (vulnerabilityResolutionDefinitionId, vulnerabilityResolutionDaoList) ->
+            vulnerabilityResolutionDaoList.forEach {
+                RepositoryConfigurationsVulnerabilityResolutionsTable.addDefinitionId(
+                    repositoryConfiguration.id,
+                    it.id.value,
+                    vulnerabilityResolutionDefinitionId
+                )
+            }
+        }
+
+        repositoryConfiguration
     }
 
     override fun get(id: Long): RepositoryConfiguration? = db.entityQuery {

dao/src/main/kotlin/repositories/repositoryconfiguration/RepositoryConfigurationsVulnerabilityResolutionsTable.kt

@@ -19,7 +19,11 @@
 
 package org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration
 
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
+
 import org.jetbrains.exposed.sql.Table
+import org.jetbrains.exposed.sql.and
+import org.jetbrains.exposed.sql.update
 
 /**
  * An intermediate table to store references from [RepositoryConfigurationsTable] and [VulnerabilityResolutionsTable].
@@ -28,7 +32,19 @@ object RepositoryConfigurationsVulnerabilityResolutionsTable :
     Table("repository_configurations_vulnerability_resolutions") {
     val repositoryConfigurationId = reference("repository_configuration_id", RepositoryConfigurationsTable)
     val vulnerabilityResolutionId = reference("vulnerability_resolution_id", VulnerabilityResolutionsTable)
+    val vulnerabilityResolutionDefinitionId = reference(
+        "vulnerability_resolution_definition_id",
+        VulnerabilityResolutionDefinitionsTable
+    ).nullable()
 
     override val primaryKey: PrimaryKey
         get() = PrimaryKey(repositoryConfigurationId, vulnerabilityResolutionId, name = "${tableName}_pkey")
+
+    fun addDefinitionId(repositoryConfigId: Long, vulnerabilityResId: Long, vulnerabilityResolutionDefId: Long) =
+        update({
+            (repositoryConfigurationId eq repositoryConfigId) and
+                    (vulnerabilityResolutionId eq vulnerabilityResId)
+        }) { stmt ->
+            stmt[vulnerabilityResolutionDefinitionId] = vulnerabilityResolutionDefId
+        }
 }

dao/src/main/resources/db/migration/V123__addVulnerabilityResolutionDefinitionIdToRepositoryConfigurationsVulnerabilityResolutionsTable.sql

@@ -0,0 +1,3 @@
+ALTER TABLE repository_configurations_vulnerability_resolutions
+    ADD COLUMN vulnerability_resolution_definition_id bigint
+    REFERENCES vulnerability_resolution_definitions NULL;

dao/src/test/kotlin/repositories/repositoryconfiguration/DaoRepositoryConfigurationRepositoryTest.kt

@@ -21,14 +21,18 @@ package org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration
 
 import io.kotest.core.spec.style.WordSpec
 import io.kotest.matchers.collections.containExactly
+import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
+import io.kotest.matchers.collections.shouldHaveSize
 import io.kotest.matchers.nulls.shouldBeNull
 import io.kotest.matchers.nulls.shouldNotBeNull
 import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
 
 import org.eclipse.apoapsis.ortserver.dao.test.DatabaseTestExtension
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.model.runs.Identifier
 import org.eclipse.apoapsis.ortserver.model.runs.PackageManagerConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.RemoteArtifact
@@ -141,6 +145,62 @@ class DaoRepositoryConfigurationRepositoryTest : WordSpec({
                 includes.paths should containExactly(pathInclude)
             }
         }
+
+        "inject vulnerability resolutions that have been defined for the repository" {
+            fixtures.createVulnerabilityResolutionDefinition(
+                idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY
+            )
+
+            val ortRun2Id = fixtures.createOrtRun().id
+
+            val createdRepositoryConfiguration = repositoryConfigurationRepository.create(
+                ortRun2Id, repositoryConfig
+            )
+
+            val dbEntry = repositoryConfigurationRepository.get(createdRepositoryConfiguration.id)
+
+            dbEntry shouldNotBeNull {
+                resolutions.vulnerabilities shouldHaveSize 3
+                resolutions.vulnerabilities shouldContainExactlyInAnyOrder listOf(
+                    vulnerabilityResolution,
+                    VulnerabilityResolution(
+                        "CVE-2020-15250",
+                        VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY.name,
+                        "Comment."
+                    ),
+                    VulnerabilityResolution(
+                        "GHSA-269g-pwp5-87pp",
+                        VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY.name,
+                        "Comment."
+                    )
+                )
+            }
+        }
+
+        "not inject vulnerability resolutions made for other repositories" {
+            fixtures.createVulnerabilityResolutionDefinition(
+                RepositoryId(fixtures.ortRun.repositoryId),
+                ortRunId,
+                listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "comment"
+            )
+
+            val repo2Id = fixtures.createRepository(url = "https://example.com/repo2.git").id
+            val run2Id = fixtures.createOrtRun(repo2Id).id
+
+            val createdRepositoryConfiguration = repositoryConfigurationRepository.create(
+                run2Id, repositoryConfig
+            )
+
+            val dbEntry = repositoryConfigurationRepository.get(createdRepositoryConfiguration.id)
+
+            dbEntry shouldNotBeNull {
+                resolutions.vulnerabilities shouldHaveSize 1
+                resolutions.vulnerabilities.first() shouldBe vulnerabilityResolution
+            }
+        }
     }
 
     "get" should {

dao/src/testFixtures/kotlin/Fixtures.kt

@@ -22,6 +22,7 @@ package org.eclipse.apoapsis.ortserver.dao.test
 import kotlinx.datetime.Clock
 
 import org.eclipse.apoapsis.ortserver.dao.blockingQuery
+import org.eclipse.apoapsis.ortserver.dao.dbQuery
 import org.eclipse.apoapsis.ortserver.dao.repositories.advisorjob.DaoAdvisorJobRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.advisorrun.DaoAdvisorRunRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.analyzerjob.DaoAnalyzerJobRepository
@@ -41,6 +42,7 @@ import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.Dao
 import org.eclipse.apoapsis.ortserver.dao.repositories.scannerjob.DaoScannerJobRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.scannerrun.DaoScannerRunRepository
 import org.eclipse.apoapsis.ortserver.dao.repositories.secret.DaoSecretRepository
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifierDao
 import org.eclipse.apoapsis.ortserver.model.AdvisorJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.AnalyzerJobConfiguration
@@ -50,9 +52,11 @@ import org.eclipse.apoapsis.ortserver.model.Jobs
 import org.eclipse.apoapsis.ortserver.model.NotifierJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.PluginConfig
 import org.eclipse.apoapsis.ortserver.model.ReporterJobConfiguration
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.ScannerJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.Severity
+import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.model.runs.AnalyzerConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.DependencyGraph
 import org.eclipse.apoapsis.ortserver.model.runs.Environment
@@ -74,6 +78,7 @@ import org.jetbrains.exposed.sql.Database
  * A helper class to manage test fixtures. It provides default instances as well as helper functions to create custom
  * instances.
  */
+@Suppress("TooManyFunctions")
 class Fixtures(private val db: Database) {
     val advisorJobRepository = DaoAdvisorJobRepository(db)
     val advisorRunRepository = DaoAdvisorRunRepository(db)
@@ -343,4 +348,20 @@ class Fixtures(private val db: Database) {
         isMetadataOnly = false,
         isModified = false
     )
+
+    suspend fun createVulnerabilityResolutionDefinition(
+        hierarchyId: RepositoryId = RepositoryId(repository.id),
+        contextRunId: Long = ortRun.id,
+        idMatchers: List<String>,
+        reason: VulnerabilityResolutionReason,
+        comment: String = "Comment."
+    ) = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable.insert(
+            hierarchyId,
+            contextRunId,
+            idMatchers,
+            reason,
+            comment
+        )
+    }
 }