feat: Return new matching vulnerability resolution definitions

lamppu · lamppu · commit 4620018dabcb · 2025-10-30T09:36:18.000+02:00
Signed-off-by: Johanna Lamppu &lt;johanna.lamppu@doubleopen.org&gt;
diff --git a/api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt b/api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt
@@ -612,6 +612,7 @@ fun VulnerabilityWithDetails.mapToApi() =
         identifier = identifier.mapToApi(),
         rating = rating.mapToApi(),
         resolutions = resolutions.map { it.mapToApi() },
+        newMatchingResolutionDefinitions = newMatchingResolutionDefinitions.map { it.mapToApi() },
         advisor = advisor.mapToApi(),
         purl = purl
     )
diff --git a/api/v1/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt b/api/v1/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt
@@ -21,6 +21,8 @@ package org.eclipse.apoapsis.ortserver.api.v1.model
 
 import kotlinx.serialization.Serializable
 
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+
 /**
  * A data class to gather information and related data about a [Vulnerability].
  */
@@ -34,6 +36,9 @@ data class VulnerabilityWithDetails(
 
     val resolutions: List<VulnerabilityResolution> = emptyList(),
 
+    /** The resolution definitions that match this vulnerability but were not yet available during the run. */
+    val newMatchingResolutionDefinitions: List<VulnerabilityResolutionDefinition> = emptyList(),
+
     /** Details of the used advisor. */
     val advisor: AdvisorDetails,
 
diff --git a/core/src/test/kotlin/api/RunsRouteIntegrationTest.kt b/core/src/test/kotlin/api/RunsRouteIntegrationTest.kt
@@ -26,6 +26,7 @@ import io.kotest.assertions.ktor.client.haveHeader
 import io.kotest.assertions.ktor.client.shouldHaveStatus
 import io.kotest.engine.spec.tempdir
 import io.kotest.inspectors.forAll
+import io.kotest.matchers.collections.shouldBeEmpty
 import io.kotest.matchers.collections.shouldBeSingleton
 import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
 import io.kotest.matchers.collections.shouldHaveSize
@@ -877,6 +878,49 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "return new matching definitions that have been created after the run" {
+            integrationTestApplication {
+                val run = dbExtension.fixtures.createOrtRun(repositoryId)
+                val advisorJobId = dbExtension.fixtures.createAdvisorJob(run.id).id
+                dbExtension.fixtures.createAdvisorRun(advisorJobId, generateAdvisorResult())
+
+                val definitionId = dbExtension.fixtures.createVulnerabilityResolutionDefinition(
+                    RepositoryId(repositoryId),
+                    run.id,
+                    listOf("CVE-2021-1234"),
+                    VulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY
+                )
+
+                val response = superuserClient.get("/api/v1/runs/${run.id}/vulnerabilities")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                val vulnerabilities = response.body<PagedResponse<VulnerabilityWithDetails>>()
+
+                vulnerabilities.data shouldHaveSize 2
+
+                with(vulnerabilities.data.first()) {
+                    vulnerability.externalId shouldBe "CVE-2018-14721"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions.shouldBeEmpty()
+                }
+
+                with(vulnerabilities.data.last()) {
+                    vulnerability.externalId shouldBe "CVE-2021-1234"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        idMatchers = listOf("CVE-2021-1234"),
+                        reason = ApiVulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+            }
+        }
+
         "require RepositoryPermission.READ_ORT_RUNS" {
             val run = ortRunRepository.create(
                 repositoryId,
diff --git a/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt b/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt
@@ -35,6 +35,9 @@ data class VulnerabilityWithDetails(
 
     val resolutions: List<AppliedVulnerabilityResolution> = emptyList(),
 
+    /** The resolution definitions that match this vulnerability but were not yet available during the run. */
+    val newMatchingResolutionDefinitions: List<VulnerabilityResolutionDefinition> = emptyList(),
+
     /** Details about the used advisor. */
     val advisor: AdvisorDetails,
 
diff --git a/services/ort-run/src/main/kotlin/VulnerabilityService.kt b/services/ort-run/src/main/kotlin/VulnerabilityService.kt
@@ -44,6 +44,7 @@ import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.Res
 import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.ResolvedPackageCurationProvidersTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.resolvedconfiguration.ResolvedPackageCurationsTable
 import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
+import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable.toVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifierDao
 import org.eclipse.apoapsis.ortserver.dao.tables.shared.IdentifiersTable
 import org.eclipse.apoapsis.ortserver.dao.utils.applyILike
@@ -85,6 +86,7 @@ import org.jetbrains.exposed.sql.stringLiteral
 import org.jetbrains.exposed.sql.wrapAsExpression
 
 import org.ossreviewtoolkit.model.config.VulnerabilityResolution
+import org.ossreviewtoolkit.model.config.VulnerabilityResolutionReason
 import org.ossreviewtoolkit.model.utils.toPurl
 
 /**
@@ -197,7 +199,27 @@ class VulnerabilityService(private val db: Database, private val ortRunService:
                 }
         }
 
+        val newVulnerabilityResolutionDefinitions = db.dbQuery {
+            VulnerabilityResolutionDefinitionsTable
+                .select(VulnerabilityResolutionDefinitionsTable.columns)
+                .where {
+                    (VulnerabilityResolutionDefinitionsTable.repositoryId eq ortRun.repositoryId) and
+                            (VulnerabilityResolutionDefinitionsTable.contextRunId greaterEq ortRun.id) and
+                            (VulnerabilityResolutionDefinitionsTable.archived eq false)
+                }
+                .map { row -> row.toVulnerabilityResolutionDefinition() }
+        }
+
         val vulnerabilitiesWithResolutions = limitedVulnerabilities.map { vulnerabilityWithDetails ->
+            val matchingNewDefinitions = newVulnerabilityResolutionDefinitions.filter { definition ->
+                definition.idMatchers.any { idMatcher ->
+                    VulnerabilityResolution(
+                        idMatcher,
+                        VulnerabilityResolutionReason.valueOf(definition.reason.name),
+                        definition.comment
+                    ).matches(vulnerabilityWithDetails.vulnerability.mapToOrt())
+                }
+            }
             val matchingResolutions = resolutions.filter {
                 it.matches(vulnerabilityWithDetails.vulnerability.mapToOrt())
             }
@@ -218,7 +240,8 @@ class VulnerabilityService(private val db: Database, private val ortRunService:
                             }
                         }
                     )
-                }
+                },
+                newMatchingResolutionDefinitions = matchingNewDefinitions
             )
         }
 
diff --git a/services/ort-run/src/test/kotlin/VulnerabilityServiceTest.kt b/services/ort-run/src/test/kotlin/VulnerabilityServiceTest.kt
@@ -688,6 +688,79 @@ class VulnerabilityServiceTest : WordSpec() {
                     }
                 }
             }
+
+            "return new matching definitions that have been created after the run" {
+                val run = fixtures.createOrtRun()
+                val advisorJobId = fixtures.createAdvisorJob(run.id).id
+
+                val vulnerabilities = createVulnerabilities(
+                    Triple(
+                        Identifier("Maven", "org.apache.logging.log4j", "log4j-core", "2.14.0"),
+                        listOf("CVE-2021-45046"),
+                        listOf(10.0)
+                    ),
+                    Triple(
+                        Identifier("Maven", "com.fasterxml.jackson.core", "jackson-databind", "2.9.6"),
+                        listOf("CVE-2018-14721"),
+                        listOf(4.2)
+                    ),
+                    Triple(
+                        Identifier("Maven", "junit", "junit", "1.0"),
+                        listOf("CVE-2024-24521"),
+                        listOf(5.0)
+                    )
+                )
+
+                fixtures.createAdvisorRun(advisorJobId, createAdvisorResults(vulnerabilities))
+
+                val definitionId = fixtures.createVulnerabilityResolutionDefinition(
+                    contextRunId = run.id,
+                    idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                    reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY
+                )
+
+                val results = service.listForOrtRunId(run.id)
+
+                results.totalCount shouldBe 3
+
+                with(results.data[0]) {
+                    vulnerability.externalId shouldBe "CVE-2018-14721"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions.shouldBeEmpty()
+                }
+
+                with(results.data[1]) {
+                    vulnerability.externalId shouldBe "CVE-2021-45046"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        hierarchyId = RepositoryId(run.repositoryId),
+                        idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                        reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+
+                with(results.data[2]) {
+                    vulnerability.externalId shouldBe "CVE-2024-24521"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        hierarchyId = RepositoryId(run.repositoryId),
+                        idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                        reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+            }
         }
 
         "countForOrtRunId" should {

Original file line number	Diff line number	Diff line change
`@@ -612,6 +612,7 @@ fun VulnerabilityWithDetails.mapToApi() =`
`612`	`612`	`identifier = identifier.mapToApi(),`
`613`	`613`	`rating = rating.mapToApi(),`
`614`	`614`	`resolutions = resolutions.map { it.mapToApi() },`
	`615`	`+ newMatchingResolutionDefinitions = newMatchingResolutionDefinitions.map { it.mapToApi() },`
`615`	`616`	`advisor = advisor.mapToApi(),`
`616`	`617`	`purl = purl`
`617`	`618`	`)`