fix(dao): Use upsert for resolved items junction tables

When the Evaluator stores resolved issues, the same issue message can be
reported for multiple packages at different timestamps. ORT's Issue
includes `timestamp` in its equals, so these survive as separate map keys
in `resolveResolutionsWithMappings()`.

However, `findOrtRunIssueId()` matches only on `source`, `message`, 
`severity`, and `affectedPath` — not `timestamp` — so both map to the same 
database row. When both match the same resolution, the second insert of the
identical `(ortRunId, ortRunIssueId, issueResolutionId)` tuple violates the
unique constraint.

Fix by changing `insert` to `upsert` for `ResolvedIssuesTable`,
`ResolvedRuleViolationsTable`, and `ResolvedVulnerabilitiesTable`, matching
the pattern already used for the `ResolvedConfigurations*` tables.

Resolves #4461.

Signed-off-by: Jyrki Keisala <jyrki.keisala@doubleopen.org>

Author: Etsija

dao/src/main/kotlin/repositories/resolvedconfiguration/DaoResolvedConfigurationRepository.kt

@@ -130,7 +130,11 @@ class DaoResolvedConfigurationRepository(private val db: Database) : ResolvedCon
 
                 // Store resolved item mapping if the issue was found in the run
                 if (ortRunIssueId != null) {
-                    ResolvedIssuesTable.insert {
+                    ResolvedIssuesTable.upsert(
+                        ResolvedIssuesTable.ortRunId,
+                        ResolvedIssuesTable.ortRunIssueId,
+                        ResolvedIssuesTable.issueResolutionId
+                    ) {
                         it[ResolvedIssuesTable.ortRunId] = ortRunId
                         it[ResolvedIssuesTable.ortRunIssueId] = ortRunIssueId
                         it[issueResolutionId] = issueResolutionDao.id.value
@@ -156,7 +160,11 @@ class DaoResolvedConfigurationRepository(private val db: Database) : ResolvedCon
 
                 // Store resolved item mapping if the rule violation was found
                 if (ruleViolationId != null) {
-                    ResolvedRuleViolationsTable.insert {
+                    ResolvedRuleViolationsTable.upsert(
+                        ResolvedRuleViolationsTable.ortRunId,
+                        ResolvedRuleViolationsTable.ruleViolationId,
+                        ResolvedRuleViolationsTable.ruleViolationResolutionId
+                    ) {
                         it[ResolvedRuleViolationsTable.ortRunId] = ortRunId
                         it[ResolvedRuleViolationsTable.ruleViolationId] = ruleViolationId
                         it[ruleViolationResolutionId] = ruleViolationResolutionDao.id.value
@@ -182,7 +190,12 @@ class DaoResolvedConfigurationRepository(private val db: Database) : ResolvedCon
 
                 // Store resolved item mappings for each vulnerability-identifier pair
                 vulnerabilityIdentifierPairs.forEach { (vulnId, identifierId) ->
-                    ResolvedVulnerabilitiesTable.insert {
+                    ResolvedVulnerabilitiesTable.upsert(
+                        ResolvedVulnerabilitiesTable.ortRunId,
+                        ResolvedVulnerabilitiesTable.vulnerabilityId,
+                        ResolvedVulnerabilitiesTable.identifierId,
+                        ResolvedVulnerabilitiesTable.vulnerabilityResolutionId
+                    ) {
                         it[ResolvedVulnerabilitiesTable.ortRunId] = ortRunId
                         it[vulnerabilityId] = vulnId
                         it[ResolvedVulnerabilitiesTable.identifierId] = identifierId

dao/src/test/kotlin/repositories/resolvedconfiguration/DaoResolvedConfigurationRepositoryTest.kt

@@ -364,6 +364,41 @@ class DaoResolvedConfigurationRepositoryTest : WordSpec({
             storedResolvedIssues.size shouldBe 0
         }
 
+        "handle duplicate addResolutions calls without constraint violation" {
+            // This simulates both the evaluator and reporter calling storeResolvedItems()
+            // for the same ORT run with overlapping data.
+            val issue = Issue(
+                timestamp = Clock.System.now(),
+                source = "Analyzer",
+                message = "Duplicate test issue",
+                severity = Severity.WARNING
+            )
+            fixtures.createAnalyzerRun(
+                analyzerJobId = fixtures.analyzerJob.id,
+                issues = listOf(issue)
+            )
+
+            val resolvedItems = ResolvedItemsResult(
+                issues = mapOf(issue to listOf(issueResolution1)),
+                ruleViolations = emptyMap(),
+                vulnerabilities = emptyMap()
+            )
+
+            // First call (e.g. evaluator)
+            resolvedConfigurationRepository.addResolutions(ortRunId, resolvedItems)
+
+            // Second call with the same data (e.g. reporter) should not throw
+            resolvedConfigurationRepository.addResolutions(ortRunId, resolvedItems)
+
+            // Verify only one mapping was stored (upsert, not duplicate)
+            val storedResolvedIssues = dbExtension.db.dbQuery {
+                ResolvedIssuesTable.selectAll()
+                    .where { ResolvedIssuesTable.ortRunId eq ortRunId }
+                    .toList()
+            }
+            storedResolvedIssues.size shouldBe 1
+        }
+
         "handle same resolution matching multiple issues without constraint violation" {
             // Create two issues in the database
             val issue1 = Issue(