feat: Return new matching vulnerability resolution definitions

lamppu · lamppu · commit 62cf24949231 · 2025-11-04T11:20:36.000+02:00
If there have been new vulnerability resolution definitions made on the server since the run, add the matching definitions to the vulnerabilities response, so that it can be reflected on the UI that with a new run, the particular vulnerability would be resolved. Relates to #1009. Signed-off-by: Johanna Lamppu <johanna.lamppu@doubleopen.org>
diff --git a/api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt b/api/v1/mapping/src/commonMain/kotlin/ApiMappings.kt
@@ -612,6 +612,7 @@ fun VulnerabilityWithDetails.mapToApi() =
         identifier = identifier.mapToApi(),
         rating = rating.mapToApi(),
         resolutions = resolutions.map { it.mapToApi() },
+        newMatchingResolutionDefinitions = newMatchingResolutionDefinitions.map { it.mapToApi() },
         advisor = advisor.mapToApi(),
         purl = purl
     )
diff --git a/api/v1/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt b/api/v1/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt
@@ -21,6 +21,8 @@ package org.eclipse.apoapsis.ortserver.api.v1.model
 
 import kotlinx.serialization.Serializable
 
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+
 /**
  * A data class to gather information and related data about a [Vulnerability].
  */
@@ -34,6 +36,9 @@ data class VulnerabilityWithDetails(
 
     val resolutions: List<VulnerabilityResolution> = emptyList(),
 
+    /** The resolution definitions that match this vulnerability but were not yet available during the run. */
+    val newMatchingResolutionDefinitions: List<VulnerabilityResolutionDefinition> = emptyList(),
+
     /** Details of the used advisor. */
     val advisor: AdvisorDetails,
 
diff --git a/core/src/test/kotlin/api/RunsRouteIntegrationTest.kt b/core/src/test/kotlin/api/RunsRouteIntegrationTest.kt
@@ -26,6 +26,7 @@ import io.kotest.assertions.ktor.client.haveHeader
 import io.kotest.assertions.ktor.client.shouldHaveStatus
 import io.kotest.engine.spec.tempdir
 import io.kotest.inspectors.forAll
+import io.kotest.matchers.collections.shouldBeEmpty
 import io.kotest.matchers.collections.shouldBeSingleton
 import io.kotest.matchers.collections.shouldContainExactlyInAnyOrder
 import io.kotest.matchers.collections.shouldHaveSize
@@ -875,6 +876,49 @@ class RunsRouteIntegrationTest : AbstractIntegrationTest({
             }
         }
 
+        "return new matching definitions that have been created after the run" {
+            integrationTestApplication {
+                val run = dbExtension.fixtures.createOrtRun(repositoryId)
+                val advisorJobId = dbExtension.fixtures.createAdvisorJob(run.id).id
+                dbExtension.fixtures.createAdvisorRun(advisorJobId, generateAdvisorResult())
+
+                val definitionId = dbExtension.fixtures.createVulnerabilityResolutionDefinition(
+                    RepositoryId(repositoryId),
+                    run.id,
+                    listOf("CVE-2021-1234"),
+                    VulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY
+                )
+
+                val response = superuserClient.get("/api/v1/runs/${run.id}/vulnerabilities")
+
+                response shouldHaveStatus HttpStatusCode.OK
+                val vulnerabilities = response.body<PagedResponse<VulnerabilityWithDetails>>()
+
+                vulnerabilities.data shouldHaveSize 2
+
+                with(vulnerabilities.data.first()) {
+                    vulnerability.externalId shouldBe "CVE-2018-14721"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions.shouldBeEmpty()
+                }
+
+                with(vulnerabilities.data.last()) {
+                    vulnerability.externalId shouldBe "CVE-2021-1234"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        idMatchers = listOf("CVE-2021-1234"),
+                        reason = ApiVulnerabilityResolutionReason.INVALID_MATCH_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+            }
+        }
+
         "require RepositoryPermission.READ_ORT_RUNS" {
             val run = ortRunRepository.create(
                 repositoryId,
diff --git a/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt b/model/src/commonMain/kotlin/VulnerabilityWithDetails.kt
@@ -35,6 +35,9 @@ data class VulnerabilityWithDetails(
 
     val resolutions: List<AppliedVulnerabilityResolution> = emptyList(),
 
+    /** The resolution definitions that match this vulnerability but were not yet available during the run. */
+    val newMatchingResolutionDefinitions: List<VulnerabilityResolutionDefinition> = emptyList(),
+
     /** Details about the used advisor. */
     val advisor: AdvisorDetails,
 
diff --git a/services/ort-run/src/main/kotlin/VulnerabilityService.kt b/services/ort-run/src/main/kotlin/VulnerabilityService.kt
@@ -86,6 +86,7 @@ import org.jetbrains.exposed.sql.stringLiteral
 import org.jetbrains.exposed.sql.wrapAsExpression
 
 import org.ossreviewtoolkit.model.config.VulnerabilityResolution
+import org.ossreviewtoolkit.model.config.VulnerabilityResolutionReason
 import org.ossreviewtoolkit.model.utils.toPurl
 
 /**
@@ -184,7 +185,27 @@ class VulnerabilityService(private val db: Database, private val ortRunService:
                 }
         }
 
+        val newVulnerabilityResolutionDefinitions = db.dbQuery {
+            VulnerabilityResolutionDefinitionsTable
+                .select(VulnerabilityResolutionDefinitionsTable.columns)
+                .where {
+                    (VulnerabilityResolutionDefinitionsTable.repositoryId eq ortRun.repositoryId) and
+                            (VulnerabilityResolutionDefinitionsTable.contextRunId greaterEq ortRun.id) and
+                            (VulnerabilityResolutionDefinitionsTable.archived eq false)
+                }
+                .map { row -> row.toVulnerabilityResolutionDefinition() }
+        }
+
         val vulnerabilitiesWithResolutions = limitedVulnerabilities.map { vulnerabilityWithDetails ->
+            val matchingNewDefinitions = newVulnerabilityResolutionDefinitions.filter { definition ->
+                definition.idMatchers.any { idMatcher ->
+                    VulnerabilityResolution(
+                        idMatcher,
+                        VulnerabilityResolutionReason.valueOf(definition.reason.name),
+                        definition.comment
+                    ).matches(vulnerabilityWithDetails.vulnerability.mapToOrt())
+                }
+            }
             val matchingResolutions = resolutions.filter {
                 it.matches(vulnerabilityWithDetails.vulnerability.mapToOrt())
             }
@@ -201,7 +222,8 @@ class VulnerabilityService(private val db: Database, private val ortRunService:
                         resolution,
                         definition
                     )
-                }
+                },
+                newMatchingResolutionDefinitions = matchingNewDefinitions
             )
         }
 
diff --git a/services/ort-run/src/test/kotlin/VulnerabilityServiceTest.kt b/services/ort-run/src/test/kotlin/VulnerabilityServiceTest.kt
@@ -689,6 +689,81 @@ class VulnerabilityServiceTest : WordSpec() {
                     }
                 }
             }
+
+            "return new matching definitions that have been created after the run" {
+                val run = fixtures.createOrtRun()
+                val advisorJobId = fixtures.createAdvisorJob(run.id).id
+
+                val vulnerabilities = createVulnerabilities(
+                    Triple(
+                        Identifier("Maven", "org.apache.logging.log4j", "log4j-core", "2.14.0"),
+                        listOf("CVE-2021-45046"),
+                        listOf(10.0)
+                    ),
+                    Triple(
+                        Identifier("Maven", "com.fasterxml.jackson.core", "jackson-databind", "2.9.6"),
+                        listOf("CVE-2018-14721"),
+                        listOf(4.2)
+                    ),
+                    Triple(
+                        Identifier("Maven", "junit", "junit", "1.0"),
+                        listOf("CVE-2024-24521"),
+                        listOf(5.0)
+                    )
+                )
+
+                fixtures.createAdvisorRun(advisorJobId, createAdvisorResults(vulnerabilities))
+
+                val definitionId = fixtures.createVulnerabilityResolutionDefinition(
+                    contextRunId = run.id,
+                    idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                    reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY
+                )
+
+                val results = service.listForOrtRunId(run.id)
+
+                results.totalCount shouldBe 3
+
+                with(results.data[0]) {
+                    vulnerability.externalId shouldBe "CVE-2018-14721"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions.shouldBeEmpty()
+                }
+
+                with(results.data[1]) {
+                    vulnerability.externalId shouldBe "CVE-2021-45046"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        hierarchyId = RepositoryId(run.repositoryId),
+                        contextRunId = run.id,
+                        idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                        reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+
+                with(results.data[2]) {
+                    vulnerability.externalId shouldBe "CVE-2024-24521"
+                    resolutions.shouldBeEmpty()
+                    newMatchingResolutionDefinitions shouldHaveSize 1
+
+                    newMatchingResolutionDefinitions.first() shouldBe VulnerabilityResolutionDefinition(
+                        id = definitionId,
+                        hierarchyId = RepositoryId(run.repositoryId),
+                        contextRunId = run.id,
+                        idMatchers = listOf("CVE-2021-45046", "CVE-2024-24521"),
+                        reason = VulnerabilityResolutionReason.WORKAROUND_FOR_VULNERABILITY,
+                        comment = "Comment.",
+                        archived = false,
+                        changes = emptyList()
+                    )
+                }
+            }
         }
 
         "countForOrtRunId" should {

Original file line number	Diff line number	Diff line change
`@@ -612,6 +612,7 @@ fun VulnerabilityWithDetails.mapToApi() =`
`612`	`612`	`identifier = identifier.mapToApi(),`
`613`	`613`	`rating = rating.mapToApi(),`
`614`	`614`	`resolutions = resolutions.map { it.mapToApi() },`
	`615`	`+ newMatchingResolutionDefinitions = newMatchingResolutionDefinitions.map { it.mapToApi() },`
`615`	`616`	`advisor = advisor.mapToApi(),`
`616`	`617`	`purl = purl`
`617`	`618`	`)`