feat: Allow to update vulnerability resolution definitions

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

components/resolutions/api-model/src/commonMain/kotlin/UpdateVulnerabilityResolutionDefinition.kt

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions
+
+import kotlinx.serialization.Serializable
+
+import org.eclipse.apoapsis.ortserver.shared.apimodel.OptionalValue
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+
+/**
+ * The request object for updating a vulnerability resolution definition.
+ */
+@Serializable
+data class UpdateVulnerabilityResolutionDefinition(
+    /**
+     * The list of vulnerability ID matchers (regular expressions) to match the ids of the vulnerabilities to resolve.
+     */
+    val idMatchers: OptionalValue<List<String>> = OptionalValue.Absent,
+
+    /** The reason why the vulnerability is resolved. */
+    val reason: OptionalValue<VulnerabilityResolutionReason> = OptionalValue.Absent,
+
+    /** A comment to further explain why the [reason] is applicable here. */
+    val comment: OptionalValue<String> = OptionalValue.Absent
+)

components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt

@@ -31,6 +31,7 @@ import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.OptionalValue
 import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
@@ -119,6 +120,38 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
         VulnerabilityResolutionDefinitionsTable.get(id)
     }
 
+    suspend fun update(
+        id: Long,
+        userDisplayName: UserDisplayName,
+        idMatchers: OptionalValue<List<String>>,
+        reason: OptionalValue<VulnerabilityResolutionReason>,
+        comment: OptionalValue<String>
+    ): VulnerabilityResolutionDefinition = db.dbQuery {
+        val user =
+            UserDisplayNameDao.insertOrUpdate(userDisplayName) ?: throw NullPointerException("No user created or found")
+
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            idMatchers,
+            reason,
+            comment
+        )
+
+        ChangeLogTable.insert(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            id.toString(),
+            user.id.value,
+            ChangeEventAction.UPDATE
+        )
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id),
+            "Vulnerability resolution definition updated."
+        )
+
+        VulnerabilityResolutionDefinitionsTable.get(id)
+    }
+
     suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
         VulnerabilityResolutionDefinitionsTable
             .getOrNull(id)

components/resolutions/backend/src/routes/kotlin/Routing.kt

@@ -22,6 +22,7 @@ package org.eclipse.apoapsis.ortserver.components.resolutions
 import io.ktor.server.routing.Route
 
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.patchVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.restoreVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
@@ -34,4 +35,5 @@ fun Route.resolutionsRoutes(
     postVulnerabilityResolutionDefinition(ortRunService, vulnerabilityResolutionDefinitionService)
     deleteVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
     restoreVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
+    patchVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
 }

components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/PatchVulnerabilityResolutionDefinition.kt

@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.patch
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.request.receive
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.UpdateVulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.apimodel.asPresent
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.patchVulnerabilityResolutionDefinition(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = patch("/resolutions/vulnerabilities/{id}", {
+    operationId = "PatchVulnerabilityResolutionDefinition"
+    summary = "Update a vulnerability resolution definition"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition"
+        }
+
+        jsonBody<UpdateVulnerabilityResolutionDefinition> {
+            description = "Set the values that should be updated."
+            example("Update Vulnerability Resolution Definition") {
+                value = UpdateVulnerabilityResolutionDefinition(
+                    idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp").asPresent(),
+                    reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY.asPresent(),
+                    comment = "Updated comment.".asPresent()
+                )
+            }
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Update Vulnerability Resolution Definition") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                        comment = "Updated comment.",
+                        archived = false,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                action = ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-02T00:00:00Z"),
+                                action = ChangeEventAction.UPDATE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.BadRequest to {
+            description = "The requested vulnerability resolution definition is archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id)
+
+    if (definition == null) throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (definition.archived) {
+        call.respondError(HttpStatusCode.Conflict, "The requested vulnerability resolution definition is archived.")
+        return@patch
+    }
+
+    val updateResolution = call.receive<UpdateVulnerabilityResolutionDefinition>()
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@patch
+    }
+
+    val updatedDefinition = vulnerabilityResolutionDefinitionService.update(
+        id,
+        userDisplayName,
+        updateResolution.idMatchers.mapToModel(),
+        updateResolution.reason.mapToModel { it.mapToModel() },
+        updateResolution.comment.mapToModel()
+    ).mapToApi()
+
+    call.respond(HttpStatusCode.OK, updatedDefinition)
+}

components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt

@@ -32,6 +32,7 @@ import org.eclipse.apoapsis.ortserver.model.ChangeEventAction
 import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 import org.jetbrains.exposed.sql.Database
@@ -212,6 +213,51 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
         }
     }
 
+    "update" should {
+        "update a vulnerability resolution definition and add an event in the change log" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val updatedDefinition = definitionService.update(
+                definitionId,
+                userDisplayName,
+                listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp").asPresent(),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY.asPresent(),
+                "Updated comment.".asPresent()
+            )
+
+            with(updatedDefinition) {
+                idMatchers shouldBe listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp")
+                reason shouldBe VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY
+                comment shouldBe "Updated comment."
+                archived shouldBe false
+                changes shouldHaveSize 2
+
+                with(changes.first()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes.last()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.UPDATE
+                }
+            }
+        }
+    }
+
     "getById" should {
         "return the vulnerability resolution definition if it exists" {
             val userDisplayName = UserDisplayName(

components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt

@@ -20,6 +20,7 @@
 package org.eclipse.apoapsis.ortserver.components.resolutions.routes
 
 import io.ktor.client.request.delete
+import io.ktor.client.request.patch
 import io.ktor.client.request.post
 import io.ktor.client.request.setBody
 import io.ktor.http.HttpStatusCode
@@ -28,6 +29,7 @@ import io.mockk.mockk
 
 import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.components.resolutions.CreateVulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.components.resolutions.UpdateVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
 import org.eclipse.apoapsis.ortserver.components.resolutions.resolutionsRoutes
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
@@ -36,6 +38,7 @@ import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
 import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.apimodel.asPresent
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.AbstractAuthorizationTest
 
 import org.jetbrains.exposed.sql.Database
@@ -181,4 +184,45 @@ class ResolutionsAuthorizationTest : AbstractAuthorizationTest({
             }
         }
     }
+
+    "PatchVulnerabilityResolutionDefinition" should {
+        "require role RepositoryPermission.WRITE.roleName(repositoryId)" {
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                UserDisplayName("abc", "Test"),
+                createBody.idMatchers,
+                createBody.reason.mapToModel(),
+                createBody.comment
+            ).id
+
+            requestShouldRequireRole(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                role = RepositoryPermission.WRITE.roleName(repositoryId)
+            ) {
+                patch("/resolutions/vulnerabilities/$definitionId") {
+                    setBody(
+                        UpdateVulnerabilityResolutionDefinition(
+                            comment = "Updated comment.".asPresent()
+                        )
+                    )
+                }
+            }
+        }
+
+        "respond with 'Forbidden' when repository ID cannot be resolved" {
+            requestShouldRequireAuthentication(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                successStatus = HttpStatusCode.Forbidden
+            ) {
+                patch("/resolutions/vulnerabilities/9999") {
+                    setBody(
+                        UpdateVulnerabilityResolutionDefinition(
+                            comment = "Updated comment.".asPresent()
+                        )
+                    )
+                }
+            }
+        }
+    }
 })