feat: Allow to update vulnerability resolutions

Updating a vulnerability resolution will update the definition, and the
new updated values will be used when injecting the resolution on new runs.
Old runs where the resolution was injected to previously will still retain
the information of what the resolution was when the run was made.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

components/resolutions/api-model/src/commonMain/kotlin/PatchVulnerabilityResolution.kt

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions
+
+import kotlinx.serialization.Serializable
+
+import org.eclipse.apoapsis.ortserver.shared.apimodel.OptionalValue
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+
+/**
+ * The request object for updating a vulnerability resolution.
+ */
+@Serializable
+data class PatchVulnerabilityResolution(
+    /**
+     * The list of vulnerability ID matchers (regular expressions) to match the ids of the vulnerabilities to resolve.
+     */
+    val idMatchers: OptionalValue<List<String>> = OptionalValue.Absent,
+
+    /** The reason why the vulnerability is resolved. */
+    val reason: OptionalValue<VulnerabilityResolutionReason> = OptionalValue.Absent,
+
+    /** A comment to further explain why the [reason] is applicable here. */
+    val comment: OptionalValue<String> = OptionalValue.Absent
+)

components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt

@@ -31,6 +31,7 @@ import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.OptionalValue
 import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
@@ -99,6 +100,32 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
         definition
     }
 
+    suspend fun update(
+        id: Long,
+        userDisplayName: UserDisplayName,
+        idMatchers: OptionalValue<List<String>> = OptionalValue.Absent,
+        reason: OptionalValue<VulnerabilityResolutionReason> = OptionalValue.Absent,
+        comment: OptionalValue<String> = OptionalValue.Absent
+    ): VulnerabilityResolutionDefinition = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            idMatchers,
+            reason,
+            comment
+        )
+
+        addChangeLogEvent(id, ChangeEventAction.UPDATE, userDisplayName)
+
+        val definition = VulnerabilityResolutionDefinitionsTable.get(id)
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id) + definition.contextRunId,
+            "Vulnerability resolution definition updated."
+        )
+
+        definition
+    }
+
     suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
         VulnerabilityResolutionDefinitionsTable
             .getOrNull(id)

components/resolutions/backend/src/routes/kotlin/Routing.kt

@@ -22,6 +22,7 @@ package org.eclipse.apoapsis.ortserver.components.resolutions
 import io.ktor.server.routing.Route
 
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolution
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.patchVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.restoreVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
@@ -34,4 +35,5 @@ fun Route.resolutionsRoutes(
     postVulnerabilityResolution(ortRunService, vulnerabilityResolutionDefinitionService)
     deleteVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
     restoreVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
+    patchVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
 }

components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/PatchVulnerabilityResolution.kt

@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.patch
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.request.receive
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.PatchVulnerabilityResolution
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.apimodel.asPresent
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.patchVulnerabilityResolution(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = patch("/resolutions/vulnerabilities/{id}", {
+    operationId = "patchVulnerabilityResolution"
+    summary = "Update a vulnerability resolution"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition"
+        }
+
+        jsonBody<PatchVulnerabilityResolution> {
+            description = "Set the values that should be updated."
+            example("Update Vulnerability Resolution") {
+                value = PatchVulnerabilityResolution(
+                    idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp").asPresent(),
+                    reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY.asPresent(),
+                    comment = "Updated comment.".asPresent()
+                )
+            }
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Update Vulnerability Resolution") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                        comment = "Updated comment.",
+                        archived = false,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                action = ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-02T00:00:00Z"),
+                                action = ChangeEventAction.UPDATE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.BadRequest to {
+            description = "The requested vulnerability resolution is archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id) ?: throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (definition.archived) {
+        call.respondError(HttpStatusCode.Conflict, "The requested vulnerability resolution is archived.")
+        return@patch
+    }
+
+    val updateResolution = call.receive<PatchVulnerabilityResolution>()
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@patch
+    }
+
+    val updatedDefinition = vulnerabilityResolutionDefinitionService.update(
+        id,
+        userDisplayName,
+        updateResolution.idMatchers.mapToModel(),
+        updateResolution.reason.mapToModel { it.mapToModel() },
+        updateResolution.comment.mapToModel()
+    ).mapToApi()
+
+    call.respond(HttpStatusCode.OK, updatedDefinition)
+}

components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt

@@ -33,6 +33,7 @@ import org.eclipse.apoapsis.ortserver.model.ChangeEventAction
 import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 import org.jetbrains.exposed.sql.Database
@@ -296,6 +297,92 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
         }
     }
 
+    "update" should {
+        "update a vulnerability resolution definition and add an event in the change log" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val updatedDefinition = definitionService.update(
+                definitionId,
+                userDisplayName,
+                listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp").asPresent(),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY.asPresent(),
+                "Updated comment.".asPresent()
+            )
+
+            with(updatedDefinition) {
+                idMatchers shouldBe listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp")
+                reason shouldBe VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY
+                comment shouldBe "Updated comment."
+                archived shouldBe false
+                changes shouldHaveSize 2
+
+                with(changes.first()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes.last()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.UPDATE
+                }
+            }
+        }
+
+        "mark the affected runs as outdated" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val run2Id = fixtures.createOrtRun().id
+
+            val repositoryConfiguration = fixtures.createRepositoryConfiguration(run2Id)
+            fixtures.resolvedConfigurationRepository.addResolutions(run2Id, repositoryConfiguration.resolutions)
+
+            val run3Id = fixtures.createOrtRun().id
+
+            definitionService.update(definitionId, userDisplayName, comment = "Updated comment.".asPresent())
+
+            ortRunService.getOrtRun(runId).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition updated."
+            }
+
+            ortRunService.getOrtRun(run2Id).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition updated."
+            }
+
+            ortRunService.getOrtRun(run3Id).shouldNotBeNull {
+                outdated shouldBe false
+                outdatedMessage.shouldBeNull()
+            }
+        }
+    }
+
     "getById" should {
         "return the vulnerability resolution definition if it exists" {
             val userDisplayName = UserDisplayName(