feat: Allow to archive vulnerability resolution definitions

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt

@@ -20,6 +20,8 @@
 package org.eclipse.apoapsis.ortserver.components.resolutions
 
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsVulnerabilityResolutionsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.userDisplayName.UserDisplayNameDao
 import org.eclipse.apoapsis.ortserver.dao.tables.ChangeLogTable
 import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
@@ -29,6 +31,7 @@ import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 import org.jetbrains.exposed.sql.Database
@@ -67,4 +70,46 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
 
         VulnerabilityResolutionDefinitionsTable.get(id)
     }
+
+    suspend fun archive(id: Long, userDisplayName: UserDisplayName): VulnerabilityResolutionDefinition = db.dbQuery {
+        val user =
+            UserDisplayNameDao.insertOrUpdate(userDisplayName) ?: throw NullPointerException("No user created or found")
+
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            archivedInput = true.asPresent()
+        )
+
+        ChangeLogTable.insert(
+            ChangeEventEntityType.VULNERABILITY_RESOLUTION_DEFINITION,
+            id.toString(),
+            user.id.value,
+            ChangeEventAction.ARCHIVE
+        )
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id),
+            "Vulnerability resolution definition archived."
+        )
+
+        VulnerabilityResolutionDefinitionsTable.get(id)
+    }
+
+    suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable
+            .getOrNull(id)
+    }
+
+    private fun getAffectedRuns(
+        definitionId: Long
+    ): List<Long> {
+        return RepositoryConfigurationsVulnerabilityResolutionsTable
+            .innerJoin(RepositoryConfigurationsTable)
+            .select(RepositoryConfigurationsTable.ortRunId)
+            .where {
+                RepositoryConfigurationsVulnerabilityResolutionsTable.vulnerabilityResolutionDefinitionId eq
+                        definitionId
+            }
+            .map { it[RepositoryConfigurationsTable.ortRunId].value }
+    }
 }

components/resolutions/backend/src/routes/kotlin/Routing.kt

@@ -21,6 +21,7 @@ package org.eclipse.apoapsis.ortserver.components.resolutions
 
 import io.ktor.server.routing.Route
 
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
@@ -30,4 +31,5 @@ fun Route.resolutionsRoutes(
     vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
 ) {
     postVulnerabilityResolutionDefinition(ortRunService, vulnerabilityResolutionDefinitionService)
+    deleteVulnerabilityResolutionDefinition(vulnerabilityResolutionDefinitionService)
 }

components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/DeleteVulnerabilityResolutionDefinition.kt

@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.delete
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.deleteVulnerabilityResolutionDefinition(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = delete("/resolutions/vulnerabilities/{id}", {
+    operationId = "DeleteVulnerabilityResolutionDefinition"
+    summary = "Delete a vulnerability resolution"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition"
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Delete Vulnerability Resolution Definition") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                        comment = "Comment",
+                        archived = true,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-02T00:00:00Z"),
+                                ChangeEventAction.ARCHIVE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.NoContent to {
+            description = "The vulnerability resolution definition was already archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id)
+
+    if (definition == null) throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (definition.archived) {
+        call.respond(HttpStatusCode.NoContent)
+        return@delete
+    }
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@delete
+    }
+
+    val archivedDefinition = vulnerabilityResolutionDefinitionService.archive(id, userDisplayName).mapToApi()
+
+    call.respond(HttpStatusCode.OK, archivedDefinition)
+}

components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt

@@ -132,4 +132,65 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
             }
         }
     }
+
+    "archive" should {
+        "archive a vulnerability resolution definition" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val archivedDefinition = definitionService.archive(definitionId, userDisplayName)
+
+            with(archivedDefinition) {
+                archived shouldBe true
+                changes shouldHaveSize 2
+
+                with(changes.first()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes.last()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.ARCHIVE
+                }
+            }
+        }
+    }
+
+    "getById" should {
+        "return the vulnerability resolution definition if it exists" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definition = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            )
+
+            definitionService.getById(definition.id) shouldBe definition
+        }
+
+        "return null if the vulnerability resolution definition doesn't exist" {
+            definitionService.getById(1) shouldBe null
+        }
+    }
 })

components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt

@@ -19,6 +19,7 @@
 
 package org.eclipse.apoapsis.ortserver.components.resolutions.routes
 
+import io.ktor.client.request.delete
 import io.ktor.client.request.post
 import io.ktor.client.request.setBody
 import io.ktor.http.HttpStatusCode
@@ -30,7 +31,10 @@ import org.eclipse.apoapsis.ortserver.components.resolutions.CreateVulnerability
 import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
 import org.eclipse.apoapsis.ortserver.components.resolutions.resolutionsRoutes
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
 import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.AbstractAuthorizationTest
 
@@ -115,4 +119,33 @@ class ResolutionsAuthorizationTest : AbstractAuthorizationTest({
             }
         }
     }
+
+    "DeleteVulnerabilityResolutionDefinition" should {
+        "require role RepositoryPermission.WRITE.roleName(repositoryId)" {
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                UserDisplayName("abc", "Test"),
+                createBody.idMatchers,
+                createBody.reason.mapToModel(),
+                createBody.comment
+            ).id
+
+            requestShouldRequireRole(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                role = RepositoryPermission.WRITE.roleName(repositoryId)
+            ) {
+                delete("/resolutions/vulnerabilities/$definitionId")
+            }
+        }
+
+        "respond with 'Forbidden' when repository id cannot be resolved" {
+            requestShouldRequireAuthentication(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                successStatus = HttpStatusCode.Forbidden
+            ) {
+                delete("/resolutions/vulnerabilities/9999")
+            }
+        }
+    }
 })