feat: Allow to restore vulnerability resolutions

Allow to restore a previously archived resolution. After the restoration
the resolution will again be injected to the repository configuration of
new runs.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt

@@ -81,6 +81,24 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
         definition
     }
 
+    suspend fun restore(id: Long, userDisplayName: UserDisplayName): VulnerabilityResolutionDefinition = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            archivedInput = false.asPresent()
+        )
+
+        addChangeLogEvent(id, ChangeEventAction.RESTORE, userDisplayName)
+
+        val definition = VulnerabilityResolutionDefinitionsTable.get(id)
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id) + definition.contextRunId,
+            "Vulnerability resolution definition restored."
+        )
+
+        definition
+    }
+
     suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
         VulnerabilityResolutionDefinitionsTable
             .getOrNull(id)

components/resolutions/backend/src/routes/kotlin/Routing.kt

@@ -23,6 +23,7 @@ import io.ktor.server.routing.Route
 
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolution
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.restoreVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 /** Add all resolutions routes. */
@@ -32,4 +33,5 @@ fun Route.resolutionsRoutes(
 ) {
     postVulnerabilityResolution(ortRunService, vulnerabilityResolutionDefinitionService)
     deleteVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
+    restoreVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
 }

components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/RestoreVulnerabilityResolution.kt

@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.post
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.restoreVulnerabilityResolution(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = post("/resolutions/vulnerabilities/{id}/restore", {
+    operationId = "restoreVulnerabilityResolution"
+    summary = "Restore a vulnerability resolution"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition."
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Restore Vulnerability Resolution") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                        comment = "Comment",
+                        archived = false,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-03T00:00:00Z"),
+                                ChangeEventAction.ARCHIVE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-04T00:00:00Z"),
+                                ChangeEventAction.RESTORE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.NoContent to {
+            description = "The vulnerability resolution is not archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id)
+
+    if (definition == null) throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (!definition.archived) {
+        call.respond(HttpStatusCode.NoContent, "The vulnerability resolution is not archived.")
+        return@post
+    }
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@post
+    }
+
+    val vulnerabilityResolutionDefinition =
+        vulnerabilityResolutionDefinitionService.restore(id, userDisplayName).mapToApi()
+
+    call.respond(HttpStatusCode.OK, vulnerabilityResolutionDefinition)
+}

components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt

@@ -211,6 +211,91 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
         }
     }
 
+    "restore" should {
+        "restore an archived vulnerability resolution definition" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            definitionService.archive(definitionId, userDisplayName)
+
+            val restoredDefinition = definitionService.restore(definitionId, userDisplayName)
+
+            with(restoredDefinition) {
+                archived shouldBe false
+                changes shouldHaveSize 3
+
+                with(changes[0]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes[1]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.ARCHIVE
+                }
+
+                with(changes[2]) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.RESTORE
+                }
+            }
+        }
+
+        "mark the affected runs as outdated" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val run2Id = fixtures.createOrtRun().id
+
+            val repositoryConfiguration = fixtures.createRepositoryConfiguration(run2Id)
+            fixtures.resolvedConfigurationRepository.addResolutions(run2Id, repositoryConfiguration.resolutions)
+
+            val run3Id = fixtures.createOrtRun().id
+
+            definitionService.archive(definitionId, userDisplayName)
+            definitionService.restore(definitionId, userDisplayName)
+
+            ortRunService.getOrtRun(runId).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition restored."
+            }
+
+            ortRunService.getOrtRun(run2Id).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition restored."
+            }
+
+            ortRunService.getOrtRun(run3Id).shouldNotBeNull {
+                outdated shouldBe false
+                outdatedMessage.shouldBeNull()
+            }
+        }
+    }
+
     "getById" should {
         "return the vulnerability resolution definition if it exists" {
             val userDisplayName = UserDisplayName(

components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt

@@ -148,4 +148,37 @@ class ResolutionsAuthorizationTest : AbstractAuthorizationTest({
             }
         }
     }
+
+    "RestoreVulnerabilityResolution" should {
+        "require role RepositoryPermission.WRITE.roleName(repositoryId)" {
+            val userDisplayName = UserDisplayName("abc", "Test")
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                createBody.idMatchers,
+                createBody.reason.mapToModel(),
+                createBody.comment
+            ).id
+
+            definitionService.archive(definitionId, userDisplayName)
+
+            requestShouldRequireRole(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                role = RepositoryPermission.WRITE.roleName(repositoryId)
+            ) {
+                post("/resolutions/vulnerabilities/$definitionId/restore")
+            }
+        }
+
+        "respond with 'Forbidden' when repository ID cannot be resolved" {
+            requestShouldRequireAuthentication(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                successStatus = HttpStatusCode.Forbidden
+            ) {
+                post("/resolutions/vulnerabilities/9999/restore")
+            }
+        }
+    }
 })