feat: Allow to archive vulnerability resolutions

Implement deleting a vulnerability resolution by archiving the item, i.e.
with soft deletion. The resolution will be marked as archived, which means
that on new runs, the resolution won't be injected in the repository
configuration anymore.

The resolution will still be a part of the results of any run where it was
injected earlier, and the information that it originated from a definition
on the server is retained.

Relates to #1009.

Signed-off-by: Johanna Lamppu <[email protected]>

Author: lamppu

components/resolutions/backend/src/main/kotlin/VulnerabilityResolutionDefinitionService.kt

@@ -20,6 +20,8 @@
 package org.eclipse.apoapsis.ortserver.components.resolutions
 
 import org.eclipse.apoapsis.ortserver.dao.dbQuery
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsTable
+import org.eclipse.apoapsis.ortserver.dao.repositories.repositoryconfiguration.RepositoryConfigurationsVulnerabilityResolutionsTable
 import org.eclipse.apoapsis.ortserver.dao.repositories.userDisplayName.UserDisplayNameDao
 import org.eclipse.apoapsis.ortserver.dao.tables.ChangeLogTable
 import org.eclipse.apoapsis.ortserver.dao.tables.VulnerabilityResolutionDefinitionsTable
@@ -29,6 +31,7 @@ import org.eclipse.apoapsis.ortserver.model.RepositoryId
 import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionDefinition
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.model.util.asPresent
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
 import org.jetbrains.exposed.sql.Database
@@ -60,6 +63,29 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
         VulnerabilityResolutionDefinitionsTable.get(id)
     }
 
+    suspend fun archive(id: Long, userDisplayName: UserDisplayName): VulnerabilityResolutionDefinition = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable.updateDefinition(
+            id,
+            archivedInput = true.asPresent()
+        )
+
+        addChangeLogEvent(id, ChangeEventAction.ARCHIVE, userDisplayName)
+
+        val definition = VulnerabilityResolutionDefinitionsTable.get(id)
+
+        ortRunService.markAsOutdated(
+            getAffectedRuns(id) + definition.contextRunId,
+            "Vulnerability resolution definition archived."
+        )
+
+        definition
+    }
+
+    suspend fun getById(id: Long): VulnerabilityResolutionDefinition? = db.dbQuery {
+        VulnerabilityResolutionDefinitionsTable
+            .getOrNull(id)
+    }
+
     private fun addChangeLogEvent(
         entityId: Long,
         action: ChangeEventAction,
@@ -75,4 +101,17 @@ class VulnerabilityResolutionDefinitionService(private val db: Database, private
             action
         )
     }
+
+    private fun getAffectedRuns(
+        definitionId: Long
+    ): List<Long> {
+        return RepositoryConfigurationsVulnerabilityResolutionsTable
+            .innerJoin(RepositoryConfigurationsTable)
+            .select(RepositoryConfigurationsTable.ortRunId)
+            .where {
+                RepositoryConfigurationsVulnerabilityResolutionsTable.vulnerabilityResolutionDefinitionId eq
+                        definitionId
+            }
+            .map { it[RepositoryConfigurationsTable.ortRunId].value }
+    }
 }

components/resolutions/backend/src/routes/kotlin/Routing.kt

@@ -21,6 +21,7 @@ package org.eclipse.apoapsis.ortserver.components.resolutions
 
 import io.ktor.server.routing.Route
 
+import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.deleteVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities.postVulnerabilityResolution
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
 
@@ -30,4 +31,5 @@ fun Route.resolutionsRoutes(
     vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
 ) {
     postVulnerabilityResolution(ortRunService, vulnerabilityResolutionDefinitionService)
+    deleteVulnerabilityResolution(vulnerabilityResolutionDefinitionService)
 }

components/resolutions/backend/src/routes/kotlin/routes/vulnerabilities/DeleteVulnerabilityResolution.kt

@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2025 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.components.resolutions.routes.vulnerabilities
+
+import io.github.smiley4.ktoropenapi.delete
+
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.auth.principal
+import io.ktor.server.response.respond
+import io.ktor.server.routing.Route
+
+import kotlinx.datetime.Instant
+
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.AuthorizationException
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.OrtPrincipal
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getFullName
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUserId
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.getUsername
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.permissions.RepositoryPermission
+import org.eclipse.apoapsis.ortserver.components.authorization.keycloak.requirePermission
+import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName as ModelUserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToApi
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEvent
+import org.eclipse.apoapsis.ortserver.shared.apimodel.ChangeEventAction
+import org.eclipse.apoapsis.ortserver.shared.apimodel.UserDisplayName
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionDefinition
+import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.jsonBody
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.requireIdParameter
+import org.eclipse.apoapsis.ortserver.shared.ktorutils.respondError
+
+internal fun Route.deleteVulnerabilityResolution(
+    vulnerabilityResolutionDefinitionService: VulnerabilityResolutionDefinitionService
+) = delete("/resolutions/vulnerabilities/{id}", {
+    operationId = "deleteVulnerabilityResolution"
+    summary = "Delete a vulnerability resolution"
+    tags = listOf("Resolutions")
+
+    request {
+        pathParameter<Long>("id") {
+            description = "The ID of the vulnerability resolution definition"
+        }
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success"
+
+            jsonBody<VulnerabilityResolutionDefinition> {
+                example("Delete Vulnerability Resolution") {
+                    value = VulnerabilityResolutionDefinition(
+                        id = 1,
+                        idMatchers = listOf("CVE-2020-15250", "GHSA-269g-pwp5-87pp"),
+                        reason = VulnerabilityResolutionReason.WILL_NOT_FIX_VULNERABILITY,
+                        comment = "Comment",
+                        archived = true,
+                        changes = listOf(
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-01T00:00:00Z"),
+                                ChangeEventAction.CREATE
+                            ),
+                            ChangeEvent(
+                                user = UserDisplayName(username = "User"),
+                                occurredAt = Instant.parse("2024-01-02T00:00:00Z"),
+                                ChangeEventAction.ARCHIVE
+                            )
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.NoContent to {
+            description = "The vulnerability resolution was already archived."
+        }
+    }
+}) {
+    val id = call.requireIdParameter("id")
+
+    val definition = vulnerabilityResolutionDefinitionService.getById(id) ?: throw AuthorizationException()
+
+    requirePermission(RepositoryPermission.WRITE.roleName(definition.hierarchyId.value))
+
+    if (definition.archived) {
+        call.respond(HttpStatusCode.NoContent, "The vulnerability resolution was already archived.")
+        return@delete
+    }
+
+    // Extract the user information from the principal.
+    val userDisplayName = call.principal<OrtPrincipal>()?.let { principal ->
+        ModelUserDisplayName(principal.getUserId(), principal.getUsername(), principal.getFullName())
+    }
+
+    if (userDisplayName == null) {
+        call.respondError(HttpStatusCode.InternalServerError, "Unable to resolve user display name from token.")
+        return@delete
+    }
+
+    val archivedDefinition = vulnerabilityResolutionDefinitionService.archive(id, userDisplayName).mapToApi()
+
+    call.respond(HttpStatusCode.OK, archivedDefinition)
+}

components/resolutions/backend/src/test/kotlin/VulnerabilityResolutionDefinitionServiceTest.kt

@@ -21,6 +21,7 @@ package org.eclipse.apoapsis.ortserver.components.resolutions
 
 import io.kotest.core.spec.style.WordSpec
 import io.kotest.matchers.collections.shouldHaveSize
+import io.kotest.matchers.nulls.shouldBeNull
 import io.kotest.matchers.nulls.shouldNotBeNull
 import io.kotest.matchers.shouldBe
 
@@ -132,4 +133,106 @@ class VulnerabilityResolutionDefinitionServiceTest : WordSpec({
             }
         }
     }
+
+    "archive" should {
+        "archive a vulnerability resolution definition" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val archivedDefinition = definitionService.archive(definitionId, userDisplayName)
+
+            with(archivedDefinition) {
+                archived shouldBe true
+                changes shouldHaveSize 2
+
+                with(changes.first()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.CREATE
+                }
+
+                with(changes.last()) {
+                    user shouldBe userDisplayName
+                    action shouldBe ChangeEventAction.ARCHIVE
+                }
+            }
+        }
+
+        "mark the affected runs as outdated" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            ).id
+
+            val run2Id = fixtures.createOrtRun().id
+
+            val repositoryConfiguration = fixtures.createRepositoryConfiguration(run2Id)
+            fixtures.resolvedConfigurationRepository.addResolutions(run2Id, repositoryConfiguration.resolutions)
+
+            val run3Id = fixtures.createOrtRun().id
+
+            definitionService.archive(definitionId, userDisplayName)
+
+            ortRunService.getOrtRun(runId).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition archived."
+            }
+
+            ortRunService.getOrtRun(run2Id).shouldNotBeNull {
+                outdated shouldBe true
+                outdatedMessage shouldBe "Vulnerability resolution definition archived."
+            }
+
+            ortRunService.getOrtRun(run3Id).shouldNotBeNull {
+                outdated shouldBe false
+                outdatedMessage.shouldBeNull()
+            }
+        }
+    }
+
+    "getById" should {
+        "return the vulnerability resolution definition if it exists" {
+            val userDisplayName = UserDisplayName(
+                "abc",
+                "Test",
+                "Test User"
+            )
+
+            val definition = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                userDisplayName,
+                listOf("CVE-2020-15250"),
+                VulnerabilityResolutionReason.INEFFECTIVE_VULNERABILITY,
+                "Comment."
+            )
+
+            definitionService.getById(definition.id) shouldBe definition
+        }
+
+        "return null if the vulnerability resolution definition doesn't exist" {
+            definitionService.getById(1) shouldBe null
+        }
+    }
 })

components/resolutions/backend/src/test/kotlin/routes/ResolutionsAuthorizationTest.kt

@@ -19,6 +19,7 @@
 
 package org.eclipse.apoapsis.ortserver.components.resolutions.routes
 
+import io.ktor.client.request.delete
 import io.ktor.client.request.post
 import io.ktor.client.request.setBody
 import io.ktor.http.HttpStatusCode
@@ -30,7 +31,10 @@ import org.eclipse.apoapsis.ortserver.components.resolutions.PostVulnerabilityRe
 import org.eclipse.apoapsis.ortserver.components.resolutions.VulnerabilityResolutionDefinitionService
 import org.eclipse.apoapsis.ortserver.components.resolutions.resolutionsRoutes
 import org.eclipse.apoapsis.ortserver.dao.test.Fixtures
+import org.eclipse.apoapsis.ortserver.model.RepositoryId
+import org.eclipse.apoapsis.ortserver.model.UserDisplayName
 import org.eclipse.apoapsis.ortserver.services.ortrun.OrtRunService
+import org.eclipse.apoapsis.ortserver.shared.apimappings.mapToModel
 import org.eclipse.apoapsis.ortserver.shared.apimodel.VulnerabilityResolutionReason
 import org.eclipse.apoapsis.ortserver.shared.ktorutils.AbstractAuthorizationTest
 
@@ -115,4 +119,33 @@ class ResolutionsAuthorizationTest : AbstractAuthorizationTest({
             }
         }
     }
+
+    "DeleteVulnerabilityResolution" should {
+        "require role RepositoryPermission.WRITE.roleName(repositoryId)" {
+            val definitionId = definitionService.create(
+                RepositoryId(repositoryId),
+                runId,
+                UserDisplayName("abc", "Test"),
+                createBody.idMatchers,
+                createBody.reason.mapToModel(),
+                createBody.comment
+            ).id
+
+            requestShouldRequireRole(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                role = RepositoryPermission.WRITE.roleName(repositoryId)
+            ) {
+                delete("/resolutions/vulnerabilities/$definitionId")
+            }
+        }
+
+        "respond with 'Forbidden' when repository id cannot be resolved" {
+            requestShouldRequireAuthentication(
+                routes = { resolutionsRoutes(ortRunService, definitionService) },
+                successStatus = HttpStatusCode.Forbidden
+            ) {
+                delete("/resolutions/vulnerabilities/9999")
+            }
+        }
+    }
 })