From 6943335f31a66164ebd6d4c8934136692f6b83a9 Mon Sep 17 00:00:00 2001
From: Antoine Vinot <antoine.vinot@sonarsource.com>
Date: Wed, 14 Dec 2022 11:46:51 +0100
Subject: [PATCH] SONAR-17671 Add description context key for taint
 vulnerabilities

---
 .../pushevent/PushEventFactory.java           | 18 ++++++------
 .../pushevent/TaintVulnerabilityRaised.java   | 12 ++++++--
 .../pushevent/PushEventFactoryTest.java       | 29 +++++++++++++++++--
 .../org/sonar/db/issue/IssueMapper.xml        |  3 +-
 .../sonar/server/issue/ws/BasePullAction.java |  2 +-
 ...ullTaintActionProtobufObjectGenerator.java |  1 +
 .../server/issue/ws/pull-taint-example.proto  |  2 ++
 .../server/issue/ws/PullTaintActionTest.java  | 10 +++++--
 sonar-ws/src/main/protobuf/ws-issues.proto    |  1 +
 9 files changed, 60 insertions(+), 18 deletions(-)

diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactory.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactory.java
index 30b12214562..85e5218b402 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactory.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactory.java
@@ -99,22 +99,22 @@ public class PushEventFactory {
     event.setSeverity(issue.severity());
     event.setRuleKey(issue.getRuleKey().toString());
     event.setType(issue.type().name());
-
     event.setBranch(analysisMetadataHolder.getBranch().getName());
+    event.setMainLocation(prepareMainLocation(component, issue));
+    event.setFlows(flowGenerator.convertFlows(component.getName(), requireNonNull(issue.getLocations())));
+    issue.getRuleDescriptionContextKey().ifPresent(event::setRuleDescriptionContextKey);
+    return event;
+  }
 
+  private static Location prepareMainLocation(Component component, DefaultIssue issue) {
     DbIssues.Locations issueLocations = requireNonNull(issue.getLocations());
+    TextRange mainLocationTextRange = getTextRange(issueLocations.getTextRange(), issueLocations.getChecksum());
 
     Location mainLocation = new Location();
-    mainLocation.setMessage(issue.getMessage());
-
+    Optional.ofNullable(issue.getMessage()).ifPresent(mainLocation::setMessage);
     mainLocation.setFilePath(component.getName());
-
-    TextRange mainLocationTextRange = getTextRange(issueLocations.getTextRange(), issueLocations.getChecksum());
     mainLocation.setTextRange(mainLocationTextRange);
-    event.setMainLocation(mainLocation);
-
-    event.setFlows(flowGenerator.convertFlows(component.getName(), issueLocations));
-    return event;
+    return mainLocation;
   }
 
   private static PushEventDto raiseTaintVulnerabilityClosedEvent(String projectUuid, DefaultIssue issue) {
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/TaintVulnerabilityRaised.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/TaintVulnerabilityRaised.java
index a3ddd139ef6..d490bcf7fb7 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/TaintVulnerabilityRaised.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/pushevent/TaintVulnerabilityRaised.java
@@ -20,6 +20,7 @@
 package org.sonar.ce.task.projectanalysis.pushevent;
 
 import java.util.List;
+import java.util.Optional;
 import org.sonar.ce.task.projectanalysis.locations.flow.Flow;
 import org.sonar.ce.task.projectanalysis.locations.flow.Location;
 
@@ -32,10 +33,9 @@ public class TaintVulnerabilityRaised {
   private String ruleKey;
   private String severity;
   private String type;
-
   private Location mainLocation;
-
   private List<Flow> flows;
+  private String ruleDescriptionContextKey;
 
   public TaintVulnerabilityRaised() {
     // nothing to do
@@ -112,4 +112,12 @@ public class TaintVulnerabilityRaised {
   public void setFlows(List<Flow> flows) {
     this.flows = flows;
   }
+
+  public Optional<String> getRuleDescriptionContextKey() {
+    return Optional.ofNullable(ruleDescriptionContextKey);
+  }
+
+  public void setRuleDescriptionContextKey(String ruleDescriptionContextKey) {
+    this.ruleDescriptionContextKey = ruleDescriptionContextKey;
+  }
 }
diff --git a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactoryTest.java b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactoryTest.java
index 1b4a04e3d5d..55959eb9a8f 100644
--- a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactoryTest.java
+++ b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/pushevent/PushEventFactoryTest.java
@@ -19,6 +19,8 @@
  */
 package org.sonar.ce.task.projectanalysis.pushevent;
 
+import com.google.gson.Gson;
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.List;
 import org.junit.Before;
@@ -39,19 +41,24 @@ import org.sonar.db.protobuf.DbCommons;
 import org.sonar.db.protobuf.DbIssues;
 import org.sonar.server.issue.TaintChecker;
 
+import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 public class PushEventFactoryTest {
 
+  private static final Gson gson = new Gson();
+  private static final String BRANCH_NAME = "develop";
+
   private final TaintChecker taintChecker = mock(TaintChecker.class);
   @Rule
   public MutableTreeRootHolderRule treeRootHolder = new MutableTreeRootHolderRule();
   @Rule
   public AnalysisMetadataHolderRule analysisMetadataHolder = new AnalysisMetadataHolderRule()
-    .setBranch(new TestBranch("develop"));
+    .setBranch(new TestBranch(BRANCH_NAME));
 
   private final FlowGenerator flowGenerator = new FlowGenerator(treeRootHolder);
   private final PushEventFactory underTest = new PushEventFactory(treeRootHolder, analysisMetadataHolder, taintChecker, flowGenerator);
@@ -67,19 +74,35 @@ public class PushEventFactoryTest {
   @Test
   public void raise_event_to_repository_if_taint_vulnerability_is_new() {
     DefaultIssue defaultIssue = createDefaultIssue()
-      .setNew(true);
+      .setNew(true)
+      .setRuleDescriptionContextKey(randomAlphabetic(6));
 
     assertThat(underTest.raiseEventOnIssue("some-project-uuid", defaultIssue))
       .isNotEmpty()
       .hasValueSatisfying(pushEventDto -> {
         assertThat(pushEventDto.getName()).isEqualTo("TaintVulnerabilityRaised");
-        assertThat(pushEventDto.getPayload()).isNotNull();
+        verifyPayload(pushEventDto.getPayload(), defaultIssue);
         assertThat(pushEventDto.getLanguage()).isEqualTo("java");
         assertThat(pushEventDto.getProjectUuid()).isEqualTo("some-project-uuid");
       });
 
   }
 
+  private static void verifyPayload(byte[] payload, DefaultIssue defaultIssue) {
+    assertThat(payload).isNotNull();
+
+    TaintVulnerabilityRaised taintVulnerabilityRaised = gson.fromJson(new String(payload, StandardCharsets.UTF_8), TaintVulnerabilityRaised.class);
+    assertThat(taintVulnerabilityRaised.getProjectKey()).isEqualTo(defaultIssue.projectKey());
+    assertThat(taintVulnerabilityRaised.getCreationDate()).isEqualTo(defaultIssue.creationDate().getTime());
+    assertThat(taintVulnerabilityRaised.getKey()).isEqualTo(defaultIssue.key());
+    assertThat(taintVulnerabilityRaised.getSeverity()).isEqualTo(defaultIssue.severity());
+    assertThat(taintVulnerabilityRaised.getRuleKey()).isEqualTo(defaultIssue.ruleKey().toString());
+    assertThat(taintVulnerabilityRaised.getType()).isEqualTo(defaultIssue.type().name());
+    assertThat(taintVulnerabilityRaised.getBranch()).isEqualTo(BRANCH_NAME);
+    String ruleDescriptionContextKey = taintVulnerabilityRaised.getRuleDescriptionContextKey().orElseGet(() -> fail("No rule description context key"));
+    assertThat(ruleDescriptionContextKey).isEqualTo(defaultIssue.getRuleDescriptionContextKey().orElse(null));
+  }
+
   @Test
   public void raise_event_to_repository_if_taint_vulnerability_is_reopened() {
     DefaultIssue defaultIssue = createDefaultIssue()
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/issue/IssueMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/issue/IssueMapper.xml
index 655c142af2e..b8126c88f96 100644
--- a/server/sonar-db-dao/src/main/resources/org/sonar/db/issue/IssueMapper.xml
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/issue/IssueMapper.xml
@@ -702,7 +702,8 @@
     i.issue_type as type,
     i.locations as locations,
     i.component_uuid as component_uuid,
-    i.assignee as assigneeUuid
+    i.assignee as assigneeUuid,
+    i.rule_description_context_key as ruleDescriptionContextKey
   </sql>
 
   <select id="selectByBranch" parameterType="map" resultType="Issue">
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/BasePullAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/BasePullAction.java
index c7cfe150309..4503c9e67b4 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/BasePullAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/BasePullAction.java
@@ -86,7 +86,7 @@ public abstract class BasePullAction implements IssuesWsAction {
       .setInternal(true)
       .setResponseExample(getClass().getResource(resourceExample))
       .setDescription(format("This endpoint fetches and returns all (unless filtered by optional params) the %s for a given branch. " +
-        "The %s returned are not paginated, so the response size can be big.", issueType, issueType))
+        "The %s returned are not paginated, so the response size can be big. Requires project 'Browse' permission.", issueType, issueType))
       .setSince(sinceVersion);
 
     action.createParam(PROJECT_KEY_PARAM)
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/pull/PullTaintActionProtobufObjectGenerator.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/pull/PullTaintActionProtobufObjectGenerator.java
index 0647cc9880c..3767094ad10 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/pull/PullTaintActionProtobufObjectGenerator.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/issue/ws/pull/PullTaintActionProtobufObjectGenerator.java
@@ -96,6 +96,7 @@ public class PullTaintActionProtobufObjectGenerator implements ProtobufObjectGen
     taintBuilder.setType(Common.RuleType.forNumber(issueDto.getType()));
     taintBuilder.setClosed(false);
     taintBuilder.setMainLocation(locationBuilder.build());
+    issueDto.getOptionalRuleDescriptionContextKey().ifPresent(taintBuilder::setRuleDescriptionContextKey);
 
     return taintBuilder.build();
   }
diff --git a/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/issue/ws/pull-taint-example.proto b/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/issue/ws/pull-taint-example.proto
index fc9d872c01a..05fb3bf1677 100644
--- a/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/issue/ws/pull-taint-example.proto
+++ b/server/sonar-webserver-webapi/src/main/resources/org/sonar/server/issue/ws/pull-taint-example.proto
@@ -13,6 +13,8 @@ message TaintLite {
   optional Location mainLocation = 7;
   optional bool closed = 8;
   optional Flow flows = 9;
+  optional bool assignedToSubscribedUser = 10;
+  optional string ruleDescriptionContextKey = 11;
 }
 
 message Location {
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/issue/ws/PullTaintActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/issue/ws/PullTaintActionTest.java
index 5a8ad622255..7ec6fa652c7 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/issue/ws/PullTaintActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/issue/ws/PullTaintActionTest.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
+import org.apache.commons.lang.RandomStringUtils;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -54,6 +55,7 @@ import org.sonarqube.ws.Common;
 import org.sonarqube.ws.Issues;
 
 import static java.lang.String.format;
+import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.mock;
@@ -387,6 +389,7 @@ public class PullTaintActionTest {
     RuleDto javaRule = db.rules().insert(r -> r.setRepositoryKey("javasecurity"));
     RuleDto javaScriptRule = db.rules().insert(r -> r.setRepositoryKey("javascript"));
 
+    String ruledescriptionContextKey = randomAlphabetic(6);
     IssueDto issueDto = issueDbTester.insertIssue(p -> p.setSeverity("MINOR")
       .setManualSeverity(true)
       .setMessage("openIssue")
@@ -395,7 +398,8 @@ public class PullTaintActionTest {
       .setStatus(Issue.STATUS_OPEN)
       .setProject(correctProject)
       .setComponent(correctFile)
-      .setType(2));
+      .setType(2)
+      .setRuleDescriptionContextKey(ruledescriptionContextKey));
 
     //this one should not be returned - it is a normal issue, no taint
     issueDbTester.insertIssue(p -> p.setSeverity("MINOR")
@@ -416,7 +420,9 @@ public class PullTaintActionTest {
     List<Issues.TaintVulnerabilityLite> taints = readAllTaint(response);
 
     assertThat(taints).hasSize(1);
-    assertThat(taints.get(0).getKey()).isEqualTo(issueDto.getKey());
+    Issues.TaintVulnerabilityLite taintVulnerabilityLite = taints.get(0);
+    assertThat(taintVulnerabilityLite.getKey()).isEqualTo(issueDto.getKey());
+    assertThat(taintVulnerabilityLite.getRuleDescriptionContextKey()).isEqualTo(ruledescriptionContextKey);
   }
 
   @Test
diff --git a/sonar-ws/src/main/protobuf/ws-issues.proto b/sonar-ws/src/main/protobuf/ws-issues.proto
index 3a99824f6b4..b03e72200b1 100644
--- a/sonar-ws/src/main/protobuf/ws-issues.proto
+++ b/sonar-ws/src/main/protobuf/ws-issues.proto
@@ -286,6 +286,7 @@ message TaintVulnerabilityLite {
   optional bool closed = 8;
   repeated Flow flows = 9;
   optional bool assignedToSubscribedUser = 10;
+  optional string ruleDescriptionContextKey = 11;
 }
 
 message Flow {
-- 
2.39.5