From f4fbfe9415a713bd0df9c3f964591b3b7418c1d8 Mon Sep 17 00:00:00 2001
From: Julien HENRY <julien.henry@sonarsource.com>
Date: Thu, 14 Nov 2024 16:13:35 +0100
Subject: [PATCH] SONAR-23623 Remove useless remains of the SCA prototype

---
 .../step/PersistCveStepIT.java                | 178 ------------------
 .../batch/BatchReportReader.java              |   2 -
 .../batch/BatchReportReaderImpl.java          |   6 -
 .../issue/TrackerRawInputFactory.java         |   3 -
 .../projectanalysis/step/PersistCveStep.java  | 131 -------------
 .../step/ReportComputationSteps.java          |   1 -
 .../batch/BatchReportReaderImplTest.java      |  25 ---
 .../batch/BatchReportReaderRule.java          |  11 --
 .../issue/internal/DefaultExternalIssue.java  |  10 -
 .../sonar/scanner/issue/IssuePublisher.java   |   5 -
 .../scanner/mediumtest/AnalysisResult.java    |   4 -
 .../protocol/output/FileStructure.java        |   4 -
 .../protocol/output/ScannerReportReader.java  |   8 -
 .../protocol/output/ScannerReportWriter.java  |   5 -
 .../viewer/ScannerReportViewerApp.java        |  21 ---
 .../src/main/protobuf/scanner_report.proto    |  26 +--
 .../output/ScannerReportWriterTest.java       |  27 +--
 17 files changed, 9 insertions(+), 458 deletions(-)
 delete mode 100644 server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
 delete mode 100644 server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java

diff --git a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java b/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
deleted file mode 100644
index faca0e5bfe6..00000000000
--- a/server/sonar-ce-task-projectanalysis/src/it/java/org/sonar/ce/task/projectanalysis/step/PersistCveStepIT.java
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.ce.task.projectanalysis.step;
-
-import java.util.List;
-import java.util.Set;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.RegisterExtension;
-import org.sonar.api.utils.System2;
-import org.sonar.ce.task.projectanalysis.batch.BatchReportReaderRule;
-import org.sonar.ce.task.step.TestComputationStepContext;
-import org.sonar.core.util.UuidFactory;
-import org.sonar.core.util.UuidFactoryImpl;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.dependency.CveCweDto;
-import org.sonar.db.dependency.CveDto;
-import org.sonar.scanner.protocol.output.ScannerReport.Cve;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.fail;
-
-class PersistCveStepIT {
-
-  @RegisterExtension
-  private final DbTester db = DbTester.create(System2.INSTANCE);
-
-  @RegisterExtension
-  private final BatchReportReaderRule batchReportReader = new BatchReportReaderRule();
-
-  private final DbSession dbSession = db.getSession();
-  private final DbClient dbClient = db.getDbClient();
-  private final UuidFactory uuidFactory = UuidFactoryImpl.INSTANCE;
-
-  private PersistCveStep persistCveStep;
-
-  @BeforeEach
-  void setUp() {
-    persistCveStep = new PersistCveStep(batchReportReader, dbClient, uuidFactory, System2.INSTANCE);
-  }
-
-  @Test
-  void getDescription_shouldReturnStepDescription() {
-    assertThat(persistCveStep.getDescription()).isEqualTo("Persist CVEs");
-  }
-
-  @Test
-  void execute_shouldInsertNewCVEs() {
-    Cve cve1 = buildCve("1").build();
-    Cve cve2 = buildCve("2").build();
-    Cve cveAllOptionalEmpty = Cve.newBuilder().setCveId("CVE-empty").setDescription("Empty CVE").build();
-    batchReportReader.putCves(List.of(cve1, cve2, cveAllOptionalEmpty));
-
-    persistCveStep.execute(new TestComputationStepContext());
-
-    assertCvePersistedInDatabase(cve1);
-    assertCvePersistedInDatabase(cve2);
-    assertCvePersistedInDatabase(cveAllOptionalEmpty);
-  }
-
-  private void assertCvePersistedInDatabase(Cve cve) {
-    CveDto cveDto = dbClient.cveDao().selectById(dbSession, cve.getCveId())
-      .orElseGet(() -> fail(String.format("CVE with id %s not found", cve.getCveId())));
-    assertThat(cveDto.id()).isEqualTo(cve.getCveId());
-    assertThat(cveDto.description()).isEqualTo(cve.getDescription());
-    if (cve.hasCvssScore()) {
-      assertThat(cveDto.cvssScore()).isEqualTo(cve.getCvssScore());
-    } else {
-      assertThat(cveDto.cvssScore()).isNull();
-    }
-    if (cve.hasEpssScore()) {
-      assertThat(cveDto.epssScore()).isEqualTo(cve.getEpssScore());
-    } else {
-      assertThat(cveDto.epssScore()).isNull();
-    }
-    if (cve.hasEpssPercentile()) {
-      assertThat(cveDto.epssPercentile()).isEqualTo(cve.getEpssPercentile());
-    } else {
-      assertThat(cveDto.epssPercentile()).isNull();
-    }
-    if (cve.hasPublishedDate()) {
-      assertThat(cveDto.publishedAt()).isEqualTo(cve.getPublishedDate());
-    } else {
-      assertThat(cveDto.publishedAt()).isNull();
-    }
-    if (cve.hasLastModifiedDate()) {
-      assertThat(cveDto.lastModifiedAt()).isEqualTo(cve.getLastModifiedDate());
-    } else {
-      assertThat(cveDto.lastModifiedAt()).isNull();
-    }
-    assertThat(cveDto.uuid()).isNotBlank();
-    assertThat(cveDto.createdAt()).isNotNull();
-    assertThat(cveDto.updatedAt()).isNotNull();
-  }
-
-  @Test
-  void execute_shoudUpdateExistingCves() {
-    dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 10.0, 20.0, 30.0, 0L, 0L, 0L, 0L));
-    dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-2", "CVE-2", "Old description 2", null, null, null, null, null, 0L, 0L));
-    db.commit();
-    Cve cve1 = buildCve("1").build();
-    Cve cve2 = buildCve("2").build();
-    batchReportReader.putCves(List.of(cve1, cve2));
-
-    persistCveStep.execute(new TestComputationStepContext());
-
-    assertThat(db.countRowsOfTable(dbSession, "cves")).isEqualTo(2);
-    assertCvePersistedInDatabase(cve1);
-    assertCvePersistedInDatabase(cve2);
-  }
-
-  @Test
-  void execute_shouldInsertCwes_whenNewCVEs() {
-    Cve cve1 = buildCve("1").addCwe("CWE-11").addCwe("CWE-12").build();
-    Cve cve2 = buildCve("2").addCwe("CWE-11").build();
-    batchReportReader.putCves(List.of(cve1, cve2));
-
-    persistCveStep.execute(new TestComputationStepContext());
-
-    assertCveHasExactlyCwes(cve1, "CWE-11", "CWE-12");
-    assertCveHasExactlyCwes(cve2, "CWE-11");
-  }
-
-  @Test
-  void execute_shouldUpdateExistingCwesAndInsertNewOnes_whenUpdatingCVEs() {
-    dbClient.cveDao().insert(dbSession, new CveDto("cve-uuid-1", "CVE-1", "Old description 1", 0.0, 0.0, 0.0, 0L, 0L, 0L, 0L));
-    dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-1"));
-    dbClient.cveCweDao().insert(dbSession, new CveCweDto("cve-uuid-1", "CWE-2"));
-    db.commit();
-    Cve cve = buildCve("1").addCwe("CWE-2").addCwe("CWE-3").build();
-    batchReportReader.putCves(List.of(cve));
-
-    persistCveStep.execute(new TestComputationStepContext());
-
-    assertCveHasExactlyCwes(cve, "CWE-2", "CWE-3");
-  }
-
-  private void assertCveHasExactlyCwes(Cve cve, String... cwes) {
-    Set<String> cweInDb = dbClient.cveCweDao().selectByCveUuid(dbSession, getCveUuid(cve.getCveId()));
-    assertThat(cweInDb).containsExactlyInAnyOrder(cwes);
-  }
-
-  private String getCveUuid(String cveId) {
-    return dbClient.cveDao().selectById(dbSession, cveId)
-      .map(CveDto::uuid)
-      .orElseGet(() -> fail("CVE not found"));
-  }
-
-  private static Cve.Builder buildCve(String suffix) {
-    return Cve.newBuilder()
-      .setCveId("CVE-"+suffix)
-      .setCvssScore(7.5F)
-      .setEpssScore(0.1F)
-      .setEpssPercentile(0.4F)
-      .setDescription("Some CVE description "+suffix)
-      .setLastModifiedDate(5L)
-      .setPublishedDate(4L);
-  }
-}
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
index f59adf02fd0..990a2c4fda6 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReader.java
@@ -71,8 +71,6 @@ public interface BatchReportReader {
 
   CloseableIterator<ScannerReport.AnalysisWarning> readAnalysisWarnings();
 
-  CloseableIterator<ScannerReport.Cve> readCves();
-
   CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries();
 
   CloseableIterator<ScannerReport.Dependency> readDependencies();
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
index ee5ac203150..da93123366e 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImpl.java
@@ -228,12 +228,6 @@ public class BatchReportReaderImpl implements BatchReportReader {
     return delegate.readAnalysisWarnings();
   }
 
-  @Override
-  public CloseableIterator<ScannerReport.Cve> readCves() {
-    ensureInitialized();
-    return delegate.readCves();
-  }
-
   @Override
   public CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries() {
     ensureInitialized();
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
index 4f014fde255..3100a1368b6 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/issue/TrackerRawInputFactory.java
@@ -270,9 +270,6 @@ public class TrackerRawInputFactory {
       }
       issue.setIsFromExternalRuleEngine(true);
       issue.setLocations(dbLocationsBuilder.build());
-      if (reportExternalIssue.hasCveId()) {
-        issue.setCveId(reportExternalIssue.getCveId());
-      }
 
       return issue;
     }
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
deleted file mode 100644
index 304c7280e7a..00000000000
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/PersistCveStep.java
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2024 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.ce.task.projectanalysis.step;
-
-import java.util.HashSet;
-import java.util.Set;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.sonar.api.utils.System2;
-import org.sonar.ce.task.projectanalysis.batch.BatchReportReader;
-import org.sonar.ce.task.step.ComputationStep;
-import org.sonar.core.util.CloseableIterator;
-import org.sonar.core.util.UuidFactory;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.dependency.CveCweDto;
-import org.sonar.db.dependency.CveDto;
-import org.sonar.scanner.protocol.output.ScannerReport;
-
-/**
- * Step that persists CVEs and their CWEs in the database.
- * CVEs are inserted or updated in the database based on the information from the scanner report.
- * If CWEs need to be updated, we simply remove all CWEs from the CVE and insert what is sent by the scanner.
- */
-public class PersistCveStep implements ComputationStep {
-
-  private static final Logger LOG = LoggerFactory.getLogger(PersistCveStep.class);
-
-  private final BatchReportReader batchReportReader;
-  private final DbClient dbClient;
-  private final UuidFactory uuidFactory;
-  private final System2 system2;
-
-  public PersistCveStep(BatchReportReader batchReportReader, DbClient dbClient, UuidFactory uuidFactory, System2 system2) {
-    this.batchReportReader = batchReportReader;
-    this.dbClient = dbClient;
-    this.uuidFactory = uuidFactory;
-    this.system2 = system2;
-  }
-
-  @Override
-  public String getDescription() {
-    return "Persist CVEs";
-  }
-
-  @Override
-  public void execute(Context context) {
-    int count = 0;
-    try (DbSession dbSession = dbClient.openSession(false);
-      CloseableIterator<ScannerReport.Cve> batchCves = batchReportReader.readCves()) {
-      while (batchCves.hasNext()) {
-        updateOrInsertCve(dbSession, batchCves.next());
-        count++;
-      }
-      LOG.debug("{} CVEs were imported/updated", count);
-      dbSession.commit();
-    } catch (Exception exception) {
-      throw new IllegalStateException(String.format("CVEs import failed after processing %d CVEs successfully", count), exception);
-    }
-  }
-
-  private void updateOrInsertCve(DbSession dbSession, ScannerReport.Cve scannerCve) {
-    dbClient.cveDao().selectById(dbSession, scannerCve.getCveId())
-      .ifPresentOrElse(
-        cveDto -> updateCve(dbSession, cveDto, scannerCve),
-        () -> insertCve(dbSession, scannerCve));
-  }
-
-  private void updateCve(DbSession dbSession, CveDto cveInDb, ScannerReport.Cve scannerCve) {
-    CveDto dtoForUpdate = toDtoForUpdate(scannerCve, cveInDb);
-    dbClient.cveDao().update(dbSession, dtoForUpdate);
-    String cveUuid = cveInDb.uuid();
-    deleteThenInsertCwesIfUpdated(dbSession, scannerCve, cveUuid);
-  }
-
-  private CveDto toDtoForUpdate(ScannerReport.Cve cve, CveDto cveInDb) {
-    return toDto(cve, cveInDb.uuid(), cveInDb.createdAt(), system2.now());
-  }
-
-  private void deleteThenInsertCwesIfUpdated(DbSession dbSession, ScannerReport.Cve scannerCve, String cveUuid) {
-    Set<String> cweInDb = dbClient.cveCweDao().selectByCveUuid(dbSession, cveUuid);
-    Set<String> cweFromReport = new HashSet<>(scannerCve.getCweList());
-    if (!cweInDb.equals(cweFromReport)) {
-      dbClient.cveCweDao().deleteByCveUuid(dbSession, cveUuid);
-      cweFromReport.forEach(cwe -> dbClient.cveCweDao().insert(dbSession, new CveCweDto(cveUuid, cwe)));
-    }
-  }
-
-  private void insertCve(DbSession dbSession, ScannerReport.Cve scannerCve) {
-    CveDto dtoForInsert = toDtoForInsert(scannerCve);
-    dbClient.cveDao().insert(dbSession, dtoForInsert);
-    scannerCve.getCweList().forEach(cwe -> dbClient.cveCweDao().insert(dbSession, new CveCweDto(dtoForInsert.uuid(), cwe)));
-  }
-
-  private CveDto toDtoForInsert(ScannerReport.Cve cve) {
-    long now = system2.now();
-    return toDto(cve, uuidFactory.create(), now, now);
-  }
-
-  private static CveDto toDto(ScannerReport.Cve cve, String uuid, Long createdAt, Long updatedAt) {
-    return new CveDto(
-      uuid,
-      cve.getCveId(),
-      cve.getDescription(),
-      cve.hasCvssScore() ? cve.getCvssScore() : null,
-      cve.hasEpssScore() ? cve.getEpssScore() : null,
-      cve.hasEpssPercentile() ? cve.getEpssPercentile() : null,
-      cve.hasPublishedDate() ? cve.getPublishedDate() : null,
-      cve.hasLastModifiedDate() ? cve.getLastModifiedDate() : null,
-      createdAt,
-      updatedAt);
-  }
-
-}
diff --git a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
index 2b03acf02aa..d5004afc420 100644
--- a/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
+++ b/server/sonar-ce-task-projectanalysis/src/main/java/org/sonar/ce/task/projectanalysis/step/ReportComputationSteps.java
@@ -114,7 +114,6 @@ public class ReportComputationSteps extends AbstractComputationSteps {
     PersistProjectMeasuresStep.class,
     PersistMeasuresStep.class,
     PersistAdHocRulesStep.class,
-    PersistCveStep.class,
     PersistIssuesStep.class,
     CleanIssueChangesStep.class,
     PersistProjectLinksStep.class,
diff --git a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
index 7019e756d2a..d181d85263f 100644
--- a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
+++ b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderImplTest.java
@@ -30,7 +30,6 @@ import org.sonar.api.impl.utils.JUnitTempFolder;
 import org.sonar.core.util.CloseableIterator;
 import org.sonar.scanner.protocol.output.FileStructure;
 import org.sonar.scanner.protocol.output.ScannerReport;
-import org.sonar.scanner.protocol.output.ScannerReport.Cve;
 import org.sonar.scanner.protocol.output.ScannerReportWriter;
 
 import static com.google.common.collect.ImmutableList.of;
@@ -301,28 +300,4 @@ public class BatchReportReaderImplTest {
     assertThat(res).toIterable().containsExactlyElementsOf(warnings);
     res.close();
   }
-
-  @Test
-  public void readCves_shouldReturnCves() {
-    Cve cve1 = builCve("1").build();
-    writer.appendCve(cve1);
-    Cve cve2 = builCve("2").build();
-    writer.appendCve(cve2);
-
-    CloseableIterator<Cve> cveCloseableIterator = underTest.readCves();
-
-    assertThat(cveCloseableIterator).toIterable().containsExactlyInAnyOrder(cve1, cve2);
-  }
-
-  private Cve.Builder builCve(String suffix) {
-    return Cve.newBuilder()
-      .setCveId("CVE-" + suffix)
-      .addCwe("CWE-" + suffix)
-      .setDescription("Some CVE description " + suffix)
-      .setCvssScore(7.5F)
-      .setEpssScore(0.1F)
-      .setEpssPercentile(0.1F)
-      .setLastModifiedDate(1L)
-      .setPublishedDate(2L);
-  }
 }
diff --git a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
index a87484dcffc..d57b4026eb7 100644
--- a/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
+++ b/server/sonar-ce-task-projectanalysis/src/test/java/org/sonar/ce/task/projectanalysis/batch/BatchReportReaderRule.java
@@ -62,7 +62,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
   private Map<Integer, ScannerReport.ChangedLines> changedLines = new HashMap<>();
   private List<ScannerReport.AnalysisWarning> analysisWarnings = Collections.emptyList();
   private byte[] analysisCache;
-  private List<ScannerReport.Cve> cves = new ArrayList<>();
   private List<ScannerReport.TelemetryEntry> telemetryEntries = new ArrayList<>();
   private List<ScannerReport.Dependency> dependencies = new ArrayList<>();
 
@@ -330,11 +329,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
     clear();
   }
 
-  @Override
-  public CloseableIterator<ScannerReport.Cve> readCves() {
-    return CloseableIterator.from(cves.iterator());
-  }
-
   @Override
   public CloseableIterator<ScannerReport.TelemetryEntry> readTelemetryEntries() {
     return CloseableIterator.from(telemetryEntries.iterator());
@@ -345,11 +339,6 @@ public class BatchReportReaderRule implements TestRule, BatchReportReader, After
     return this;
   }
 
-  public BatchReportReaderRule putCves(List<ScannerReport.Cve> cves) {
-    this.cves = cves;
-    return this;
-  }
-
   @Override
   public CloseableIterator<ScannerReport.Dependency> readDependencies() {
     return CloseableIterator.from(dependencies.iterator());
diff --git a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
index 6a904f15ee5..449c272c8df 100644
--- a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
+++ b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
@@ -44,7 +44,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
   private RuleType type;
   private String engineId;
   private String ruleId;
-  private String cveId;
   private Map<SoftwareQuality, org.sonar.api.issue.impact.Severity> impacts = new EnumMap<>(SoftwareQuality.class);
   private CleanCodeAttribute cleanCodeAttribute;
 
@@ -85,10 +84,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
     return ruleId;
   }
 
-  public String cveId() {
-    return cveId;
-  }
-
   @Override
   public Severity severity() {
     return this.severity;
@@ -136,11 +131,6 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
     return this;
   }
 
-  public NewExternalIssue cveId(String cveId) {
-    this.cveId = cveId;
-    return this;
-  }
-
   @Override
   public DefaultExternalIssue forRule(RuleKey ruleKey) {
     this.engineId = ruleKey.repository();
diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
index 47e5f8fe1d7..6de30db7829 100644
--- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
+++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
@@ -39,7 +39,6 @@ import org.sonar.api.batch.sensor.issue.Issue;
 import org.sonar.api.batch.sensor.issue.Issue.Flow;
 import org.sonar.api.batch.sensor.issue.MessageFormatting;
 import org.sonar.api.batch.sensor.issue.NewIssue.FlowType;
-import org.sonar.api.batch.sensor.issue.internal.DefaultExternalIssue;
 import org.sonar.api.batch.sensor.issue.internal.DefaultIssueFlow;
 import org.sonar.api.issue.impact.SoftwareQuality;
 import org.sonar.api.rules.CleanCodeAttribute;
@@ -184,10 +183,6 @@ public class IssuePublisher {
     TextRange primaryTextRange = issue.primaryLocation().textRange();
 
     // nullable fields
-    var cveId = ((DefaultExternalIssue) issue).cveId();
-    if (cveId != null) {
-      builder.setCveId(cveId);
-    }
     CleanCodeAttribute cleanCodeAttribute = issue.cleanCodeAttribute();
     if (cleanCodeAttribute != null) {
       builder.setCleanCodeAttribute(cleanCodeAttribute.name());
diff --git a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
index 584bf3dbfd7..21c1cd56c47 100644
--- a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
+++ b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
@@ -199,10 +199,6 @@ public class AnalysisResult implements AnalysisObserver {
     return readFromReport(ScannerReportReader::readAdHocRules);
   }
 
-  public List<ScannerReport.Cve> cves() {
-    return readFromReport(ScannerReportReader::readCves);
-  }
-
   public List<ScannerReport.Dependency> dependencies() {
     return readFromReport(ScannerReportReader::readDependencies);
   }
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
index 5c59f112838..aaf677d55fc 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/FileStructure.java
@@ -82,10 +82,6 @@ public class FileStructure {
     return new File(dir, "adhocrules.pb");
   }
 
-  public File cves() {
-    return new File(dir, "cves.pb");
-  }
-
   public File fileFor(Domain domain, int componentRef) {
     return new File(dir, domain.filePrefix + componentRef + domain.fileSuffix);
   }
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
index 6e48f5b7809..48fdb6b7983 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportReader.java
@@ -61,14 +61,6 @@ public class ScannerReportReader {
     return Protobuf.readStream(file, ScannerReport.AdHocRule.parser());
   }
 
-  public CloseableIterator<ScannerReport.Cve> readCves() {
-    File file = fileStructure.cves();
-    if (!fileExists(file)) {
-      return emptyCloseableIterator();
-    }
-    return Protobuf.readStream(file, ScannerReport.Cve.parser());
-  }
-
   public CloseableIterator<ScannerReport.Measure> readComponentMeasures(int componentRef) {
     File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
     if (fileExists(file)) {
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
index 1c202ab8605..424b9bebccf 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/output/ScannerReportWriter.java
@@ -97,11 +97,6 @@ public class ScannerReportWriter {
     appendDelimitedTo(file, adHocRule, "ad hoc rule");
   }
 
-  public void appendCve(ScannerReport.Cve cve) {
-    File file = fileStructure.cves();
-    appendDelimitedTo(file, cve, "cve");
-  }
-
   public void appendComponentMeasure(int componentRef, ScannerReport.Measure measure) {
     File file = fileStructure.fileFor(FileStructure.Domain.MEASURES, componentRef);
     appendDelimitedTo(file, measure, "measure");
diff --git a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
index 33928bb8fe2..e21a64a8bed 100644
--- a/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
+++ b/sonar-scanner-protocol/src/main/java/org/sonar/scanner/protocol/viewer/ScannerReportViewerApp.java
@@ -101,8 +101,6 @@ public class ScannerReportViewerApp {
   private JEditorPane activeRuleEditor;
   private JScrollPane adHocRuleTab;
   private JEditorPane adHocRuleEditor;
-  private JScrollPane cveTab;
-  private JEditorPane cveEditor;
   private JScrollPane qualityProfileTab;
   private JEditorPane qualityProfileEditor;
   private JScrollPane pluginTab;
@@ -201,7 +199,6 @@ public class ScannerReportViewerApp {
     loadComponents();
     updateActiveRules();
     updateAdHocRules();
-    updateCves();
     updateQualityProfiles();
     updatePlugins();
     updateMetadata();
@@ -405,18 +402,6 @@ public class ScannerReportViewerApp {
     }
   }
 
-  private void updateCves() {
-    cveEditor.setText("");
-
-    StringBuilder builder = new StringBuilder();
-    try (CloseableIterator<ScannerReport.Cve> cveCloseableIterator = reader.readCves()) {
-      while (cveCloseableIterator.hasNext()) {
-        builder.append(cveCloseableIterator.next().toString()).append("\n");
-      }
-      cveEditor.setText(builder.toString());
-    }
-  }
-
   private void updateQualityProfiles() {
     qualityProfileEditor.setText("");
 
@@ -609,12 +594,6 @@ public class ScannerReportViewerApp {
     adHocRuleEditor = new JEditorPane();
     adHocRuleTab.setViewportView(adHocRuleEditor);
 
-    cveTab = new JScrollPane();
-    tabbedPane.addTab("CVEs", null, cveTab, null);
-
-    cveEditor = new JEditorPane();
-    cveTab.setViewportView(cveEditor);
-
     qualityProfileTab = new JScrollPane();
     tabbedPane.addTab("Quality Profiles", null, qualityProfileTab, null);
 
diff --git a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
index c062c0ca161..74ff2bc0404 100644
--- a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
+++ b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
@@ -96,7 +96,7 @@ message ActiveRule {
   string rule_repository = 1;
   string rule_key = 2;
   Severity severity = 3;
-  map<string,string> params_by_key = 4;
+  map<string, string> params_by_key = 4;
   int64 createdAt = 5;
   int64 updatedAt = 6;
   string q_profile_key = 7;
@@ -143,8 +143,8 @@ message Component {
   enum ComponentType {
     UNSET = 0;
     PROJECT = 1;
-    MODULE = 2 [deprecated=true];
-    DIRECTORY = 3 [deprecated=true];
+    MODULE = 2 [deprecated = true];
+    DIRECTORY = 3 [deprecated = true];
     FILE = 4;
   }
 
@@ -221,31 +221,19 @@ message ExternalIssue {
   repeated MessageFormatting msgFormatting = 9;
   repeated Impact impacts = 10;
   optional string cleanCodeAttribute = 11;
-  optional string cve_id = 12;
 }
 
 message AdHocRule {
-    string engine_id = 1;
-    string rule_id = 2;
-    string name = 3;
-    string description = 4;
+  string engine_id = 1;
+  string rule_id = 2;
+  string name = 3;
+  string description = 4;
   optional Severity severity = 5;
   optional IssueType type = 6;
   optional string cleanCodeAttribute = 7;
   repeated Impact defaultImpacts = 8;
 }
 
-message Cve {
-  string cve_id = 1;
-  string description = 2;
-  optional double cvss_score = 3;
-  optional double epss_score = 4;
-  optional double epss_percentile = 5;
-  optional int64 published_date = 6;
-  optional int64 last_modified_date = 7;
-  repeated string cwe = 8;
-}
-
 enum IssueType {
   UNSET = 0;
   CODE_SMELL = 1;
diff --git a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
index 61d81401f16..9b72dab0c51 100644
--- a/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
+++ b/sonar-scanner-protocol/src/test/java/org/sonar/scanner/protocol/output/ScannerReportWriterTest.java
@@ -21,7 +21,6 @@ package org.sonar.scanner.protocol.output;
 
 import com.google.common.collect.Iterators;
 import java.io.File;
-import java.time.Instant;
 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -145,28 +144,6 @@ class ScannerReportWriterTest {
     }
   }
 
-  @Test
-  void write_cve() {
-    ScannerReport.Cve cve = ScannerReport.Cve.newBuilder()
-      .setCveId("CVE-2023-20863")
-      .setDescription("In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a" +
-        " specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.")
-      .setCvssScore(6.5f)
-      .setEpssScore(0.00306f)
-      .setEpssPercentile(0.70277f)
-      .setPublishedDate(Instant.parse("2023-04-13T20:15:00Z").toEpochMilli())
-      .setLastModifiedDate(Instant.parse("2024-02-04T02:22:24.474Z").toEpochMilli())
-      .addCwe("CWE-400")
-      .build();
-    underTest.appendCve(cve);
-
-    File file = underTest.getFileStructure().cves();
-    assertThat(file).exists().isFile();
-    try (CloseableIterator<ScannerReport.Cve> read = Protobuf.readStream(file, ScannerReport.Cve.parser())) {
-      assertThat(Iterators.size(read)).isOne();
-    }
-  }
-
   @Test
   void write_changed_lines() {
     assertThat(underTest.hasComponentData(FileStructure.Domain.CHANGED_LINES, 1)).isFalse();
@@ -374,8 +351,8 @@ class ScannerReportWriterTest {
 
     underTest.writeTelemetry(input);
 
-    try (CloseableIterator<ScannerReport.TelemetryEntry> telemetryIterator =
-           Protobuf.readStream(underTest.getFileStructure().telemetryEntries(), ScannerReport.TelemetryEntry.parser())) {
+    try (CloseableIterator<ScannerReport.TelemetryEntry> telemetryIterator = Protobuf.readStream(underTest.getFileStructure().telemetryEntries(),
+      ScannerReport.TelemetryEntry.parser())) {
 
       assertThat(telemetryIterator).toIterable()
         .containsExactlyElementsOf(input)
-- 
2.39.5