SONAR-12966 Allow usage of new Security Review measures in Quality Gate

- filter out 'security_hotspots', 'new_security_hotspots'
- allow 'security_review_rating'

server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/QualityGateConditionsUpdater.java

@@ -47,18 +47,20 @@ import static java.lang.String.format;
 import static java.util.Arrays.stream;
 import static java.util.Objects.requireNonNull;
 import static org.sonar.api.measures.CoreMetrics.ALERT_STATUS_KEY;
-import static org.sonar.api.measures.CoreMetrics.SECURITY_REVIEW_RATING_KEY;
+import static org.sonar.api.measures.CoreMetrics.NEW_SECURITY_HOTSPOTS_KEY;
+import static org.sonar.api.measures.CoreMetrics.SECURITY_HOTSPOTS_KEY;
 import static org.sonar.api.measures.Metric.DIRECTION_BETTER;
 import static org.sonar.api.measures.Metric.DIRECTION_NONE;
 import static org.sonar.api.measures.Metric.DIRECTION_WORST;
 import static org.sonar.api.measures.Metric.ValueType.RATING;
+import static org.sonar.server.exceptions.BadRequestException.checkRequest;
 import static org.sonar.server.measure.Rating.E;
 import static org.sonar.server.qualitygate.Condition.Operator.GREATER_THAN;
 import static org.sonar.server.qualitygate.Condition.Operator.LESS_THAN;
 import static org.sonar.server.qualitygate.ValidRatingMetrics.isCoreRatingMetric;
-import static org.sonar.server.exceptions.BadRequestException.checkRequest;
 
 public class QualityGateConditionsUpdater {
+  public static final Set<String> INVALID_METRIC_KEYS = ImmutableSet.of(ALERT_STATUS_KEY, SECURITY_HOTSPOTS_KEY, NEW_SECURITY_HOTSPOTS_KEY);
 
   private static final Map<Integer, ImmutableSet<Condition.Operator>> VALID_OPERATORS_BY_DIRECTION = ImmutableMap.<Integer, ImmutableSet<Condition.Operator>>builder()
     .put(DIRECTION_NONE, ImmutableSet.of(GREATER_THAN, LESS_THAN))
@@ -77,8 +79,6 @@ public class QualityGateConditionsUpdater {
 
   private static final List<String> RATING_VALID_INT_VALUES = stream(Rating.values()).map(r -> Integer.toString(r.getIndex())).collect(Collectors.toList());
 
-  private static final Set<String> INVALID_METRIC_KEYS = ImmutableSet.of(ALERT_STATUS_KEY, SECURITY_REVIEW_RATING_KEY);
-
   private final DbClient dbClient;
 
   public QualityGateConditionsUpdater(DbClient dbClient) {

server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/ws/QualityGatesWs.java

@@ -29,12 +29,12 @@ import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.qualitygate.Condition;
 import org.sonar.server.ws.RemovedWebServiceHandler;
 
+import static org.sonar.server.qualitygate.QualityGateConditionsUpdater.INVALID_METRIC_KEYS;
 import static org.sonar.server.qualitygate.ws.QualityGatesWsParameters.CONTROLLER_QUALITY_GATES;
 import static org.sonar.server.qualitygate.ws.QualityGatesWsParameters.PARAM_ERROR;
 import static org.sonar.server.qualitygate.ws.QualityGatesWsParameters.PARAM_METRIC;
 import static org.sonar.server.qualitygate.ws.QualityGatesWsParameters.PARAM_OPERATOR;
 
-
 public class QualityGatesWs implements WebService {
 
   private static final int CONDITION_MAX_LENGTH = 64;
@@ -63,8 +63,7 @@ public class QualityGatesWs implements WebService {
       .setHandler(RemovedWebServiceHandler.INSTANCE)
       .setResponseExample(RemovedWebServiceHandler.INSTANCE.getResponseExample())
       .setChangelog(
-        new Change("7.0", "Unset a quality gate is no more authorized")
-      );
+        new Change("7.0", "Unset a quality gate is no more authorized"));
 
     controller.done();
   }
@@ -81,17 +80,17 @@ public class QualityGatesWs implements WebService {
         "<li>WORK_DUR</li>" +
         "<li>FLOAT</li>" +
         "<li>PERCENT</li>" +
-        "<li>LEVEL</li>" +
-        "")
+        "<li>LEVEL</li></ul>" +
+        "Following metrics are forbidden:" +
+        "<ul>" + getInvalidMetrics() + "</ul>")
       .setRequired(true)
-      .setExampleValue("blocker_violations");
+      .setExampleValue("blocker_violations, vulnerabilities, new_code_smells");
 
     action.createParam(PARAM_OPERATOR)
       .setDescription("Condition operator:<br/>" +
         "<ul>" +
         "<li>LT = is lower than</li>" +
-        "<li>GT = is greater than</li>" +
-        "</ui>")
+        "<li>GT = is greater than</li></ul>")
       .setExampleValue(Condition.Operator.GREATER_THAN.getDbValue())
       .setPossibleValues(getPossibleOperators());
 
@@ -102,6 +101,11 @@ public class QualityGatesWs implements WebService {
       .setExampleValue("10");
   }
 
+  private static String getInvalidMetrics() {
+    return INVALID_METRIC_KEYS.stream().map(s -> "<li>" + s + "</li>")
+      .collect(Collectors.joining());
+  }
+
   static Long parseId(Request request, String paramName) {
     try {
       return Long.valueOf(request.mandatoryParam(paramName));

server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualitygate/QualityGateConditionsUpdaterTest.java

@@ -38,7 +38,8 @@ import org.sonar.server.exceptions.NotFoundException;
 import static java.lang.String.format;
 import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
 import static org.sonar.api.measures.CoreMetrics.ALERT_STATUS_KEY;
-import static org.sonar.api.measures.CoreMetrics.SECURITY_REVIEW_RATING_KEY;
+import static org.sonar.api.measures.CoreMetrics.NEW_SECURITY_HOTSPOTS_KEY;
+import static org.sonar.api.measures.CoreMetrics.SECURITY_HOTSPOTS_KEY;
 import static org.sonar.api.measures.CoreMetrics.SQALE_RATING_KEY;
 import static org.sonar.api.measures.Metric.ValueType.BOOL;
 import static org.sonar.api.measures.Metric.ValueType.DATA;
@@ -316,7 +317,8 @@ public class QualityGateConditionsUpdaterTest {
   public static Object[][] invalid_metrics() {
     return new Object[][] {
       {ALERT_STATUS_KEY, INT, false},
-      {SECURITY_REVIEW_RATING_KEY, RATING, false},
+      {SECURITY_HOTSPOTS_KEY, INT, false},
+      {NEW_SECURITY_HOTSPOTS_KEY, INT, false},
       {"boolean", BOOL, false},
       {"string", STRING, false},
       {"data_metric", DATA, false},