author | Havoc Pennington <hp@pobox.com> | 2025-03-11 16:50:25 -0400 |
committer | sonartech <sonartech@sonarsource.com> | 2025-03-12 20:03:12 +0000 |
commit | 6807296461cdc88a01660fe5f7ce4c3b2fd35517 (patch) | |
tree | 870f2a533249173dcc1f99ef1a780d03fca46d37 | |
parent | e0d606a3864d90e1b66d01a1e49555b83ea0357e (diff) | |
download | sonarqube-6807296461cdc88a01660fe5f7ce4c3b2fd35517.tar.gz sonarqube-6807296461cdc88a01660fe5f7ce4c3b2fd35517.zip |
SCA-109 add version to IssueReleaseDetails and pass purl_in_use to vulnerability details cloud API
5 files changed, 67 insertions, 37 deletions
diff --git a/server/sonar-db-dao/src/it/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDaoIT.java b/server/sonar-db-dao/src/it/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDaoIT.java
index cfd4604660b..1ef369a11c2 100644
--- a/server/sonar-db-dao/src/it/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDaoIT.java
+++ b/server/sonar-db-dao/src/it/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDaoIT.java
@@ -69,6 +69,8 @@ class ScaIssuesReleasesDetailsDaoIT {
 issue1.scaReleaseUuid(),
 ScaIssueType.VULNERABILITY,
 false,
+ issue1.version(),
+ issue1.releasePackageUrl(),
 "fakePackageUrl1",
 "fakeVulnerabilityId1",
 ScaIssueDto.NULL_VALUE,
@@ -83,6 +85,8 @@ class ScaIssuesReleasesDetailsDaoIT {
 issue2.scaReleaseUuid(),
 ScaIssueType.PROHIBITED_LICENSE,
 false,
+ issue2.version(),
+ issue2.releasePackageUrl(),
 ScaIssueDto.NULL_VALUE,
 ScaIssueDto.NULL_VALUE,
 "0BSD",
@@ -475,6 +479,39 @@ class ScaIssuesReleasesDetailsDaoIT {
 List.of(issue1, issue2, issue3, issue4, issue5, issue6));
 }
+ @Test
+ void selectByScaIssueReleaseUuid_shouldReturnAnIssue() {
+ var projectData = db.components().insertPrivateProject();
+ var componentDto = projectData.getMainBranchComponent();
+ var issue1 = db.getScaIssuesReleasesDetailsDbTester().insertIssue(ScaIssueType.VULNERABILITY, "1", componentDto.uuid());
+
+ // insert another issue to assert that it's not selected
+ db.getScaIssuesReleasesDetailsDbTester().insertIssue(ScaIssueType.PROHIBITED_LICENSE, "2", componentDto.uuid());
+
+ ScaIssueReleaseDetailsDto expected = new ScaIssueReleaseDetailsDto(
+ issue1.scaIssueReleaseUuid(),
+ issue1.severity(),
+ issue1.scaIssueUuid(),
+ issue1.scaReleaseUuid(),
+ ScaIssueType.VULNERABILITY,
+ false,
+ issue1.version(),
+ issue1.releasePackageUrl(),
+ "fakePackageUrl1",
+ "fakeVulnerabilityId1",
+ ScaIssueDto.NULL_VALUE,
+ ScaSeverity.INFO,
+ List.of("cwe1"),
+ new BigDecimal("7.1"),
+ issue1.createdAt());
+
+ var foundIssue = scaIssuesReleasesDetailsDao.selectByScaIssueReleaseUuid(db.getSession(), issue1.scaIssueReleaseUuid());
+ assertThat(foundIssue).isEqualTo(expected);
+
+ var notFoundIssue = scaIssuesReleasesDetailsDao.selectByScaIssueReleaseUuid(db.getSession(), "00000");
+ assertThat(notFoundIssue).isNull();
+ }
+
 private record QueryTestData(ProjectData projectData, ComponentDto componentDto, List<ScaIssueReleaseDetailsDto> expectedIssues) {
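Review bot: The expected value in selectByScaIssueReleaseUuid_shouldReturnAnIssue is built with a 15-argument positional constructor call, and this very commit shows how brittle that is — adding two record components meant editing every such call site, and a transposed `version`/`releasePackageUrl` argument (both `String`) would only surface as a whole-record equality failure with no hint of which field moved. Since the record has a Builder with `setVersion`/`setReleasePackageUrl` (see the ScaIssueReleaseDetailsDto hunks in this commit), consider constructing `expected` through it, or at least assert the two new fields by name, e.g. `assertThat(foundIssue.version()).isEqualTo(issue1.version());` and `assertThat(foundIssue.releasePackageUrl()).isEqualTo(issue1.releasePackageUrl());`, so a mapper column mix-up is reported by field. The trailing context lines of this hunk appear to be cut off in this view.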
@@ -545,35 +582,4 @@ class ScaIssuesReleasesDetailsDaoIT {
 };
 }
 }
-
- @Test
- void selectByScaIssueReleaseUuid_shouldReturnAnIssue() {
- var projectData = db.components().insertPrivateProject();
- var componentDto = projectData.getMainBranchComponent();
- var issue1 = db.getScaIssuesReleasesDetailsDbTester().insertIssue(ScaIssueType.VULNERABILITY, "1", componentDto.uuid());
-
- // insert another issue to assert that it's not selected
- db.getScaIssuesReleasesDetailsDbTester().insertIssue(ScaIssueType.PROHIBITED_LICENSE, "2", componentDto.uuid());
-
- ScaIssueReleaseDetailsDto expected = new ScaIssueReleaseDetailsDto(
- issue1.scaIssueReleaseUuid(),
- issue1.severity(),
- issue1.scaIssueUuid(),
- issue1.scaReleaseUuid(),
- ScaIssueType.VULNERABILITY,
- false,
- "fakePackageUrl1",
- "fakeVulnerabilityId1",
- ScaIssueDto.NULL_VALUE,
- ScaSeverity.INFO,
- List.of("cwe1"),
- new BigDecimal("7.1"),
- 1L);
-
- var foundIssue = scaIssuesReleasesDetailsDao.selectByScaIssueReleaseUuid(db.getSession(), issue1.scaIssueReleaseUuid());
- assertThat(foundIssue).isEqualTo(expected);
-
- var notFoundIssue = scaIssuesReleasesDetailsDao.selectByScaIssueReleaseUuid(db.getSession(), "00000");
- assertThat(notFoundIssue).isNull();
- }
 }
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/sca/ScaIssueReleaseDetailsDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/sca/ScaIssueReleaseDetailsDto.java
index 827ceddf64f..f2da4c66042 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/sca/ScaIssueReleaseDetailsDto.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/sca/ScaIssueReleaseDetailsDto.java
@@ -34,7 +34,7 @@ import org.sonar.api.utils.DateUtils;
 * The packageUrl parameter in particular is tricky; it's the identity packageUrl from ScaIssueDto,
 * and can be set to {@link ScaIssueDto#NULL_VALUE} if the issue is not a vulnerability. What you
 * likely want in many cases instead would be the package URLs from the individual releases,
- * those are the affected release URLs.
+ * that is the releasePackageUrl parameter and is not null.
 * </p>
 * <p>
 * Similarly, vulnerabilityId and spdxLicenseId can have {@link ScaIssueDto#NULL_VALUE} if they
@@ -47,6 +47,8 @@ public record ScaIssueReleaseDetailsDto(String scaIssueReleaseUuid,
 String scaReleaseUuid,
 ScaIssueType scaIssueType,
 boolean newInPullRequest,
+ String version,
+ String releasePackageUrl,
 String packageUrl,
 String vulnerabilityId,
 String spdxLicenseId,
@@ -69,6 +71,8 @@ public record ScaIssueReleaseDetailsDto(String scaIssueReleaseUuid,
 .setScaReleaseUuid(scaReleaseUuid)
 .setScaIssueType(scaIssueType)
 .setNewInPullRequest(newInPullRequest)
+ .setVersion(version)
+ .setReleasePackageUrl(releasePackageUrl)
 .setPackageUrl(packageUrl)
 .setVulnerabilityId(vulnerabilityId)
 .setSpdxLicenseId(spdxLicenseId)
@@ -85,6 +89,8 @@ public record ScaIssueReleaseDetailsDto(String scaIssueReleaseUuid,
 private String scaReleaseUuid;
 private ScaIssueType scaIssueType;
 private boolean newInPullRequest;
+ private String version;
+ private String releasePackageUrl;
 private String packageUrl;
 private String vulnerabilityId;
 private String spdxLicenseId;
@@ -123,6 +129,16 @@ public record ScaIssueReleaseDetailsDto(String scaIssueReleaseUuid,
 return this;
 }
+ public Builder setVersion(String version) {
+ this.version = version;
+ return this;
+ }
+
+ public Builder setReleasePackageUrl(String releasePackageUrl) {
+ this.releasePackageUrl = releasePackageUrl;
+ return this;
+ }
+
 public Builder setPackageUrl(String packageUrl) {
 this.packageUrl = packageUrl;
 return this;
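Review bot: The Javadoc hunk now promises that `releasePackageUrl` "is not null", but the record-component hunk adds `String version` and `String releasePackageUrl` with no compact constructor enforcing that, so a null coming through the mapper or a Builder caller would silently break the documented contract. If the guarantee is intended, add a compact constructor such as `public ScaIssueReleaseDetailsDto { Objects.requireNonNull(releasePackageUrl, "releasePackageUrl"); }` (with the matching `java.util.Objects` import); otherwise soften the wording to "expected to be non-null". The new `version` component gets no Javadoc at all; a sentence like `* The version and releasePackageUrl parameters describe the affected release itself (they are read from the release row, not from the issue identity).` would cover both new fields, and is consistent with the `sr.version` / `sr.package_url as release_package_url` select columns added in ScaIssuesReleasesDetailsMapper.xml. The enclosing record and its Builder continue outside these hunks.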
@@ -160,7 +176,8 @@ public record ScaIssueReleaseDetailsDto(String scaIssueReleaseUuid,
 public ScaIssueReleaseDetailsDto build() {
 return new ScaIssueReleaseDetailsDto(scaIssueReleaseUuid, severity, scaIssueUuid, scaReleaseUuid, scaIssueType,
- newInPullRequest, packageUrl, vulnerabilityId, spdxLicenseId, vulnerabilityBaseSeverity, cweIds, cvssScore, createdAt);
+ newInPullRequest, version, releasePackageUrl, packageUrl, vulnerabilityId, spdxLicenseId,
+ vulnerabilityBaseSeverity, cweIds, cvssScore, createdAt);
 }
 }
 }
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/sca/ScaIssuesReleasesDetailsMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/sca/ScaIssuesReleasesDetailsMapper.xml
index 4c3189af393..ba6f5e5f675 100644
--- a/server/sonar-db-dao/src/main/resources/org/sonar/db/sca/ScaIssuesReleasesDetailsMapper.xml
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/sca/ScaIssuesReleasesDetailsMapper.xml
@@ -11,6 +11,8 @@
 <arg column="sca_release_uuid" javaType="String"/>
 <arg column="sca_issue_type" javaType="org.sonar.db.sca.ScaIssueType" jdbcType="VARCHAR"/>
 <arg column="new_in_pull_request" javaType="_boolean"/>
+ <arg column="version" javaType="String"/>
+ <arg column="release_package_url" javaType="String"/>
 <arg column="package_url" javaType="String"/>
 <arg column="vulnerability_id" javaType="String"/>
 <arg column="spdx_license_id" javaType="String"/>
@@ -31,6 +33,8 @@
 sir.sca_release_uuid,
 si.sca_issue_type,
 sr.new_in_pull_request,
+ sr.version,
+ sr.package_url as release_package_url,
 si.package_url,
 si.vulnerability_id,
 si.spdx_license_id,
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueReleaseDetailsDtoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueReleaseDetailsDtoTest.java
index de7a64448a1..63a94e8c520 100644
--- a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueReleaseDetailsDtoTest.java
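Review bot: The two new `<arg>` elements in ScaIssuesReleasesDetailsMapper.xml carry no `name` attribute, so they are bound to the record's canonical constructor by position; their placement between `new_in_pull_request` and `package_url` is the only thing keeping `version` and `release_package_url` from landing in the wrong `String` parameter, and a swap would not fail at mapping time, only in a behavioural test. A short comment at the head of the constructor block (outside this hunk), `<!-- arg order must match the ScaIssueReleaseDetailsDto canonical constructor; version and release_package_url precede package_url -->`, would make that coupling explicit, or the args could be named to remove it. The select hunk's alias `sr.package_url as release_package_url` is what the `column="release_package_url"` arg depends on, which is worth stating in the same comment.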
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueReleaseDetailsDtoTest.java
@@ -34,6 +34,8 @@ class ScaIssueReleaseDetailsDtoTest {
 "scaReleaseUuid",
 ScaIssueType.VULNERABILITY,
 true,
+ "1.2.3",
+ "releasePackageUrl",
 "packageUrl",
 "vulnerabilityId",
 "spdxLicenseId",
diff --git a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDbTester.java b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDbTester.java
index 7c29799376e..02a5fa10e66 100644
--- a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDbTester.java
+++ b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/sca/ScaIssuesReleasesDetailsDbTester.java
@@ -34,11 +34,12 @@ public class ScaIssuesReleasesDetailsDbTester {
 }
 public static ScaIssueReleaseDetailsDto fromDtos(ScaIssueReleaseDto scaIssueReleaseDto, ScaIssueDto scaIssueDto,
- Optional<ScaVulnerabilityIssueDto> scaVulnerabilityIssueDtoOptional, boolean newInPullRequest) {
+ Optional<ScaVulnerabilityIssueDto> scaVulnerabilityIssueDtoOptional, ScaReleaseDto releaseDto) {
 // this should emulate what the mapper does when joining these tables
 return new ScaIssueReleaseDetailsDto(scaIssueReleaseDto.uuid(), scaIssueReleaseDto.severity(),
 scaIssueReleaseDto.scaIssueUuid(), scaIssueReleaseDto.scaReleaseUuid(), scaIssueDto.scaIssueType(),
- newInPullRequest, scaIssueDto.packageUrl(), scaIssueDto.vulnerabilityId(), scaIssueDto.spdxLicenseId(),
+ releaseDto.newInPullRequest(), releaseDto.version(), releaseDto.packageUrl(),
+ scaIssueDto.packageUrl(), scaIssueDto.vulnerabilityId(), scaIssueDto.spdxLicenseId(),
 scaVulnerabilityIssueDtoOptional.map(ScaVulnerabilityIssueDto::baseSeverity).orElse(null),
 scaVulnerabilityIssueDtoOptional.map(ScaVulnerabilityIssueDto::cweIds).orElse(null),
 scaVulnerabilityIssueDtoOptional.map(ScaVulnerabilityIssueDto::cvssScore).orElse(null),
@@ -51,7 +52,7 @@ public class ScaIssuesReleasesDetailsDbTester {
 var scaRelease = db.getScaReleasesDbTester().insertScaRelease(componentUuid, suffix);
 var scaIssueRelease = new ScaIssueReleaseDto("sca-issue-release-uuid-" + suffix, scaIssue, scaRelease, ScaSeverity.INFO, 1L, 2L);
 dbClient.scaIssuesReleasesDao().insert(db.getSession(), scaIssueRelease);
- return fromDtos(scaIssueRelease, scaIssue, scaVulnerabilityIssueDtoOptional, scaRelease.newInPullRequest());
+ return fromDtos(scaIssueRelease, scaIssue, scaVulnerabilityIssueDtoOptional, scaRelease);
 }
 public ScaIssueReleaseDetailsDto insertVulnerabilityIssue(String suffix, String componentUuid) {
@@ -103,6 +104,6 @@ public class ScaIssuesReleasesDetailsDbTester {
 scaIssueRelease = scaIssueReleaseModifier.apply(scaIssueRelease);
 }
 dbClient.scaIssuesReleasesDao().insert(db.getSession(), scaIssueRelease);
- return fromDtos(scaIssueRelease, scaIssue, Optional.ofNullable(scaVulnerabilityIssue), scaRelease.newInPullRequest());
+ return fromDtos(scaIssueRelease, scaIssue, Optional.ofNullable(scaVulnerabilityIssue), scaRelease);
 }
 }