authorantoine.vinot <antoine.vinot@sonarsource.com>2024-09-02 11:10:31 +0200
committersonartech <sonartech@sonarsource.com>2024-09-12 20:02:54 +0000
commite56fc5a6aa170161d32e171cf3b499a691924bd2 (patch)
treefd3538b233db58a51aee3ba3036217520702a497 /server/sonar-db-dao/src/main
parent5abfd7e0c258569ddf65d6e27ae29e8b53748b6d (diff)
SONAR-22914 Add CVEs DB migration and DAOs
Diffstat (limited to 'server/sonar-db-dao/src/main')
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/DaoModule.java8
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/DbClient.java24
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/MyBatis.java18
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDao.java39
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDto.java23
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweMapper.java28
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDao.java39
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDto.java35
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveMapper.java26
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDao.java34
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDto.java23
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyMapper.java24
-rw-r--r--server/sonar-db-dao/src/main/java/org/sonar/db/dependency/package-info.java23
-rw-r--r--server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveCweMapper.xml21
-rw-r--r--server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveMapper.xml52
-rw-r--r--server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/IssuesDependencyMapper.xml15
16 files changed, 426 insertions, 6 deletions
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/DaoModule.java b/server/sonar-db-dao/src/main/java/org/sonar/db/DaoModule.java
index fb0ac071f4b..f11922bff2a 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/DaoModule.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/DaoModule.java
@@ -38,6 +38,9 @@ import org.sonar.db.component.ComponentDao;
import org.sonar.db.component.ComponentKeyUpdaterDao;
import org.sonar.db.component.ProjectLinkDao;
import org.sonar.db.component.SnapshotDao;
+import org.sonar.db.dependency.CveCweDao;
+import org.sonar.db.dependency.CveDao;
+import org.sonar.db.dependency.IssuesDependencyDao;
import org.sonar.db.duplication.DuplicationDao;
import org.sonar.db.entity.EntityDao;
import org.sonar.db.es.EsQueueDao;
@@ -65,8 +68,8 @@ import org.sonar.db.project.ProjectExportDao;
import org.sonar.db.property.InternalComponentPropertiesDao;
import org.sonar.db.property.InternalPropertiesDao;
import org.sonar.db.property.PropertiesDao;
-import org.sonar.db.provisioning.GithubOrganizationGroupDao;
import org.sonar.db.provisioning.DevOpsPermissionsMappingDao;
+import org.sonar.db.provisioning.GithubOrganizationGroupDao;
import org.sonar.db.purge.PurgeDao;
import org.sonar.db.pushevent.PushEventDao;
import org.sonar.db.qualitygate.ProjectQgateAssociationDao;
@@ -126,6 +129,8 @@ public class DaoModule extends Module {
CeTaskMessageDao.class,
ComponentDao.class,
ComponentKeyUpdaterDao.class,
+ CveDao.class,
+ CveCweDao.class,
DefaultQProfileDao.class,
DevOpsPermissionsMappingDao.class,
DuplicationDao.class,
@@ -147,6 +152,7 @@ public class DaoModule extends Module {
IssueChangeDao.class,
IssueDao.class,
IssueFixedDao.class,
+ IssuesDependencyDao.class,
LiveMeasureDao.class,
ProjectMeasureDao.class,
MetricDao.class,
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/DbClient.java b/server/sonar-db-dao/src/main/java/org/sonar/db/DbClient.java
index 598d3663e1c..d04aff1df52 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/DbClient.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/DbClient.java
@@ -38,6 +38,9 @@ import org.sonar.db.component.ComponentDao;
import org.sonar.db.component.ComponentKeyUpdaterDao;
import org.sonar.db.component.ProjectLinkDao;
import org.sonar.db.component.SnapshotDao;
+import org.sonar.db.dependency.CveCweDao;
+import org.sonar.db.dependency.CveDao;
+import org.sonar.db.dependency.IssuesDependencyDao;
import org.sonar.db.duplication.DuplicationDao;
import org.sonar.db.entity.EntityDao;
import org.sonar.db.es.EsQueueDao;
@@ -65,8 +68,8 @@ import org.sonar.db.project.ProjectExportDao;
import org.sonar.db.property.InternalComponentPropertiesDao;
import org.sonar.db.property.InternalPropertiesDao;
import org.sonar.db.property.PropertiesDao;
-import org.sonar.db.provisioning.GithubOrganizationGroupDao;
import org.sonar.db.provisioning.DevOpsPermissionsMappingDao;
+import org.sonar.db.provisioning.GithubOrganizationGroupDao;
import org.sonar.db.purge.PurgeDao;
import org.sonar.db.pushevent.PushEventDao;
import org.sonar.db.qualitygate.ProjectQgateAssociationDao;
@@ -188,7 +191,6 @@ public class DbClient {
private final ScimGroupDao scimGroupDao;
private final EntityDao entityDao;
private final AnticipatedTransitionDao anticipatedTransitionDao;
-
private final ReportScheduleDao reportScheduleDao;
private final ReportSubscriptionDao reportSubscriptionDao;
private final GithubOrganizationGroupDao githubOrganizationGroupDao;
@@ -197,6 +199,9 @@ public class DbClient {
private final ProjectExportDao projectExportDao;
private final IssueFixedDao issueFixedDao;
private final TelemetryMetricsSentDao telemetryMetricsSentDao;
+ private final CveDao cveDao;
+ private final CveCweDao cveCweDao;
+ private final IssuesDependencyDao issuesDependencyDao;
public DbClient(Database database, MyBatis myBatis, DBSessions dbSessions, Dao... daos) {
this.database = database;
@@ -291,6 +296,9 @@ public class DbClient {
projectExportDao = getDao(map, ProjectExportDao.class);
issueFixedDao = getDao(map, IssueFixedDao.class);
telemetryMetricsSentDao = getDao(map, TelemetryMetricsSentDao.class);
+ cveDao = getDao(map, CveDao.class);
+ cveCweDao = getDao(map, CveCweDao.class);
+ issuesDependencyDao = getDao(map, IssuesDependencyDao.class);
}
public DbSession openSession(boolean batch) {
@@ -646,4 +654,16 @@ public class DbClient {
public ProjectExportDao projectExportDao() {
return projectExportDao;
}
+
+ public CveDao cveDao() {
+ return cveDao;
+ }
+
+ public CveCweDao cveCweDao() {
+ return cveCweDao;
+ }
+
+ public IssuesDependencyDao issuesDependencyDao() {
+ return issuesDependencyDao;
+ }
}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatis.java b/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatis.java
index 543c465f450..4191942d8d0 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatis.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatis.java
@@ -63,6 +63,12 @@ import org.sonar.db.component.SnapshotDto;
import org.sonar.db.component.SnapshotMapper;
import org.sonar.db.component.UuidWithBranchUuidDto;
import org.sonar.db.component.ViewsSnapshotDto;
+import org.sonar.db.dependency.CveCweDto;
+import org.sonar.db.dependency.CveCweMapper;
+import org.sonar.db.dependency.CveDto;
+import org.sonar.db.dependency.CveMapper;
+import org.sonar.db.dependency.IssuesDependencyDto;
+import org.sonar.db.dependency.IssuesDependencyMapper;
import org.sonar.db.duplication.DuplicationMapper;
import org.sonar.db.duplication.DuplicationUnitDto;
import org.sonar.db.entity.EntityDto;
@@ -83,9 +89,9 @@ import org.sonar.db.issue.NewCodeReferenceIssueDto;
import org.sonar.db.issue.PrIssueDto;
import org.sonar.db.measure.LargestBranchNclocDto;
import org.sonar.db.measure.LiveMeasureMapper;
+import org.sonar.db.measure.ProjectLocDistributionDto;
import org.sonar.db.measure.ProjectMeasureDto;
import org.sonar.db.measure.ProjectMeasureMapper;
-import org.sonar.db.measure.ProjectLocDistributionDto;
import org.sonar.db.metric.MetricMapper;
import org.sonar.db.newcodeperiod.NewCodePeriodMapper;
import org.sonar.db.notification.NotificationQueueDto;
@@ -119,10 +125,10 @@ import org.sonar.db.property.InternalPropertiesMapper;
import org.sonar.db.property.InternalPropertyDto;
import org.sonar.db.property.PropertiesMapper;
import org.sonar.db.property.ScrapPropertyDto;
-import org.sonar.db.provisioning.GithubOrganizationGroupDto;
-import org.sonar.db.provisioning.GithubOrganizationGroupMapper;
import org.sonar.db.provisioning.DevOpsPermissionsMappingDto;
import org.sonar.db.provisioning.DevOpsPermissionsMappingMapper;
+import org.sonar.db.provisioning.GithubOrganizationGroupDto;
+import org.sonar.db.provisioning.GithubOrganizationGroupMapper;
import org.sonar.db.purge.PurgeMapper;
import org.sonar.db.purge.PurgeableAnalysisDto;
import org.sonar.db.pushevent.PushEventDto;
@@ -208,6 +214,8 @@ public class MyBatis {
confBuilder.loadAlias("AnticipatedTransition", AnticipatedTransitionDto.class);
confBuilder.loadAlias("CeTaskCharacteristic", CeTaskCharacteristicDto.class);
confBuilder.loadAlias("Component", ComponentDto.class);
+ confBuilder.loadAlias("Cve", CveDto.class);
+ confBuilder.loadAlias("CveCwe", CveCweDto.class);
confBuilder.loadAlias("DevOpsPermissionsMapping", DevOpsPermissionsMappingDto.class);
confBuilder.loadAlias("DuplicationUnit", DuplicationUnitDto.class);
confBuilder.loadAlias("Entity", EntityDto.class);
@@ -225,6 +233,7 @@ public class MyBatis {
confBuilder.loadAlias("KeyLongValue", KeyLongValue.class);
confBuilder.loadAlias("Impact", ImpactDto.class);
confBuilder.loadAlias("Issue", IssueDto.class);
+ confBuilder.loadAlias("IssueDependency", IssuesDependencyDto.class);
confBuilder.loadAlias("NewCodeReferenceIssue", NewCodeReferenceIssueDto.class);
confBuilder.loadAlias("ProjectMeasure", ProjectMeasureDto.class);
confBuilder.loadAlias("LargestBranchNclocDto", LargestBranchNclocDto.class);
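Review bot: The alias registered at `confBuilder.loadAlias("IssueDependency", IssuesDependencyDto.class);` drops the plural "s" that the DTO, DAO, mapper and table names all carry, so it does not follow the class-name-minus-`Dto` pattern that `"Issue"` and `"Impact"` use in the same hunk. The three mapper XML files added by this commit reference their DTOs by fully qualified name, so the alias looks unused in the visible changes and a typo here would go unnoticed until someone relies on it. I would register it as `confBuilder.loadAlias("IssuesDependency", IssuesDependencyDto.class);`. The enclosing method starts and ends outside this hunk.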
@@ -284,6 +293,8 @@ public class MyBatis {
CeTaskMessageMapper.class,
ComponentKeyUpdaterMapper.class,
ComponentMapper.class,
+ CveMapper.class,
+ CveCweMapper.class,
LiveMeasureMapper.class,
DefaultQProfileMapper.class,
DuplicationMapper.class,
@@ -304,6 +315,7 @@ public class MyBatis {
IssueChangeMapper.class,
IssueMapper.class,
IssueFixedMapper.class,
+ IssuesDependencyMapper.class,
ProjectMeasureMapper.class,
MetricMapper.class,
NewCodePeriodMapper.class,
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDao.java
new file mode 100644
index 00000000000..c974ae08e9f
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDao.java
@@ -0,0 +1,39 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+import java.util.Set;
+import org.sonar.db.Dao;
+import org.sonar.db.DbSession;
+
+public class CveCweDao implements Dao {
+
+ public void insert(DbSession session, CveCweDto cveCweDto) {
+ mapper(session).insert(cveCweDto);
+ }
+
+ private static CveCweMapper mapper(DbSession session) {
+ return session.getMapper(CveCweMapper.class);
+ }
+
+ public Set<String> selectByCveUuid(DbSession dbSession, String cveUuid) {
+ return mapper(dbSession).selectByCveUuid(cveUuid);
+ }
+}
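Review bot: Parameter naming and member order are inconsistent inside this new class: `insert` and `mapper` take `DbSession session` while `selectByCveUuid` takes `DbSession dbSession`, and the private `mapper` helper sits between the two public methods, whereas `CveDao` in the same commit uses `dbSession` throughout and puts the helper last. I would rename to `dbSession` everywhere and move `mapper` to the bottom so the three new DAOs read the same way. A one-line Javadoc on `selectByCveUuid`, such as `/** Returns the CWE values stored for the given CVE row uuid; empty when none are recorded. */`, would also help, provided the empty-set behaviour is confirmed by a test.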
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDto.java
new file mode 100644
index 00000000000..00ab0897606
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweDto.java
@@ -0,0 +1,23 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+public record CveCweDto(String cveUuid, String cwe) {
+}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweMapper.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweMapper.java
new file mode 100644
index 00000000000..612eb7ba67f
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveCweMapper.java
@@ -0,0 +1,28 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+import java.util.Set;
+
+public interface CveCweMapper {
+ void insert(CveCweDto cveCweDto);
+
+ Set<String> selectByCveUuid(String cveUuid);
+}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDao.java
new file mode 100644
index 00000000000..640ed6eb173
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDao.java
@@ -0,0 +1,39 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+import java.util.Optional;
+import org.sonar.db.Dao;
+import org.sonar.db.DbSession;
+
+public class CveDao implements Dao {
+
+ public void insert(DbSession dbSession, CveDto cveDto) {
+ mapper(dbSession).insert(cveDto);
+ }
+
+ public Optional<CveDto> selectById(DbSession dbSession, String id) {
+ return Optional.ofNullable(mapper(dbSession).selectById(id));
+ }
+
+ private static CveMapper mapper(DbSession dbSession) {
+ return dbSession.getMapper(CveMapper.class);
+ }
+}
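Review bot: `selectById` needs a Javadoc that says which key it takes, because the record carries both a `uuid` and an `id` as `String`, and the mapper XML in this commit filters on `c.id`, not on `c.uuid`. The sibling lookups (`CveCweDao.selectByCveUuid`, `IssuesDependencyDto.cveUuid`) key on the uuid, so a caller can pass the wrong value and simply get `Optional.empty()` with no error. Something like `/** Looks up a CVE by the value of its {@code id} column (presumably the public CVE identifier), not by the row {@code uuid}. */` would make the contract explicit.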
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDto.java
new file mode 100644
index 00000000000..53278c024c4
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveDto.java
@@ -0,0 +1,35 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+public record CveDto(
+ String uuid,
+ String id,
+ String description,
+ double cvssScore,
+ double epssScore,
+ double epssPercentile,
+ Long publishedAt,
+ Long lastModifiedAt,
+ Long createdAt,
+ Long updatedAt
+) {
+
+}
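Review bot: Declaring `cvssScore`, `epssScore` and `epssPercentile` as primitive `double` leaves no way to represent a CVE that has no score yet. A missing value would have to be written or read as `0.0`, which is indistinguishable from a genuine lowest score and would make an unscored vulnerability look harmless to anything that sorts or filters on these fields. Whether the columns are nullable is not visible here, since the migration lies outside the shown path; if they are, I would use `@Nullable Double cvssScore` and likewise for the two EPSS fields. The boxed `Long` timestamps also carry no `@Nullable`, while the package is annotated `@ParametersAreNonnullByDefault`, so it is worth stating which of them may be absent.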
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveMapper.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveMapper.java
new file mode 100644
index 00000000000..1cf344709ce
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/CveMapper.java
@@ -0,0 +1,26 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+public interface CveMapper {
+ void insert(CveDto cveDto);
+
+ CveDto selectById(String id);
+}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDao.java
new file mode 100644
index 00000000000..7fd6d79bf76
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDao.java
@@ -0,0 +1,34 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+import org.sonar.db.Dao;
+import org.sonar.db.DbSession;
+
+public class IssuesDependencyDao implements Dao {
+
+ public void insert(DbSession session, IssuesDependencyDto issuesDependencyDto) {
+ mapper(session).insert(issuesDependencyDto);
+ }
+
+ private static IssuesDependencyMapper mapper(DbSession session) {
+ return session.getMapper(IssuesDependencyMapper.class);
+ }
+}
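Review bot: This DAO can only insert, and the `src/main` changes in this commit contain no statement that reads or deletes `issues_dependency` rows. Unless a foreign-key cascade or a later change covers it (neither is visible here), link rows will outlive the issues they point to once those issues are purged, leaving stale issue-to-CVE associations behind. I would either add a delete keyed on issue uuids and call it from the purge path, or note in a class comment that cleanup is handled elsewhere.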
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDto.java
new file mode 100644
index 00000000000..5c43f55f4e9
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyDto.java
@@ -0,0 +1,23 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+public record IssuesDependencyDto(String issueUuid, String cveUuid) {
+}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyMapper.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyMapper.java
new file mode 100644
index 00000000000..1a14f05eec5
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/IssuesDependencyMapper.java
@@ -0,0 +1,24 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.db.dependency;
+
+public interface IssuesDependencyMapper {
+ void insert(IssuesDependencyDto issuesDependencyDto);
+}
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/package-info.java b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/package-info.java
new file mode 100644
index 00000000000..d9066c96c2f
--- /dev/null
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/dependency/package-info.java
@@ -0,0 +1,23 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+@ParametersAreNonnullByDefault
+package org.sonar.db.dependency;
+
+import javax.annotation.ParametersAreNonnullByDefault;
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveCweMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveCweMapper.xml
new file mode 100644
index 00000000000..5002efd6e28
--- /dev/null
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveCweMapper.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "mybatis-3-mapper.dtd">
+<mapper namespace="org.sonar.db.dependency.CveCweMapper">
+
+ <insert id="insert" parameterType="org.sonar.db.dependency.CveCweDto" useGeneratedKeys="false">
+ insert into cve_cwe (
+ cve_uuid,
+ cwe
+ ) values (
+ #{cveUuid, jdbcType=VARCHAR},
+ #{cwe, jdbcType=VARCHAR}
+ )
+ </insert>
+
+ <select id="selectByCveUuid" parameterType="string" resultType="string">
+ select cwe
+ from cve_cwe
+ where cve_uuid = #{cveUuid,jdbcType=VARCHAR}
+ </select>
+
+</mapper>
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveMapper.xml
new file mode 100644
index 00000000000..22833f96b4f
--- /dev/null
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/CveMapper.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "mybatis-3-mapper.dtd">
+<mapper namespace="org.sonar.db.dependency.CveMapper">
+
+ <sql id="cveColumns">
+ c.uuid as uuid,
+ c.id as id,
+ c.description as description,
+ c.cvss_score as cvssScore,
+ c.epss_score as epssScore,
+ c.epss_percentile as epssPercentile,
+ c.published_at as publishedAt,
+ c.last_modified_at as lastModifiedAt,
+ c.created_at as createdAt,
+ c.updated_at as updatedAt
+ </sql>
+
+ <insert id="insert" parameterType="org.sonar.db.dependency.CveDto" useGeneratedKeys="false">
+ insert into cves (
+ uuid,
+ id,
+ description,
+ cvss_score,
+ epss_score,
+ epss_percentile,
+ published_at,
+ last_modified_at,
+ created_at,
+ updated_at
+ ) values (
+ #{uuid, jdbcType=VARCHAR},
+ #{id, jdbcType=VARCHAR},
+ #{description, jdbcType=VARCHAR},
+ #{cvssScore, jdbcType=DOUBLE},
+ #{epssScore, jdbcType=DOUBLE},
+ #{epssPercentile, jdbcType=DOUBLE},
+ #{publishedAt, jdbcType=BIGINT},
+ #{lastModifiedAt, jdbcType=BIGINT},
+ #{createdAt, jdbcType=BIGINT},
+ #{updatedAt, jdbcType=BIGINT}
+ )
+ </insert>
+
+ <select id="selectById" parameterType="string" resultType="org.sonar.db.dependency.CveDto">
+ select <include refid="cveColumns"/>
+ from
+ cves c
+ where
+ c.id = #{id, jdbcType=VARCHAR}
+ </select>
+
+</mapper>
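Review bot: The `selectById` statement filters on `c.id` and is bound to a mapper method that returns a single `CveDto`, so it depends on `id` being unique in `cves`. If two rows ever share an `id`, MyBatis raises `TooManyResultsException` on this single-result select instead of returning one row. The table definition is outside the shown path, so please confirm that the migration puts a unique index on `cves.id`. The `insert` statement has no duplicate handling of its own, so that index would also be the only guard against importing the same CVE twice.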
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/IssuesDependencyMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/IssuesDependencyMapper.xml
new file mode 100644
index 00000000000..d6cb24539f3
--- /dev/null
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/dependency/IssuesDependencyMapper.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "mybatis-3-mapper.dtd">
+<mapper namespace="org.sonar.db.dependency.IssuesDependencyMapper">
+
+ <insert id="insert" parameterType="org.sonar.db.dependency.IssuesDependencyDto" useGeneratedKeys="false">
+ insert into issues_dependency (
+ issue_uuid,
+ cve_uuid
+ ) values (
+ #{issueUuid, jdbcType=VARCHAR},
+ #{cveUuid, jdbcType=VARCHAR}
+ )
+ </insert>
+
+</mapper>