SQRP-246 Register a UUID for SCA issues in sca_issues table

This gives each issue a UUID that spans projects & analyses.

SQRP-246 remove "get" from DbClient getter for sca issues DAO

This wasn't following the naming convention.

SQRP-287 add "IfApplicable" methods to ScaIssue

These handle two things:
 * blank values become Optional.empty instead of junk
 * allows us to get all applicable values from a ScaIssue reference
   without type-casting.

SQRP-287 add ScaIssuesDbTester

Utility methods for ScaIssues testing

SQRP-287 use a magic string value instead of empty string in ScaIssueDto

Because Oracle considers empty string to be a synonym for null.

SQRP-287 ScaIssuesDbTester vary the license saved in test issues

SQRP-247 add more unit tests for ScaIssueDto

SQRP-287 rename ScaIssue.titleIfApplicable => vulnerabilityTitleIfApplicable

SQRP-246 make assertColumnDefinition work with DECIMAL on H2

SQRP-293 add base_severity to sca_vulnerability_issues

This is the severity prior to any project-specific factors
such as reachability.

SQRP-293 increase ScaIssue test coverage

SQRP-246 Add ScaIssueDto.Builder

SQRP-246 Use a short placeholder CVE title, not giant description

SQRP-246 Add toString to ScaIssue subtypes

in sca_issues dbtester, separate new from insert

SQRP-296 replace sca_vulnerability_issues.title with cwe_ids

Replace title with cweIds in ScaIssue

Remove ScaIssueFactory to be put back with IssuesReleases

Replace title with cweids in the steps

Change severity to INFO, LOW, MEDIUM, HIGH

5 files changed, 252 insertions, 0 deletions

diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/DefaultScaIssueIdentityTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/DefaultScaIssueIdentityTest.java
new file mode 100644
index 00000000000..122e328a16b
--- /dev/null
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/DefaultScaIssueIdentityTest.java
@@ -0,0 +1,47 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.sca;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class DefaultScaIssueIdentityTest {
+
+  @Test
+  void test_constructWithValidValues() {
+    var issueIdentity = new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", "spdxLicenseId");
+    assertEquals(ScaIssueType.VULNERABILITY, issueIdentity.scaIssueType());
+    assertEquals("packageUrl", issueIdentity.packageUrl());
+    assertEquals("vulnerabilityId", issueIdentity.vulnerabilityId());
+    assertEquals("spdxLicenseId", issueIdentity.spdxLicenseId());
+  }
+
+  @Test
+  void test_throwsOnInvalidValues() {
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "", "vulnerabilityId", "spdxLicenseId"));
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, null, "vulnerabilityId", "spdxLicenseId"));
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", "", "spdxLicenseId"));
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", null, "spdxLicenseId"));
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", ""));
+    assertThrows(IllegalArgumentException.class, () -> new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", null));
+  }
+}
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueDtoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueDtoTest.java
new file mode 100644
index 00000000000..da9eb91dddf
--- /dev/null
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueDtoTest.java
@@ -0,0 +1,69 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.sca;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class ScaIssueDtoTest {
+
+  @Test
+  void test_constructWithValidValues() {
+    var dto = new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", "spdxLicenseId", 1L, 2L);
+    assertEquals("uuid", dto.uuid());
+    assertEquals(ScaIssueType.VULNERABILITY, dto.scaIssueType());
+    assertEquals("packageUrl", dto.packageUrl());
+    assertEquals("vulnerabilityId", dto.vulnerabilityId());
+    assertEquals("spdxLicenseId", dto.spdxLicenseId());
+    assertEquals(1L, dto.createdAt());
+    assertEquals(2L, dto.updatedAt());
+  }
+
+  @Test
+  void test_throwsOnInvalidValues() {
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "", "vulnerabilityId", "spdxLicenseId", 1L, 2L));
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, null, "vulnerabilityId", "spdxLicenseId", 1L, 2L));
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", "", "spdxLicenseId", 1L, 2L));
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", null, "spdxLicenseId", 1L, 2L));
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", "", 1L, 2L));
+    assertThrows(IllegalArgumentException.class, () -> new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", null, 1L, 2L));
+  }
+
+  @Test
+  void test_constructFromIdentity() {
+    var identity = new DefaultScaIssueIdentity(ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", "spdxLicenseId");
+    var dto = new ScaIssueDto("uuid", identity, 1L, 2L);
+    assertEquals("uuid", dto.uuid());
+    assertEquals(ScaIssueType.VULNERABILITY, dto.scaIssueType());
+    assertEquals("packageUrl", dto.packageUrl());
+    assertEquals("vulnerabilityId", dto.vulnerabilityId());
+    assertEquals("spdxLicenseId", dto.spdxLicenseId());
+    assertEquals(1L, dto.createdAt());
+    assertEquals(2L, dto.updatedAt());
+  }
+
+  @Test
+  void test_toBuilder_build_shouldRoundTrip() {
+    var dto = new ScaIssueDto("uuid", ScaIssueType.VULNERABILITY, "packageUrl", "vulnerabilityId", "spdxLicenseId", 1L, 2L);
+    assertEquals(dto.toBuilder().build(), dto);
+  }
+}
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueTypeTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueTypeTest.java
new file mode 100644
index 00000000000..3027f5e96bd
--- /dev/null
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaIssueTypeTest.java
@@ -0,0 +1,34 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.sca;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class ScaIssueTypeTest {
+
+  @Test
+  void test_namesAreShortEnough() {
+    for (ScaIssueType issueType : ScaIssueType.values()) {
+      assertThat(issueType.name().length()).isLessThanOrEqualTo(ScaIssueDto.SCA_ISSUE_TYPE_MAX_LENGTH);
+    }
+  }
+}
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaSeverityTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaSeverityTest.java
new file mode 100644
index 00000000000..023f2bd9b20
--- /dev/null
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaSeverityTest.java
@@ -0,0 +1,57 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.sca;
+
+import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
+import org.sonar.api.issue.impact.Severity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class ScaSeverityTest {
+  private static void assertSortOrder(ScaSeverity lower, ScaSeverity higher) {
+    assertThat(lower.databaseSortKey())
+      .as(lower + " sorts below " + higher)
+      .isLessThan(higher.databaseSortKey());
+  }
+
+  @Test
+  void test_maxLength() {
+    for (ScaSeverity severity : ScaSeverity.values()) {
+      assertThat(severity.name().length()).as(severity.name() + " is short enough")
+        .isLessThanOrEqualTo(ScaSeverity.MAX_NAME_LENGTH);
+    }
+  }
+
+  @Test
+  void test_sortKeysInOrder() {
+    assertSortOrder(ScaSeverity.INFO, ScaSeverity.LOW);
+    assertSortOrder(ScaSeverity.LOW, ScaSeverity.MEDIUM);
+    assertSortOrder(ScaSeverity.MEDIUM, ScaSeverity.HIGH);
+    assertSortOrder(ScaSeverity.HIGH, ScaSeverity.BLOCKER);
+  }
+
+  @Test
+  void test_matchesImpactSeverity() {
+    assertThat(Stream.of(ScaSeverity.values()).map(Enum::name).toList())
+      .as("ScaSeverity has the same values in the same order as impact.Severity")
+      .isEqualTo(Stream.of(Severity.values()).map(Enum::name).toList());
+  }
+}
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaVulnerabilityIssueDtoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaVulnerabilityIssueDtoTest.java
new file mode 100644
index 00000000000..1019f1e3e5d
--- /dev/null
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/sca/ScaVulnerabilityIssueDtoTest.java
@@ -0,0 +1,45 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.sca;
+
+import java.math.BigDecimal;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class ScaVulnerabilityIssueDtoTest {
+  @Test
+  void test_cweIdsLength_handledByTypeHandler() {
+    // this test is here to prevent accidentally messing it up
+    assertThat(ScaVulnerabilityIssueDto.CWE_IDS_MAX_LENGTH).isLessThanOrEqualTo(ListOfStringsTypeHandler.MAXIMUM_LENGTH);
+  }
+
+  @Test
+  void test_toBuilder_build_shouldRoundTrip() {
+    var scaVulnerabilityIssueDto = new ScaVulnerabilityIssueDto("sca-issue-uuid",
+      ScaSeverity.INFO,
+      List.of("cwe"),
+      new BigDecimal("7.1"),
+      1L,
+      2L);
+    assertThat(scaVulnerabilityIssueDto.toBuilder().build()).isEqualTo(scaVulnerabilityIssueDto);
+  }
+}