eclipse-apoapsis · mnonnenmacher · Oct 1, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
@@ -67,6 +67,8 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.ReporterJob as ApiReporterJob
 import org.eclipse.apoapsis.ortserver.api.v1.model.ReporterJobConfiguration as ApiReporterJobConfiguration
 import org.eclipse.apoapsis.ortserver.api.v1.model.Repository as ApiRepository
 import org.eclipse.apoapsis.ortserver.api.v1.model.RepositoryType as ApiRepositoryType
+import org.eclipse.apoapsis.ortserver.api.v1.model.RuleViolation as ApiRuleViolation
+import org.eclipse.apoapsis.ortserver.api.v1.model.RuleViolationWithIdentifier as ApiRuleViolationWithIdentifier
 import org.eclipse.apoapsis.ortserver.api.v1.model.ScannerJob as ApiScannerJob
 import org.eclipse.apoapsis.ortserver.api.v1.model.ScannerJobConfiguration as ApiScannerJobConfiguration
 import org.eclipse.apoapsis.ortserver.api.v1.model.Secret as ApiSecret
@@ -110,6 +112,7 @@ import org.eclipse.apoapsis.ortserver.model.ReporterJob
 import org.eclipse.apoapsis.ortserver.model.ReporterJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.Repository
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
+import org.eclipse.apoapsis.ortserver.model.RuleViolationWithIdentifier
 import org.eclipse.apoapsis.ortserver.model.ScannerJob
 import org.eclipse.apoapsis.ortserver.model.ScannerJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.Secret
@@ -118,6 +121,7 @@ import org.eclipse.apoapsis.ortserver.model.SourceCodeOrigin
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityWithIdentifier
 import org.eclipse.apoapsis.ortserver.model.runs.Identifier
 import org.eclipse.apoapsis.ortserver.model.runs.Issue
+import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
 import org.eclipse.apoapsis.ortserver.model.runs.Package
 import org.eclipse.apoapsis.ortserver.model.runs.PackageManagerConfiguration
 import org.eclipse.apoapsis.ortserver.model.runs.ProcessedDeclaredLicense
@@ -481,6 +485,20 @@ fun VulnerabilityWithIdentifier.mapToApi() =
 
 fun Vulnerability.mapToApi() = ApiVulnerability(externalId, summary, description, references.map { it.mapToApi() })
 
+fun RuleViolationWithIdentifier.mapToApi() = ApiRuleViolationWithIdentifier(
+    ruleViolation.mapToApi(),
+    identifier.mapToApi()
+)
+
+fun OrtRuleViolation.mapToApi() = ApiRuleViolation(
+    rule,
+    license,
+    licenseSource,
+    severity.mapToApi(),
+    message,
+    howToFix
+)
+
 fun Identifier.mapToApi() = ApiIdentifier(type, namespace, name, version)
 
 fun VulnerabilityReference.mapToApi() = ApiVulnerabilityReference(url, scoringSystem, severity, score, vector)

@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2024 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.api.v1.model
+
+import kotlinx.serialization.Serializable
+
+@Serializable
+data class RuleViolation(
+    val rule: String,
+    val license: String?,
+    val licenseSource: String?,
+    val severity: Severity,
+    val message: String,
+    val howToFix: String
+)
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2024 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.api.v1.model
+
+import kotlinx.serialization.Serializable
+
+@Serializable
+data class RuleViolationWithIdentifier(
+    val ruleViolation: RuleViolation,
+    val identifier: Identifier
+)
@@ -44,6 +44,7 @@ import org.eclipse.apoapsis.ortserver.core.apiDocs.getLogsByRunId
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getOrtRunById
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getPackagesByRunId
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getReportByRunIdAndFileName
+import org.eclipse.apoapsis.ortserver.core.apiDocs.getRuleViolationsByRunId
 import org.eclipse.apoapsis.ortserver.core.apiDocs.getVulnerabilitiesByRunId
 import org.eclipse.apoapsis.ortserver.core.authorization.requirePermission
 import org.eclipse.apoapsis.ortserver.core.utils.pagingOptions
@@ -55,6 +56,7 @@ import org.eclipse.apoapsis.ortserver.logaccess.LogLevel
 import org.eclipse.apoapsis.ortserver.logaccess.LogSource
 import org.eclipse.apoapsis.ortserver.model.IssueWithIdentifier
 import org.eclipse.apoapsis.ortserver.model.OrtRun
+import org.eclipse.apoapsis.ortserver.model.RuleViolationWithIdentifier
 import org.eclipse.apoapsis.ortserver.model.VulnerabilityWithIdentifier
 import org.eclipse.apoapsis.ortserver.model.authorization.RepositoryPermission
 import org.eclipse.apoapsis.ortserver.model.repositories.OrtRunRepository
@@ -63,6 +65,7 @@ import org.eclipse.apoapsis.ortserver.services.IssueService
 import org.eclipse.apoapsis.ortserver.services.PackageService
 import org.eclipse.apoapsis.ortserver.services.ReportStorageService
 import org.eclipse.apoapsis.ortserver.services.RepositoryService
+import org.eclipse.apoapsis.ortserver.services.RuleViolationService
 import org.eclipse.apoapsis.ortserver.services.VulnerabilityService
 
 import org.koin.ktor.ext.inject
@@ -75,6 +78,7 @@ fun Route.runs() = route("runs/{runId}") {
     val ortRunRepository by inject<OrtRunRepository>()
     val repositoryService by inject<RepositoryService>()
     val vulnerabilityService by inject<VulnerabilityService>()
+    val ruleViolationService by inject<RuleViolationService>()
     val packageService by inject<PackageService>()
 
     get(getOrtRunById) { _ ->
@@ -152,6 +156,23 @@ fun Route.runs() = route("runs/{runId}") {
         }
     }
 
+    route("rule-violations") {
+        get(getRuleViolationsByRunId) {
+            call.forRun(ortRunRepository) { ortRun ->
+                requirePermission(RepositoryPermission.READ_ORT_RUNS.roleName(ortRun.repositoryId))
+
+                val pagingOptions = call.pagingOptions(SortProperty("external_id", SortDirection.ASCENDING))
+
+                val ruleViolationsForOrtRun =
+                    ruleViolationService.listForOrtRunId(ortRun.id, pagingOptions.mapToModel())
+
+                val pagedResponse = ruleViolationsForOrtRun.mapToApi(RuleViolationWithIdentifier::mapToApi)
+
+                call.respond(HttpStatusCode.OK, pagedResponse)
+            }
+        }
+    }
+
     route("packages") {
         get(getPackagesByRunId) {
             call.forRun(ortRunRepository) { ortRun ->

@@ -36,6 +36,8 @@ import org.eclipse.apoapsis.ortserver.api.v1.model.PagedResponse
 import org.eclipse.apoapsis.ortserver.api.v1.model.PagingData
 import org.eclipse.apoapsis.ortserver.api.v1.model.ProcessedDeclaredLicense
 import org.eclipse.apoapsis.ortserver.api.v1.model.RemoteArtifact
+import org.eclipse.apoapsis.ortserver.api.v1.model.RuleViolation
+import org.eclipse.apoapsis.ortserver.api.v1.model.RuleViolationWithIdentifier
 import org.eclipse.apoapsis.ortserver.api.v1.model.Severity
 import org.eclipse.apoapsis.ortserver.api.v1.model.SortDirection
 import org.eclipse.apoapsis.ortserver.api.v1.model.SortProperty
@@ -252,6 +254,77 @@ val getVulnerabilitiesByRunId: OpenApiRoute.() -> Unit = {
     }
 }
 
+val getRuleViolationsByRunId: OpenApiRoute.() -> Unit = {
+    operationId = "GetRuleViolationsByRunId"
+    summary = "Get the rules violations found in an ORT run."
+    tags = listOf("RuleViolations")
+
+    request {
+        pathParameter<Long>("runId") {
+            description = "The ID of the ORT run."
+        }
+
+        standardListQueryParameters()
+    }
+
+    response {
+        HttpStatusCode.OK to {
+            description = "Success."
+            jsonBody<PagedResponse<RuleViolationWithIdentifier>> {
+                example("Get vulnerabilities for an ORT run") {
+                    value = PagedResponse(
+                        listOf(
+                            RuleViolationWithIdentifier(
+                                RuleViolation(
+                                    "Unmapped declared license found",
+                                    "GPL-1.0-or-later",
+                                    "DETECTED",
+                                    Severity.ERROR,
+                                    "The declared license 'LPGL-2.1' could not be mapped to a valid SPDX expression.",
+                                    """
+                                        |Please add a declared license mapping via a curation for package
+                                        |'SpdxDocumentFile::hal:7.70.0'.
+                                        |If this is a false-positive or ineffective finding, it can be fixed in your 
+                                        |`.ort.yml` file:
+                                        |```yaml
+                                        |---
+                                        |curations:
+                                        |  packages:
+                                        |  - id: \"SpdxDocumentFile::hal:7.70.0\"
+                                        |    curations:
+                                        |      comment: \"<Describe the reason for the curation.>\"
+                                        |      declared_license_mapping:
+                                        |        LPGL-2.1: <Insert correct license.>
+                                        |```
+                                        |Documentation in how to configure curations in the `.ort.yml` file can be found
+                                        |[here](https://oss-review-toolkit.org/ort/docs/configuration/ort-yml).
+                                    """.trimMargin()
+                                ),
+                                Identifier(
+                                    "Maven",
+                                    "org.glassfish.jersey.media",
+                                    "jersey-media-jaxb",
+                                    "2.42"
+                                )
+                            )
+                        ),
+                        PagingData(
+                            limit = 20,
+                            offset = 0,
+                            totalCount = 1,
+                            sortProperties = listOf(SortProperty("packageUrl", SortDirection.ASCENDING))
+                        )
+                    )
+                }
+            }
+        }
+
+        HttpStatusCode.NotFound to {
+            description = "The ORT run does not exist."
+        }
+    }
+}
+
 val getPackagesByRunId: OpenApiRoute.() -> Unit = {
     operationId = "GetPackagesByRunId"
     summary = "Get the packages found in an ORT run."

@@ -21,19 +21,19 @@ package org.eclipse.apoapsis.ortserver.dao.tables.runs.evaluator
 
 import org.eclipse.apoapsis.ortserver.dao.tables.runs.shared.IdentifierDao
 import org.eclipse.apoapsis.ortserver.dao.tables.runs.shared.IdentifiersTable
+import org.eclipse.apoapsis.ortserver.dao.utils.SortableEntityClass
+import org.eclipse.apoapsis.ortserver.dao.utils.SortableTable
 import org.eclipse.apoapsis.ortserver.model.Severity
 import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
 
 import org.jetbrains.exposed.dao.LongEntity
-import org.jetbrains.exposed.dao.LongEntityClass
 import org.jetbrains.exposed.dao.id.EntityID
-import org.jetbrains.exposed.dao.id.LongIdTable
 import org.jetbrains.exposed.sql.and
 
 /**
  * A table to represent a rule violation.
  */
-object RuleViolationsTable : LongIdTable("rule_violations") {
+object RuleViolationsTable : SortableTable("rule_violations") {
     val rule = text("rule")
     val packageIdentifierId = reference("package_identifier_id", IdentifiersTable).nullable()
     val license = text("license").nullable()
@@ -44,7 +44,7 @@ object RuleViolationsTable : LongIdTable("rule_violations") {
 }
 
 class RuleViolationDao(id: EntityID<Long>) : LongEntity(id) {
-    companion object : LongEntityClass<RuleViolationDao>(RuleViolationsTable) {
+    companion object : SortableEntityClass<RuleViolationDao>(RuleViolationsTable) {
         fun getOrPut(ruleViolation: OrtRuleViolation): RuleViolationDao =
             findByRuleViolation(ruleViolation) ?: RuleViolationDao.new {
                 rule = ruleViolation.rule

@@ -53,6 +53,7 @@ import org.eclipse.apoapsis.ortserver.model.ReporterJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.RepositoryType
 import org.eclipse.apoapsis.ortserver.model.ScannerJobConfiguration
 import org.eclipse.apoapsis.ortserver.model.Severity
+import org.eclipse.apoapsis.ortserver.model.runs.Identifier
 import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
 
 import org.jetbrains.exposed.sql.Database
@@ -188,12 +189,19 @@ class Fixtures(private val db: Database) {
         return Jobs(analyzerJob, advisorJob, scannerJob, evaluatorJob, reporterJob, notifierJob)
     }
 
-    fun createIdentifier() = db.blockingQuery {
+    fun createIdentifier(
+        identifier: Identifier = Identifier(
+            "identifier_type",
+            "identifier_namespace",
+            "identifier_package",
+            "identifier_version"
+        )
+    ): Identifier = db.blockingQuery {
         IdentifierDao.new {
-            type = "identifier_type"
-            namespace = "identifier_namespace"
-            name = "identifier_package"
-            version = "identifier_version"
+            type = identifier.type
+            namespace = identifier.namespace
+            name = identifier.name
+            version = identifier.version
         }.mapToModel()
     }
 

@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2024 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * License-Filename: LICENSE
+ */
+
+package org.eclipse.apoapsis.ortserver.model
+
+import org.eclipse.apoapsis.ortserver.model.runs.Identifier
+import org.eclipse.apoapsis.ortserver.model.runs.OrtRuleViolation
+
+/**
+ * A union data class to associate a [OrtRuleViolation] with an [Identifier].
+ */
+data class RuleViolationWithIdentifier(
+    val ruleViolation: OrtRuleViolation,
+    val identifier: Identifier,
+)
@@ -23,6 +23,9 @@ import kotlinx.serialization.Serializable
 
 import org.eclipse.apoapsis.ortserver.model.Severity
 
+/**
+ * A data class describing an rule violation that occurred during an ORT run.
+ */
 @Serializable
 data class OrtRuleViolation(
     val rule: String,