Add analysis "detail" and audit history ("comments") to project findi…

…ngs API response

Signed-off-by: Kevin Hodder <[email protected]>

docs/_docs/integrations/file-formats.md

@@ -39,7 +39,7 @@ The **VIEW_VULNERABILITY** permission is required to use the findings API.
 
 ```json
 {
-  "version": "1.1",
+  "version": "1.2",
   "meta" : {
     "application": "Dependency-Track",
     "version": "4.5.0",
@@ -81,7 +81,20 @@ The **VIEW_VULNERABILITY** permission is required to use the findings API.
       "recommendation": "No direct patch is available..."
     },
     "analysis": {
-      "state": "NOT_SET",
+      "state": "NOT_AFFECTED",
+      "details": "Not exploitable in this project",
+      "comments": [
+        {
+          "timestamp": 1697500959345,
+          "comment": "Analysis: NOT_SET → NOT_AFFECTED",
+          "commenter": "admin"
+        },
+        {
+          "timestamp": 1697500977371,
+          "comment": "Details: Not exploitable in this project",
+          "commenter": "admin"
+        }
+      ],
       "isSuppressed": false
     },
     "matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46"

src/main/java/org/dependencytrack/model/Finding.java

@@ -81,6 +81,7 @@ public class Finding implements Serializable {
             "\"FINDINGATTRIBUTION\".\"ALT_ID\"," +
             "\"FINDINGATTRIBUTION\".\"REFERENCE_URL\"," +
             "\"ANALYSIS\".\"STATE\"," +
+            "\"ANALYSIS\".\"DETAILS\"," +
             "\"ANALYSIS\".\"SUPPRESSED\" " +
             "FROM \"COMPONENT\" " +
             "INNER JOIN \"COMPONENTS_VULNERABILITIES\" ON (\"COMPONENT\".\"ID\" = \"COMPONENTS_VULNERABILITIES\".\"COMPONENT_ID\") " +
@@ -141,7 +142,8 @@ public Finding(UUID project, Object... o) {
         optValue(attribution, "referenceUrl", o[25]);
 
         optValue(analysis, "state", o[26]);
-        optValue(analysis, "isSuppressed", o[27], false);
+        //optValue(analysis, "details", o[27]); // CLOB - handle this in QueryManager
+        optValue(analysis, "isSuppressed", o[28], false);
     }
 
     public Map getComponent() {

src/main/java/org/dependencytrack/persistence/FindingsQueryManager.java

@@ -280,6 +280,10 @@ public List<Finding> getFindings(Project project, boolean includeSuppressed) {
                 // These are CLOB fields. Handle these here so that database-specific deserialization doesn't need to be performed (in Finding)
                 finding.getVulnerability().put("description", vulnerability.getDescription());
                 finding.getVulnerability().put("recommendation", vulnerability.getRecommendation());
+                if(analysis != null) {
+                    finding.getAnalysis().put("details", analysis.getAnalysisDetails());
+                    finding.getAnalysis().put("comments", analysis.getAnalysisComments());
+                }
                 final PackageURL purl = component.getPurl();
                 if (purl != null) {
                     final RepositoryType type = RepositoryType.resolve(purl);

src/test/java/org/dependencytrack/model/FindingTest.java

@@ -39,7 +39,7 @@ public class FindingTest extends PersistenceCapableTest {
     private Finding finding = new Finding(projectUuid, "component-uuid", "component-name", "component-group",
             "component-version", "component-purl", "component-cpe", "vuln-uuid", "vuln-source", "vuln-vulnId", "vuln-title",
             "vuln-subtitle", "vuln-description", "vuln-recommendation", Severity.HIGH, BigDecimal.valueOf(7.2), BigDecimal.valueOf(8.4), BigDecimal.valueOf(1.25), BigDecimal.valueOf(1.75), BigDecimal.valueOf(1.3),
-            "0.5", "0.9", null, AnalyzerIdentity.INTERNAL_ANALYZER, attributedOn, null, null, AnalysisState.NOT_AFFECTED, true);
+            "0.5", "0.9", null, AnalyzerIdentity.INTERNAL_ANALYZER, attributedOn, null, null, AnalysisState.NOT_AFFECTED,  "details-comment", true);
 
 
     @Before
@@ -80,6 +80,7 @@ public void testVulnerability() {
     public void testAnalysis() {
         Map map = finding.getAnalysis();
         Assert.assertEquals(AnalysisState.NOT_AFFECTED, map.get("state"));
+        Assert.assertEquals("details-comment", map.get("details"));
         Assert.assertEquals(true, map.get("isSuppressed"));
     }