Fix failing analysis updates

src/main/java/org/dependencytrack/model/Analysis.java

@@ -135,7 +135,7 @@ public class Analysis implements Serializable {
     @Persistent
     @Column(name = "VULNERABILITY_POLICY_ID", allowsNull = "true")
     @JsonIgnore
-    private VulnerabilityPolicy vulnerabilityPolicy;
+    private Long vulnerabilityPolicyId;
 
     public long getId() {
         return id;
@@ -270,11 +270,11 @@ public void setOwaspScore(BigDecimal owaspScore) {
         this.owaspScore = owaspScore;
     }
 
-    public VulnerabilityPolicy getVulnerabilityPolicy() {
-        return vulnerabilityPolicy;
+    public Long getVulnerabilityPolicyId() {
+        return vulnerabilityPolicyId;
     }
 
-    public void setVulnerabilityPolicy(VulnerabilityPolicy vulnerabilityPolicy) {
-        this.vulnerabilityPolicy = vulnerabilityPolicy;
+    public void setVulnerabilityPolicyId(Long vulnerabilityPolicyId) {
+        this.vulnerabilityPolicyId = vulnerabilityPolicyId;
     }
 }

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -614,6 +614,7 @@ public Project clone(UUID from, String newVersion, boolean includeTags, boolean
                     analysis.setAnalysisJustification(sourceAnalysis.getAnalysisJustification());
                     analysis.setAnalysisState(sourceAnalysis.getAnalysisState());
                     analysis.setAnalysisDetails(sourceAnalysis.getAnalysisDetails());
+                    analysis.setVulnerabilityPolicyId(sourceAnalysis.getVulnerabilityPolicyId());
                     analysis = persist(analysis);
                     if (sourceAnalysis.getAnalysisComments() != null) {
                         for (final AnalysisComment sourceComment : sourceAnalysis.getAnalysisComments()) {

src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java

@@ -34,11 +34,11 @@
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.common.ConfigKey;
 import org.dependencytrack.event.VulnerabilityPolicyFetchEvent;
-import org.dependencytrack.model.VulnerabilityPolicy;
 import org.dependencytrack.model.WorkflowState;
 import org.dependencytrack.model.WorkflowStatus;
 import org.dependencytrack.model.WorkflowStep;
 import org.dependencytrack.persistence.QueryManager;
+import org.dependencytrack.policy.vulnerability.VulnerabilityPolicy;
 import org.dependencytrack.policy.vulnerability.VulnerabilityPolicyProvider;
 import org.dependencytrack.policy.vulnerability.VulnerabilityPolicyProviderFactory;
 import org.dependencytrack.resources.v1.openapi.PaginatedApi;

src/main/resources/META-INF/persistence.xml

@@ -58,7 +58,6 @@
         <class>org.dependencytrack.model.VulnerableSoftware</class>
         <class>org.dependencytrack.model.WorkflowState</class>
         <class>org.dependencytrack.model.IntegrityAnalysis</class>
-        <class>org.dependencytrack.model.VulnerabilityPolicy</class>
         <class>org.dependencytrack.model.VulnerabilityPolicyBundle</class>
         <exclude-unlisted-classes>true</exclude-unlisted-classes>
     </persistence-unit>

src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java

@@ -1235,7 +1235,7 @@ public void analysisThroughPolicyResetOnNoMatchTest() {
                     assertThat(v.getVulnId()).isEqualTo("CVE-100");
                     assertThat(qm.getAnalysis(component, v)).satisfies(a -> {
                         assertThat(a.getAnalysisState()).isEqualTo(AnalysisState.NOT_SET);
-                        assertThat(a.getVulnerabilityPolicy()).isNull();
+                        assertThat(a.getVulnerabilityPolicyId()).isNull();
                         assertThat(a.getAnalysisComments()).extracting(AnalysisComment::getCommenter).containsOnly("[Policy{None}]");
                         assertThat(a.getAnalysisComments()).extracting(AnalysisComment::getComment).containsExactlyInAnyOrder(
                                 "No longer covered by any policy",
@@ -1267,7 +1267,7 @@ public void analysisThroughPolicyResetOnNoMatchTest() {
                         assertThat(a.getCvssV2Score()).isNull();
                         assertThat(a.getCvssV3Vector()).isNull();
                         assertThat(a.getCvssV3Score()).isNull();
-                        assertThat(a.getVulnerabilityPolicy()).isNull();
+                        assertThat(a.getVulnerabilityPolicyId()).isNull();
                         assertThat(a.getAnalysisComments()).isEmpty();
                     });
                 });

src/test/java/org/dependencytrack/persistence/jdbi/VulnerabilityPolicyDaoTest.java

@@ -369,7 +369,7 @@ public void testVulnerabilityPolicyIsUnassignedAndDeleted() throws Exception {
         assertThat(analysis.getAnalysisJustification()).isNull();
         assertThat(analysis.getAnalysisResponse()).isNull();
         assertThat(analysis.getAnalysisDetails()).isNull();
-        assertThat(analysis.getVulnerabilityPolicy()).isNull();
+        assertThat(analysis.getVulnerabilityPolicyId()).isNull();
         assertThat(analysis.getAnalysisComments()).extracting(AnalysisComment::getCommenter).containsOnly("[Policy{Name=name}]");
         assertThat(analysis.getAnalysisComments()).extracting(AnalysisComment::getComment).containsExactlyInAnyOrder(
                 "Policy removed",

src/test/java/org/dependencytrack/resources/v1/AnalysisResourceTest.java

@@ -31,11 +31,15 @@
 import org.dependencytrack.model.AnalysisJustification;
 import org.dependencytrack.model.AnalysisResponse;
 import org.dependencytrack.model.AnalysisState;
+import org.dependencytrack.model.AnalyzerIdentity;
 import org.dependencytrack.model.Component;
 import org.dependencytrack.model.Project;
 import org.dependencytrack.model.Severity;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.notification.NotificationConstants;
+import org.dependencytrack.persistence.jdbi.VulnerabilityPolicyDao;
+import org.dependencytrack.policy.vulnerability.VulnerabilityPolicy;
+import org.dependencytrack.policy.vulnerability.VulnerabilityPolicyAnalysis;
 import org.dependencytrack.proto.notification.v1.Notification;
 import org.dependencytrack.resources.v1.vo.AnalysisRequest;
 import org.dependencytrack.util.NotificationUtil;
@@ -55,6 +59,8 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.dependencytrack.assertion.Assertions.assertConditionWithTimeout;
+import static org.dependencytrack.persistence.jdbi.JdbiFactory.useJdbiHandle;
+import static org.dependencytrack.persistence.jdbi.JdbiFactory.withJdbiHandle;
 import static org.dependencytrack.proto.notification.v1.Group.GROUP_PROJECT_AUDIT_CHANGE;
 import static org.dependencytrack.proto.notification.v1.Level.LEVEL_INFORMATIONAL;
 import static org.dependencytrack.proto.notification.v1.Scope.SCOPE_PORTFOLIO;
@@ -767,4 +773,64 @@ public void updateAnalysisUnauthorizedTest() {
         assertThat(response.getHeaderString(TOTAL_COUNT_HEADER)).isNull();
     }
 
+    @Test
+    public void updateAnalysisWithAssociatedVulnerabilityPolicyTest() {
+        initializeWithPermissions(Permissions.VULNERABILITY_ANALYSIS);
+
+        final var project = new Project();
+        project.setName("acme-app");
+        qm.persist(project);
+
+        final var component = new Component();
+        component.setProject(project);
+        component.setName("acme-lib");
+        qm.persist(component);
+
+        final var vuln = new Vulnerability();
+        vuln.setVulnId("CVE-123");
+        vuln.setSource(Vulnerability.Source.NVD);
+        qm.persist(vuln);
+
+        qm.addVulnerability(vuln, component, AnalyzerIdentity.INTERNAL_ANALYZER);
+        final Analysis analysis = qm.makeAnalysis(component, vuln, AnalysisState.NOT_AFFECTED, null, null, null, true);
+
+        final VulnerabilityPolicy vulnPolicy = withJdbiHandle(handle -> {
+            final var policyAnalysis = new VulnerabilityPolicyAnalysis();
+            policyAnalysis.setState(VulnerabilityPolicyAnalysis.State.EXPLOITABLE);
+
+            final var policy = new VulnerabilityPolicy();
+            policy.setName("foo");
+            policy.setAnalysis(policyAnalysis);
+            policy.setConditions(List.of("true"));
+            return handle.attach(VulnerabilityPolicyDao.class).create(policy);
+        });
+
+        useJdbiHandle(handle -> handle.createUpdate("""
+                        WITH "VULN_POLICY" AS (
+                          SELECT "ID"
+                            FROM "VULNERABILITY_POLICY"
+                           WHERE "NAME" = :policyName
+                        )
+                        UPDATE "ANALYSIS"
+                           SET "VULNERABILITY_POLICY_ID" = (SELECT "ID" FROM "VULN_POLICY")
+                         WHERE "ID" = :analysisId
+                        """)
+                .bind("policyName", vulnPolicy.getName())
+                .bind("analysisId", analysis.getId())
+                .execute());
+
+        final Response response = jersey.target(V1_ANALYSIS)
+                .request()
+                .header(X_API_KEY, apiKey)
+                .put(Entity.entity("""
+                        {
+                          "project": "%s",
+                          "component": "%s",
+                          "vulnerability": "%s",
+                          "comment": "foo"
+                        }
+                        """.formatted(project.getUuid(), component.getUuid(), vuln.getUuid()), MediaType.APPLICATION_JSON));
+        assertThat(response.getStatus()).isEqualTo(200);
+    }
+
 }