V2 API - Include endpoint to update SCA risk status

We are currently trying to write a CI/CD step that keeps our long life branches in sync with the main branch, so that when we sign off an issue in the main branch, the next time another long life branch builds, it will mirror the sign off status on the main branch.

There are currently endpoints to be able to do this for issues and security hotspots, but when it comes to licences and vulnerabilities, it looks like there isn’t the functionality.

It seems the V2 API has /sca/risk-reports which allows us to see the issues a branch has, but there is no POST endpoint to be able to change the status to keep it in sync.

As the cloud instance does not allow for the reference branch implementation, each time the team creates a new long life release branch, we are having to manually sign off all the licences we have accepted on the main branch each time, which is becoming a real pain point.

Those endpoints do exist; because they are subject to change they are not currently in the public API docs. We’re looking to fix that so API docs are available.

They are the same sca APIs as the server variants, which you can find by clicking ‘show internal’ on the WebAPI v2 docs at: SonarQube

In this case you’re looking for the issue-release APIs.

We’ve published an update to our cloud API docs. Example: https://api-docs.sonarsource.com/sonarqube-cloud/default/public-dependencyservice-v1-4#/Issues-Releases/transitionIssueRelease