REST API status code consistency: PATCH /vulnerabilities returns 201, DELETE /packages and /licenses return 200 #3774

@saiteja-in

Summary

The Resource Server currently returns non-standard HTTP status codes for three endpoints:

  • PATCH /resource/api/vulnerabilities/{externalId} returns 201 Created
  • DELETE /resource/api/packages/{id} returns 200 OK
  • DELETE /resource/api/licenses/{id} returns 200 OK

This is inconsistent with common REST semantics and expected API consumer behavior.

Current Behavior

  1. Updating an existing vulnerability via PATCH returns 201 Created.
  2. Deleting a package returns 200 OK.
  3. Deleting a license returns 200 OK.

Expected Behavior

  1. PATCH /resource/api/vulnerabilities/{externalId} should return 200 OK (or 204 No Content if response body is omitted).
  2. DELETE /resource/api/packages/{id} should return 204 No Content on successful deletion.
  3. DELETE /resource/api/licenses/{id} should return 204 No Content on successful deletion.

Reproduction

Using UI + browser Network tab:

  1. Update a vulnerability from Vulnerabilities UI and inspect PATCH /resource/api/vulnerabilities/{externalId}.
  2. Delete a package from Packages UI and inspect DELETE /resource/api/packages/{id}.
  3. Delete a license from Licenses UI and inspect DELETE /resource/api/licenses/{id}.

Proposed Fix

  • Return 200 OK for vulnerability update.
  • Return 204 No Content for successful package/license deletion.
  • Keep existing error/status behavior for conflict/denied cases unchanged.

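A contract check for the status codes listed under Expected Behavior, added here as an example; it is not part of the original report or the project's code. The capture line format, the sample IDs and the `audit` function name are assumptions made for illustration.

```python
import re

# Expected success codes per endpoint, taken from the issue's "Expected Behavior".
RULES = [
    ("PATCH",  re.compile(r"^/resource/api/vulnerabilities/[^/]+$"), {200, 204}),
    ("DELETE", re.compile(r"^/resource/api/packages/[^/]+$"),        {204}),
    ("DELETE", re.compile(r"^/resource/api/licenses/[^/]+$"),        {204}),
]

def audit(capture: str) -> list[str]:
    """Return one finding per successful response that breaks the contract.

    Each capture line is "<METHOD> <path> <status> <body-bytes>", a constructed
    format standing in for what the browser Network tab shows.
    """
    findings = []
    for lineno, line in enumerate(capture.strip().splitlines(), 1):
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            findings.append(f"line {lineno}: unparseable record")
            continue
        method, target = parts[0].upper(), parts[1]
        status, body_len = int(parts[2]), int(parts[3])
        path = target.split("?", 1)[0]  # ignore any query string
        if not 200 <= status < 300:
            continue  # conflict/denied/error responses stay unchanged per the issue
        for rule_method, pattern, allowed in RULES:
            if method == rule_method and pattern.match(path):
                if status not in allowed:
                    want = " or ".join(str(s) for s in sorted(allowed))
                    findings.append(f"line {lineno}: {method} {path} returned {status}, expected {want}")
                elif status == 204 and body_len:
                    findings.append(f"line {lineno}: {method} {path} returned 204 with a {body_len}-byte body")
                break
    return findings

# Constructed sample: the three responses the issue reports, then compliant
# ones, a 409 that must be left alone, and a 204 that wrongly carries a body.
SAMPLE = """
PATCH /resource/api/vulnerabilities/EXAMPLE-ID 201 412
DELETE /resource/api/packages/123 200 0
DELETE /resource/api/licenses/abc 200 0
PATCH /resource/api/vulnerabilities/EXAMPLE-ID 200 412
DELETE /resource/api/packages/123 204 0
DELETE /resource/api/licenses/abc 409 87
DELETE /resource/api/licenses/abc 204 15
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```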

Labels: bug