Dismissed Findings should turn into Dismissed Vulnerabilities
Problem to solve
Currently, when a vulnerability is created from a vulnerability finding, it is opened with a state of detected. But when the vulnerability finding has already been dismissed on a feature branch before that branch is merged into the default branch, the vulnerability created for that finding should instead be created in the dismissed state.
Intended users
Further details
Detailed scenario
- There's an MR whose pipeline reports some vulnerability findings
- One of those Vulnerability::Occurrence records gets dismissed on the MR Security widget (see [1])
- The MR gets merged
- The default-branch pipeline still reports the same finding
- The vulnerability that gets created from that finding should have its state set to dismissed instead of detected
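The scenario above as a runnable model, added here as an example and not GitLab's own code. The Finding, Dismissal and Vulnerability structs, the DismissalStore and the sample findings are constructed for the example; it assumes that findings are matched across pipelines by a stable fingerprint, so a dismissal recorded on the MR pipeline can be found again when the default-branch pipeline reports the same finding.

```ruby
# Added example (not GitLab's implementation). It models the detailed scenario:
# findings reported on a merge-request pipeline, one of them dismissed, then the
# same findings reported again by the default-branch pipeline after the merge.
# ASSUMPTION: findings are matched across pipelines by a stable fingerprint.

Finding = Struct.new(:fingerprint, :ref, :name, keyword_init: true)
Dismissal = Struct.new(:fingerprint, :author, keyword_init: true)
Vulnerability = Struct.new(:fingerprint, :name, :state, :dismissed_by, keyword_init: true)

# Records dismissals keyed by finding fingerprint, so a dismissal made on a
# feature-branch pipeline is still visible when the default branch reports the
# same finding. Hypothetical store, not a GitLab model.
class DismissalStore
  def initialize
    @by_fingerprint = {}
  end

  def dismiss(finding, author:)
    @by_fingerprint[finding.fingerprint] =
      Dismissal.new(fingerprint: finding.fingerprint, author: author)
  end

  def lookup(finding)
    @by_fingerprint[finding.fingerprint]
  end
end

# The proposed rule: a vulnerability created from a finding starts as
# :dismissed when a dismissal already exists for that finding, otherwise as
# :detected. The dismissing user is carried over so the dashboards can show
# who made the decision (an assumption of this example).
def create_vulnerability(finding, dismissals)
  dismissal = dismissals.lookup(finding)
  Vulnerability.new(
    fingerprint: finding.fingerprint,
    name: finding.name,
    state: dismissal ? :dismissed : :detected,
    dismissed_by: dismissal&.author
  )
end

# Walks the detailed scenario with constructed sample findings and returns the
# vulnerabilities created from the default-branch pipeline.
def run_scenario
  dismissals = DismissalStore.new

  # Step 1: the MR pipeline reports two findings (constructed sample data).
  mr_findings = [
    Finding.new(fingerprint: 'fp-0001', ref: 'feature/add-login', name: 'Hardcoded credential'),
    Finding.new(fingerprint: 'fp-0002', ref: 'feature/add-login', name: 'SQL injection')
  ]

  # Step 2: the first finding is dismissed on the MR security widget.
  dismissals.dismiss(mr_findings[0], author: 'alice')

  # Steps 3 and 4: after the merge, the default-branch pipeline reports the
  # same findings again (same fingerprints, different ref).
  default_findings = mr_findings.map do |f|
    Finding.new(fingerprint: f.fingerprint, ref: 'master', name: f.name)
  end

  # Step 5: vulnerabilities are created from the default-branch findings.
  default_findings.map { |f| create_vulnerability(f, dismissals) }
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each do |v|
    suffix = v.dismissed_by ? " (dismissed by #{v.dismissed_by})" : ''
    puts "#{v.name}: #{v.state}#{suffix}"
  end
end
```

Running the script prints the first finding as dismissed (by alice) and the second as detected; a finding whose fingerprint changes between the MR pipeline and the default branch would not match the stored dismissal and would be created as detected, which is the case to watch for when choosing the matching key.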
Proposal
Permissions and Security
Topic for discussion. Should someone who can dismiss a finding also have the ability to set a vulnerability to dismissed, or are these separate permissions?
Documentation
Update the security dashboard documentation to reflect the new behavior. Call attention to the fact that dismissing a finding on the pipeline security dashboard creates a corresponding dismissed vulnerability on the project, group, and instance dashboards.
Availability & Testing
What does success look like, and how can we measure that?
Findings dismissed in a pipeline that later become vulnerabilities show up on the vulnerability dashboards with the dismissed state, rather than as detected.