Vulnerabilities are incorrectly marked as resolved in master

Summary

Some vulnerabilities are marked as resolved in master, whereas the code hasn't changed at all.

Steps to reproduce

Example: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/2333417 will appear as resolved on the default branch if:

  1. The vulnerability scanner didn't find the vulnerability OR
  2. The vulnerability scanner didn't run at all in the latest successful pipeline for the default branch (see https://gitlab.com/gitlab-org/gitlab/-/pipelines/159684155 for an example of that happening)

Example Project

https://gitlab.com/gitlab-org/gitlab/-/security/dashboard

What is the current bug behavior?

https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/1727730 is dismissed, but the code is still there, so the message is confusing. The Location is https://gitlab.com/gitlab-org/gitlab/-/blob/4523cbbb2a92ceb16d538019748e69fcd1eef4ee/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml#L17 and this is the current master: https://gitlab.com/gitlab-org/gitlab/-/blob/363181391313446cafcf1ff8fb2fc5545c09aaf2/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml#L17

What is the expected correct behavior?

No banner.

Relevant logs and/or screenshots

[Screenshot: Screenshot_2020-05-15_15.25.02]

Output of checks

This bug happens on GitLab.com

Implementation plan

Make sure that Vulnerability#resolved_on_default_branch checks that the latest pipeline actually ran the job that produced the Vulnerability.

A naive approach would be to select the latest successful pipeline that has a Ci::Build#name matching the Vulnerability#report_type, and only treat the vulnerability as resolved if that job ran and did not report it.
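To make the two behaviours concrete, here is an added illustration in plain Ruby (not GitLab's code; the structs, the `findings` field, the job names and the sample pipelines are all constructed). It contrasts the current logic, where "no finding in the latest pipeline" is treated as "resolved", with the check proposed above, which first looks for a successful build whose name matches the report type and returns false when no such scanner job ran:

```ruby
# Added example (not GitLab's code): a minimal model of the check proposed in the
# implementation plan. Field names, job names and sample data are constructed.

Build = Struct.new(:name, :status, :findings, keyword_init: true)
Pipeline = Struct.new(:id, :ref, :status, :builds, keyword_init: true)
Vulnerability = Struct.new(:fingerprint, :report_type, keyword_init: true)

# Latest successful pipeline on the default branch (pipelines assumed in creation order).
def latest_successful_default_pipeline(pipelines, default_branch: 'master')
  pipelines.reverse.find { |p| p.ref == default_branch && p.status == 'success' }
end

# The naive job lookup from the issue: a build whose name matches the report_type
# (e.g. report_type "sast" matches a job named "brakeman-sast"). Real job names vary,
# so this substring match is only the heuristic the issue proposes.
def scanner_job_for(pipeline, vulnerability)
  pipeline.builds.find { |b| b.name.include?(vulnerability.report_type) }
end

# Current (buggy) behaviour: "the latest pipeline did not report this finding" is
# treated as "resolved", even when no scanner job produced a report at all.
def naive_resolved_on_default_branch?(vulnerability, pipelines, default_branch: 'master')
  pipeline = latest_successful_default_pipeline(pipelines, default_branch: default_branch)
  return false unless pipeline

  reported = pipeline.builds.flat_map(&:findings)
  !reported.include?(vulnerability.fingerprint)
end

# Proposed behaviour: only claim "resolved" when the scanner job for this report
# type actually ran successfully in that pipeline and did not report the finding.
def resolved_on_default_branch?(vulnerability, pipelines, default_branch: 'master')
  pipeline = latest_successful_default_pipeline(pipelines, default_branch: default_branch)
  return false unless pipeline

  job = scanner_job_for(pipeline, vulnerability)
  return false unless job && job.status == 'success' # no evidence either way

  !job.findings.include?(vulnerability.fingerprint)
end

# Constructed sample data.
SAST_FINDING = Vulnerability.new(fingerprint: 'abc123', report_type: 'sast')

PIPELINES = [
  # Scanner ran and reported the finding.
  Pipeline.new(id: 1, ref: 'master', status: 'success', builds: [
    Build.new(name: 'rspec', status: 'success', findings: []),
    Build.new(name: 'brakeman-sast', status: 'success', findings: ['abc123'])
  ]),
  # Scanner job did not run (the situation in the linked pipeline).
  Pipeline.new(id: 2, ref: 'master', status: 'success', builds: [
    Build.new(name: 'rspec', status: 'success', findings: [])
  ])
].freeze

# Same history plus a later pipeline in which the scanner ran and found nothing.
PIPELINES_WITH_FIX = (PIPELINES + [
  Pipeline.new(id: 3, ref: 'master', status: 'success', builds: [
    Build.new(name: 'brakeman-sast', status: 'success', findings: [])
  ])
]).freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{naive_resolved_on_default_branch?(SAST_FINDING, PIPELINES)}"          # true (wrong)
  puts "proposed: #{resolved_on_default_branch?(SAST_FINDING, PIPELINES)}"             # false
  puts "after scanner re-ran: #{resolved_on_default_branch?(SAST_FINDING, PIPELINES_WITH_FIX)}" # true
end
```

The point of the `return false unless job && job.status == 'success'` line is that absence of a report is not evidence of a fix; the same guard covers a scanner job that was skipped, cancelled or failed with `allow_failure`.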

/cc @thiagocsf @matt_wilson

Edited by Michał Zając