Allow reverting a vulnerability back to detected state

Problem to solve

Today I set a vulnerability as Dismissed because the advisory lead me to believe it was a false positive. After digging for a more information I noticed that in fact it was not a false positive and it was the proposed "solution" that didn't have enough information. At this point, I would have liked to revert the finding back to Detected. I set it as Confirmed because it seemed like a better option than a False-False-Positive, but in reality I haven't had the time to validate it yet and explore how this bug might affect us.

Intended users

• Sam (Security Analyst)

User experience goal

It allows to rollback something that was done based on wrong information or simply to correct a user mistake.

Proposal

Add Detected as one of the status we can set in this combo box

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Implementation plan

• backend Create new service that will revert Vulnerability to detected state (and that will remove all dismissal feedback for related finding and create a system note),
• backend Add API (/vulnerabilities/:id/revert) (first iteration) and GraphQL API (second iteration) to execute that service,
• frontend Present information about when and where given vulnerability was detected (https://gitlab.com/gitlab-org/gitlab/blob/b4c262e1a076128770a3b33c380b91bc633abdc5/ee/app/assets/javascripts/vulnerabilities/components/footer.vue#L212): Already tracked in #222346 (closed)
• frontend Extend VULNERABILITY_STATE_OBJECTS (https://gitlab.com/gitlab-org/gitlab/blob/ff7a18920a6492bc73bcf2d5ce649443744bed61/ee/app/assets/javascripts/vulnerabilities/constants.js#L23) with options for reverting Vulnerability to detected state