
Manually Created Vulnerabilities should require manual resolution

Summary

It appears that manually created vulnerabilities may be automatically marked as resolved when a scan of the same scan type runs. This can be seen in StoreReportService, where all vulnerabilities of the given report type that are not present in a newly stored report are marked as resolved.

It's not clear at this time whether the new ingestion service is also susceptible, but this should be looked into further.

Steps to reproduce

Not yet reproduced; based on code reading only.

Example Project

What is the current bug behavior?

Manually created vulnerabilities are automatically resolved when a scan of the same type is run.

What is the expected correct behavior?

Manually created vulnerabilities should always require manual resolution.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Possible fixes

A quick fix would be to include a similar condition as REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION to exclude manual vulnerabilities, assuming there's a way to uniquely identify them.
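The following is an added illustration, not GitLab's code, of the auto-resolution step described in the Summary and of the quick fix suggested above. It models the "mark missing findings as resolved" logic with a small in-memory structure; the constant REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION and its member here are constructed stand-ins (the real list lives in StoreReportService), and it assumes that manually created vulnerabilities can be identified by their report type (modelled here as :generic, which is an assumption). The fixed variant simply adds that type to the set of report types that are never auto-resolved.

```ruby
require 'set'

# Constructed stand-in for the exclusion list referenced in the issue; the
# real constant and its members live in GitLab's StoreReportService.
REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION = Set[:cluster_image_scanning].freeze

# Assumption for this example: manually created vulnerabilities are stored
# with the :generic report type and can be told apart by it.
MANUAL_REPORT_TYPES = Set[:generic].freeze

Vulnerability = Struct.new(:id, :report_type, :fingerprint, :state, keyword_init: true)

# Shared step: every unresolved vulnerability of the scanned report type whose
# fingerprint is absent from the new report is marked resolved. Returns the
# ids that were resolved so callers (and tests) can inspect the outcome.
def resolve_missing(vulnerabilities, report_type, report_fingerprints)
  stale = vulnerabilities.select do |v|
    v.report_type == report_type &&
      v.state != :resolved &&
      !report_fingerprints.include?(v.fingerprint)
  end
  stale.each { |v| v.state = :resolved }
  stale.map(&:id)
end

# Current behaviour as described in the issue: only report types listed in
# REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION are skipped, so a scan of the same
# type as a manually created vulnerability silently resolves it.
def auto_resolve_current(vulnerabilities, report_type, report_fingerprints)
  return [] if REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION.include?(report_type)

  resolve_missing(vulnerabilities, report_type, report_fingerprints)
end

# Proposed fix: additionally skip the report type used for manually created
# vulnerabilities, so they always require manual resolution.
def auto_resolve_fixed(vulnerabilities, report_type, report_fingerprints)
  return [] if REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION.include?(report_type)
  return [] if MANUAL_REPORT_TYPES.include?(report_type)

  resolve_missing(vulnerabilities, report_type, report_fingerprints)
end

# Constructed sample data: two manually created findings and one SAST finding.
def sample_vulnerabilities
  [
    Vulnerability.new(id: 1, report_type: :generic, fingerprint: 'manual-a', state: :detected),
    Vulnerability.new(id: 2, report_type: :generic, fingerprint: 'manual-b', state: :detected),
    Vulnerability.new(id: 3, report_type: :sast, fingerprint: 'sast-x', state: :detected)
  ]
end

if __FILE__ == $PROGRAM_NAME
  # A new :generic report that only contains 'manual-a': the current logic
  # resolves id 2, the fixed logic leaves both manual findings untouched.
  p auto_resolve_current(sample_vulnerabilities, :generic, Set['manual-a'])
  p auto_resolve_fixed(sample_vulnerabilities, :generic, Set['manual-a'])
  # A SAST report with no findings still auto-resolves the SAST vulnerability.
  p auto_resolve_fixed(sample_vulnerabilities, :sast, Set[])
end
```

The fixed variant keeps auto-resolution intact for scanner-produced report types; only the type reserved for manual entries is excluded, which matches the scope of the quick fix proposed above.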

Implementation Plan

  • backend Include a similar condition as REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION to exclude generic vulnerabilities (see Lucas's patch below)
Edited by Jonathan Schafer