
Add commit link that removed vulnerability

Problem to solve

Today, we indicate when a vulnerability is no longer detected. However, we do not give users a way to see when or where the vulnerability was removed or resolved, which makes it very difficult to find the specific commit associated with its removal. Security teams want this information so they can easily verify whether the vulnerability was truly fixed or needs further remediation before they mark it as Resolved.

Solution

Provide a link to the commit that caused the vulnerability to be marked as no longer detected, and show this link in the activity timeline. From the commit, users can easily find the associated source pipeline or MR if that information is needed.

[image: mockup of the activity timeline with the commit link]

Verification Steps

  1. Go to this project
  2. Go to Secure > Vulnerability report. There should be one vulnerability found.
  3. Open the vulnerability and keep it open in a separate tab. The header and footer of the vulnerability should look like the attached screenshot.
  4. In your GDK, open the server.js file in the repository and change the line "const productId = req.params;" to "const productId = 1;".
  5. Commit and push the change.
  6. Once the pipeline has finished running, go back to the Vulnerability report page and change the Activity filter from "Still detected" to "No longer detected". The vulnerability should now be listed.
  7. Click on the vulnerability. It should look like the attached screenshot.
Edited by Charlie Kroon