Vulnerability state changes to dismissed when an MR which has a security finding with an issue is merged

Summary

Vulnerability state changes to dismissed when an MR which has a security finding with an issue is merged

Steps to reproduce

  1. Create an MR with security findings in the pipeline (non-default branch).
  2. Create an issue from a finding in the pipeline security tab.
  3. Merge the MR, check for the default pipeline run.
  4. Check the status of the vulnerability in the vulnerability report.

Example Project

See #383817 (comment 1195768163)

What is the current bug behavior?

State of the vulnerability is dismissed.

What is the expected correct behavior?

Vulnerability state should still be detected.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Reproducible on GDK.

Possible fixes

Edited Dec 05, 2022 by Thiago Figueiró