Unable to create issues for pipeline security findings which do not exist on the default branch

Context

When viewing pipeline security findings, which don't exist on the default branch, the "Create Issue" button does not render.

expected actual
Screenshot_2023-10-20_at_9.53.00_am Screenshot_2023-10-20_at_9.52.22_am

Additional info

Example

https://staging.gitlab.com/govern-team-test/verify-413516/-/pipelines/17276386/security?reportType=CONTAINER_SCANNING

How to reproduce

  1. Import the security-reports example project and Do not run pipeline on master yet!
  2. Comment all bug 1 scanners in .gitlab-ci.yml (leave one uncommented otherwise the CI file is invalid) and commit and push this to master/main
  3. Uncomment the scanners in .gitlab-ci.yml, commit and push to a new branch and create an MR
  4. Run a pipeline for the MR and then go to the "Security" tab on that pipeline
  5. Dismiss a finding from a scanner that is added in the MR

Cause

There is a check in the UI, which makes sure the current user has the right permissions to create an issue:

https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/assets/javascripts/security_dashboard/components/pipeline/vulnerability_finding_modal.vue#L182

The permissions are coming from the vulnerability that is attached to the finding (GraphQL type: PipelineSecurityReportFinding).

For new findings, which don't exist on the default branch yet, there is no vulnerability, so the check fails and the "Create Issue" button does not show up.

Possible solutions

As we only have a finding, we can't use the userPermissions on the vulnerability of that Finding. We could add a userPermissions object on PipelineSecurityReportFinding which would contain a field canCreateIssue, similar to the canCreateVulnerabilityFeedback we're using now. We seem to be using the userPermissions pattern on different kind of resources in GitLab.

Edited by Lorenz van Herwaarden