Resetting a vulnerability from `dismissed` to `detected` does not reset dismissal feedback in the `vulnerability_read`
When a vulnerability is reset to detected we destroy the dismissal feedback via `destroy_dismissal_feedback_service.rb`, called from `revert_to_detected_service.rb`. However, these services do not update the `vulnerability_read` associated with the vulnerability. This means in the following situation:
- dismiss a vulnerability with a dismissal reason (e.g. `false positive`)
- use the UI to reset the vulnerability back to detected
We will be left with a situation where `vulnerability.dismissed?` will return false, while at the same time `vulnerability.vulnerability_read.dismissal_reason` will still return `false positive`.

When we reset a vulnerability to detected, we should probably nullify the dismissal-related fields in the associated `vulnerability_read`.
On staging, there are not that many rows in this state:
implementation plan

- #437815 (closed) | Correct the logic by mirroring the `vulnerability_read` logic from the dismissal service
- #437816 | Create a batched background migration to update the existing rows. Something like:
```ruby
# in_batches yields relations, so update_all works per batch
# (find_each yields single records, which have no update_all).
Vulnerabilities::Read
  .where(state: :detected)
  .where.not(dismissal_reason: nil)
  .in_batches { |batch| batch.update_all(dismissal_reason: nil) }
```
I think we can do 1 quickly; 2 is not so urgent.
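A plain-Ruby model of the two code paths described above, added here as an example (it is not GitLab's code): the revert that leaves `vulnerability_read.dismissal_reason` behind beside the corrected one that mirrors the dismissal service, plus the predicate the proposed migration selects on. The `VulnerabilityRead` fields and the assumption that its `state` is already kept in sync on revert are constructed for the example.

```ruby
# Added example, not GitLab code: a plain-Ruby stand-in for the Vulnerability
# and VulnerabilityRead models named in the issue. Assumed: the read row's
# state is already kept in sync on revert; only dismissal_reason is not.
VulnerabilityRead = Struct.new(:state, :dismissal_reason, keyword_init: true)

class Vulnerability
  attr_reader :state, :dismissal_feedback, :vulnerability_read

  def initialize
    @state = :detected
    @dismissal_feedback = nil
    @vulnerability_read = VulnerabilityRead.new(state: :detected, dismissal_reason: nil)
  end

  def dismissed?
    @state == :dismissed
  end

  # The dismissal service writes the reason both as feedback on the
  # vulnerability and onto its read-model row.
  def dismiss!(reason:)
    @state = :dismissed
    @dismissal_feedback = { dismissal_reason: reason }
    @vulnerability_read.state = :dismissed
    @vulnerability_read.dismissal_reason = reason
  end

  # Revert as described in the issue: feedback is destroyed, but the read
  # row keeps its dismissal_reason, so the two models disagree.
  def revert_to_detected_without_read_update!
    @state = :detected
    @dismissal_feedback = nil
    @vulnerability_read.state = :detected
  end

  # Corrected revert: mirror the read-model write the dismissal service does.
  def revert_to_detected!
    revert_to_detected_without_read_update!
    @vulnerability_read.dismissal_reason = nil
  end
end

# Same predicate as the proposed migration's WHERE clause: a read row that
# is detected yet still carries a dismissal reason is inconsistent.
def inconsistent_reads(reads)
  reads.select { |r| r.state == :detected && !r.dismissal_reason.nil? }
end
```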
Edited by Michael Becker