[backend] Auto-resolve vulnerabilities using vulnerability management policy

Why are we doing this work

When a vulnerability is resolved through a vulnerability management policy, there should be a state transition with an "auto-resolve bot" as the actor of that state transition. This ensures that the discussions on the vulnerability details page contain an entry that reflects the change of state to resolved and highlights that it was caused by the auto-resolve mechanism.

Relevant links

Design


Non-functional requirements

  • Documentation:
  • Feature flag: vulnerability_management_policy_type
  • Performance:
  • Testing: unit tests

Implementation plan

In https://gitlab.com/gitlab-org/gitlab/blob/5714638c84e7802f6517e16016acb6e3d0e842e6/ee/app/services/security/ingestion/ingest_reports_service.rb#L18 we can add a step that:

  1. Returns early if the project doesn't have any auto-resolve policies
  2. to_autoresolve = Vulnerability.id_in(resolved_on_default_branch_ids).limit(MAX_BATCH_SIZE), where MAX_BATCH_SIZE is 100
  3. Selects all vulnerabilities matching the policy (e.g. auto-resolve all SAST findings with severity Low or Medium)
  4. Resolves them using BulkResolveService, making sure to use the Security Policy Bot as the actor for the StateTransition
  5. Sets auto_resolved = true on the resolved vulnerabilities
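The five steps above as an added plain-Ruby sketch; this is not GitLab's own code. The Vulnerability and Policy structs, the SECURITY_POLICY_BOT constant and the in-memory transition record are constructed stand-ins for the real ActiveRecord models, BulkResolveService and StateTransition.

```ruby
# Constructed stand-ins (assumptions) for the real models and services.
MAX_BATCH_SIZE = 100
Vulnerability = Struct.new(:id, :report_type, :severity, :state, :auto_resolved, :transitions)
Policy = Struct.new(:report_types, :severities)
SECURITY_POLICY_BOT = :security_policy_bot # stand-in for the bot user actor

# Step 3: a vulnerability matches when any policy covers its report type and severity.
def matches_policy?(vuln, policies)
  policies.any? do |policy|
    policy.report_types.include?(vuln.report_type) && policy.severities.include?(vuln.severity)
  end
end

# Steps 1-5 in order. `vulns` is an id => Vulnerability store and `resolved_ids`
# plays the role of resolved_on_default_branch_ids. Returns the ids it resolved.
def auto_resolve(vulns, resolved_ids, policies)
  return [] if policies.empty?                                            # step 1
  to_autoresolve = resolved_ids.first(MAX_BATCH_SIZE).map { |id| vulns[id] }.compact # step 2
  matching = to_autoresolve.select do |v|                                 # step 3
    v.state != :resolved && matches_policy?(v, policies)
  end
  matching.each do |v|                                                    # step 4
    v.transitions << { from: v.state, to: :resolved, author: SECURITY_POLICY_BOT }
    v.state = :resolved
    v.auto_resolved = true                                                # step 5
  end
  matching.map(&:id)
end

# Constructed sample data: only 1 and 2 match a "SAST, Low or Medium" policy;
# 3 has the wrong severity, 4 the wrong report type, 5 is already resolved.
def build_sample_vulnerabilities
  {
    1 => Vulnerability.new(1, :sast, :low, :detected, false, []),
    2 => Vulnerability.new(2, :sast, :medium, :detected, false, []),
    3 => Vulnerability.new(3, :sast, :high, :detected, false, []),
    4 => Vulnerability.new(4, :dast, :low, :detected, false, []),
    5 => Vulnerability.new(5, :sast, :low, :resolved, false, [])
  }
end
```

Note that, as in step 2, the batch limit is applied before the policy filter, so non-matching vulnerabilities in the first 100 ids still consume batch slots.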

Verification steps

Edited by Michał Zając