MR security widget shows vulnerabilities that can't be resolved with a suggestion
The MR security widget shows a list of security vulnerabilities introduced in the MR, but it also displays other vulnerabilities present in the project. In this example gitlab-org/govern/threat-insights-demos/verification-projects/cwe-tests!2 (closed) the changed file is cwe-23/ruby/cwe-23-fixed.rb but it shows findings for:
- cwe-330/javascript/cwe-330-vuln.js:2
- cwe-338/javascript/cwe-338-vuln.js:4
- cwe-327/python/cwe-327-vuln.py:4
- cwe-377/javascript/cwe-377-vuln.js:3
- and others...
What this means is that vulnerabilities can't be resolved with an MR suggestion if they are not part of the changed lines in cwe-23/ruby/cwe-23-fixed.rb.
So, given that, I think a couple of changes to the approach will be necessary:
- We will need a way to check the vulnerability file and line number to ensure it exists in the MR changes. If it does not, then we shouldn't show the Resolve Vulnerability button. @nmccorrison @sming-gitlab @dpisek @subashis @wandering_person
- For vulnerabilities that are not present in the MR but are supported CWEs, we could fall back on the current approach of creating a new MR. This would be out of scope for the current iteration but could be done later. @beckalippert @abellucci
The suggestions above are just some ideas, but let's discuss more in this issue.
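One way to implement the first check above (added example, not GitLab's own code): parse the MR's unified diff into the set of line numbers it adds per file, then only offer a suggestion for findings whose file:line falls in that set; everything else goes to the fallback bucket. The diff and the two cwe-23 findings are constructed, and the function and field names are assumptions.

```javascript
// Added example (not GitLab's own code): a finding can only be fixed with an
// MR suggestion if its file:line is among the lines the MR adds, so findings
// are checked against the MR's unified diff. Names here are assumptions.
function parseChangedLines(diffText) {
  // Returns Map<newPath, Set<lineNumber>> of lines added or modified by the MR.
  const changed = new Map();
  let file = null, newLine = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('--- ')) continue; // old-file header, precedes '+++ b/path'
    if (raw.startsWith('+++ ')) {
      file = raw.slice(4).replace(/^b\//, '');
      changed.set(file, new Set());
    } else if (raw.startsWith('@@ ')) {
      newLine = Number(/^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw)[1]);
    } else if (file !== null && raw.startsWith('+')) {
      changed.get(file).add(newLine);
      newLine += 1;
    } else if (file !== null && (raw.startsWith(' ') || raw === '')) {
      newLine += 1; // context line; '-' lines never advance newLine
    }
  }
  return changed;
}

function partitionFindings(findings, diffText) {
  const changed = parseChangedLines(diffText);
  const resolvable = []; // show the Resolve Vulnerability button
  const fallback = [];   // hide it; candidate for the create-a-new-MR flow
  for (const f of findings) {
    const lines = changed.get(f.file);
    (lines !== undefined && lines.has(f.line) ? resolvable : fallback).push(f);
  }
  return { resolvable, fallback };
}

// Constructed sample diff: only cwe-23/ruby/cwe-23-fixed.rb changes (adds line 2).
const SAMPLE_DIFF = [
  '--- a/cwe-23/ruby/cwe-23-fixed.rb',
  '+++ b/cwe-23/ruby/cwe-23-fixed.rb',
  '@@ -1,2 +1,3 @@',
  ' # line 1 (unchanged)',
  '+# line 2 (added by the MR)',
  ' # line 3 (unchanged)',
].join('\n');
const SAMPLE_FINDINGS = [ // first two constructed; the rest are from the issue
  { file: 'cwe-23/ruby/cwe-23-fixed.rb', line: 2 },
  { file: 'cwe-23/ruby/cwe-23-fixed.rb', line: 1 },
  { file: 'cwe-330/javascript/cwe-330-vuln.js', line: 2 },
  { file: 'cwe-327/python/cwe-327-vuln.py', line: 4 },
];
```

Note that a finding in a changed file but on an untouched line (the second constructed finding) is also not resolvable, since a suggestion can only be attached to lines in the diff.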