Enable database-driven availability for AI-assisted Vulnerability Resolution (VR)

Why are we doing this work

The visibility of AI-assisted vulnerability resolution (VR) on the Vulnerability Details page is currently based on a hardcoded list of CWE types.

We want to expose a new field, ai_resolution_enabled, in the vulnerability serialization layer (VulnerabilityEntity). This field will be computed using the ingested vulnerability_read data via the #ai_resolution_enabled? method. It will reflect the value of the has_vulnerability_resolution field populated during Secure pipeline ingestion.

By exposing this field in the serialized response, the frontend can determine VR availability using database-driven logic instead of relying on hardcoded values. This enables consistent behavior across surfaces such as the Vulnerability Details and Vulnerability Report pages.

Relevant links

Non-functional requirements

Implementation plan

  • backend: Update VulnerabilityEntity (ee/app/serializers/vulnerability_entity.rb) to include the new ai_resolution_enabled field.
  • backend: Compute the field using the #ai_resolution_enabled? method from the associated vulnerability_read record.

Note: The value may be nil if the vulnerability_read ingestion hasn't occurred. Consumers must treat nil as "unknown" and should not fall back to the old hardcoded list.
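
The nil handling described in the note, as an added plain-Ruby example that is not GitLab's code: it shows the serialized field keeping nil and a consumer mapping it to an explicit "unknown" state instead of a truthiness check. The Structs, serialize_vulnerability and vr_availability are hypothetical stand-ins, and it assumes #ai_resolution_enabled? returns the has_vulnerability_resolution value directly.

```ruby
# Added illustration in plain Ruby; the Structs are stand-ins, not GitLab's models.
require 'json'

# Stand-in for the ingested vulnerability_read row (hypothetical shape).
VulnerabilityRead = Struct.new(:has_vulnerability_resolution) do
  # Assumption: the method reflects the ingested column as-is.
  def ai_resolution_enabled?
    has_vulnerability_resolution
  end
end

# Stand-in for a vulnerability; vulnerability_read is nil before ingestion.
Vulnerability = Struct.new(:id, :cwe, :vulnerability_read)

# Serializer side: expose the tri-state value without coercing nil to false.
def serialize_vulnerability(vulnerability)
  {
    id: vulnerability.id,
    # Safe navigation keeps nil when no vulnerability_read exists yet.
    ai_resolution_enabled: vulnerability.vulnerability_read&.ai_resolution_enabled?
  }
end

# Consumer side: map the serialized field to an explicit state.
# A plain truthiness check would merge nil ("unknown") with false.
def vr_availability(payload)
  case payload[:ai_resolution_enabled]
  when true  then :available
  when false then :unavailable
  else            :unknown # no fallback to a hardcoded CWE list
  end
end

# Constructed sample records.
SAMPLES = [
  Vulnerability.new(1, 'CWE-78', VulnerabilityRead.new(true)),
  Vulnerability.new(2, 'CWE-89', VulnerabilityRead.new(false)),
  Vulnerability.new(3, 'CWE-78', nil) # pipeline has not ingested this one
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |v|
    payload = serialize_vulnerability(v)
    puts "#{payload.to_json} => #{vr_availability(payload)}"
  end
end
```

The third record serializes with a JSON null, which a JavaScript consumer must also distinguish from false.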

Verification steps

  1. Import or use an existing test project (e.g. cwe-78-cwe-89-tests).
  2. Run a Secure pipeline to populate vulnerability_read entries.
  3. Confirm that VR is available on the Vulnerability Details page.
Edited by Ugo Nnanna Okeadu