Support high performing CWE-78 and CWE-89 in vulnerability resolution

Proposal

The purpose of this issue is to add two new high performing CWEs to the list of vulnerability resolution CWEs, as discussed here:

CWE-89: SQL Injection

  • Accuracy: 100% (3 of 3 meaningful reviews)
  • All fixes were perfect/excellent
  • Some results affected by "single blank line" bug

CWE-78: Command Injection

  • Accuracy: 82% (7 of 7 meaningful reviews)
  • 4 perfect fixes, 1 very good, 2 partial mitigations

Implementation Plan

  1. Add CWE-89 and CWE-78 to the list of HIGH_CONFIDENCE_AI_RESOLUTION_CWES and update the corresponding test.

    See the following MRs for an example of how this was done in the past:

  2. Create a backfill migration to set vulnerability_reads.has_vulnerability_resolution for every record to true if the CWE ID is CWE-89 or CWE-78.

    See VR filtering: Backfill migration (#486530, closed; Michael Becker; 17.5) for an example of how this was implemented in the past.

  3. Add new CWEs to documentation !188789 (merged)
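The backfill described in step 2, as an added worked example in plain Ruby (not GitLab's own migration code): the constant and its two entries stand in for the real `HIGH_CONFIDENCE_AI_RESOLUTION_CWES` list, whose other members are not shown here, and the `VulnerabilityRead` struct and sample rows are constructed for the example. It shows the rule the migration must apply: flip `has_vulnerability_resolution` to true only for records carrying CWE-89 or CWE-78, tolerate identifier casing and whitespace, and leave already-true rows alone so a rerun is idempotent.

```ruby
# Hypothetical stand-in for the list the issue extends; the real constant's
# other entries are not shown on the page.
HIGH_CONFIDENCE_AI_RESOLUTION_CWES = %w[CWE-89 CWE-78].freeze

# Constructed row shape: a vulnerability_reads record together with the CWE
# identifier strings attached to the underlying vulnerability.
VulnerabilityRead = Struct.new(:id, :cwe_ids, :has_vulnerability_resolution)

# Normalise before comparing so "cwe-89" or " CWE-89 " still matches.
def high_confidence_cwe?(cwe_id)
  HIGH_CONFIDENCE_AI_RESOLUTION_CWES.include?(cwe_id.to_s.strip.upcase)
end

def resolution_eligible?(read)
  read.cwe_ids.any? { |cwe| high_confidence_cwe?(cwe) }
end

# Batched backfill: walks the rows in fixed-size batches (as a batched
# background migration would), sets the flag to true for eligible rows and
# never clears a flag that is already true. Returns the ids it changed.
def backfill_has_vulnerability_resolution(reads, batch_size: 2)
  changed = []
  reads.each_slice(batch_size) do |batch|
    batch.each do |read|
      next if read.has_vulnerability_resolution   # already set: idempotent
      next unless resolution_eligible?(read)      # wrong CWE or no CWE: skip
      read.has_vulnerability_resolution = true
      changed << read.id
    end
  end
  changed
end

# Constructed sample rows covering the cases the migration has to get right.
SAMPLE_READS = [
  VulnerabilityRead.new(1, ["CWE-89"], false),          # eligible
  VulnerabilityRead.new(2, ["CWE-79"], false),          # not in the list
  VulnerabilityRead.new(3, ["cwe-78", "CWE-20"], false), # eligible via CWE-78
  VulnerabilityRead.new(4, ["CWE-78"], true),           # already true
  VulnerabilityRead.new(5, [], false)                   # no identifiers
].freeze

puts backfill_has_vulnerability_resolution(SAMPLE_READS.map(&:dup)).inspect
```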

Verification Steps

  1. Test project https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples/-/security/vulnerability_report
    1. CWE-89 https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples/-/security/vulnerability_report/?identifier=CWE-89
    2. CWE-78 https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples/-/security/vulnerability_report/?identifier=CWE-78
Edited by Ugo Nnanna Okeadu