Proposal: Automate the update of Vulnerability Resolution eligibility for High Confidence CWEs during scanning
Why are we doing this work
AI resolution is supported for a defined set of CWEs, as documented:
https://docs.gitlab.com/user/application_security/vulnerabilities/#supported-vulnerabilities-for-vulnerability-resolution
Currently, this support is implemented in two independent locations:
1. has_vulnerability_resolution (on vulnerability_reads)
- Used by the UI (e.g., security dashboard filters, vulnerability details sidebar)
- Populated via a one-time background migration
- Not updated during subsequent pipeline ingestions
- Becomes inaccurate when the CWE list changes
2. Hardcoded list in application logic
- Defined in `Vulnerabilities::Finding::HIGH_CONFIDENCE_AI_RESOLUTION_CWES`
- Used at pipeline time to evaluate AI eligibility
- Always current in code, but disconnected from the database field
This disconnect leads to inconsistent behavior between the ingestion layer and the UI.
For example, a vulnerability may be AI-eligible in the pipeline context but not appear as such in the UI, or vice versa.
Each time the CWE list changes, a new migration is required to update the flag, which is not scalable.
Why we update in FindOrCreateFromSecurityFindingService
FindOrCreateFromSecurityFindingService is responsible for ingesting and updating Vulnerability records from pipeline findings. It is invoked:
- When a finding is first processed into a vulnerability
- When an existing vulnerability is updated during re-ingestion
This service has access to the Vulnerability, its associated vulnerability_read, and the underlying Finding.
It is the appropriate place to evaluate AI resolution eligibility and update the has_vulnerability_resolution flag accordingly.
Benefits of updating the flag in this service
- Ensures the flag reflects the current CWE support list on every pipeline ingestion
- Handles both new and existing vulnerabilities
- Eliminates the need for periodic background migrations when the CWE list is updated
- Ensures consistency between pipeline-time behavior and what is rendered in the UI
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: -
Implementation plan
- backend: Refactor `FindOrCreateFromSecurityFindingService` to set `has_vulnerability_resolution` during ingestion based on the current High Confidence CWE list, using a centralized helper.
- backend: Update `Security::Ingestion::Tasks::IngestVulnerabilityReads::Update` to apply the same logic, ensuring consistent updates to `has_vulnerability_resolution` for all ingested findings.
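As an added illustration of the centralized helper and the ingestion-time update described in the service rationale and in the implementation plan above (this is example code, not GitLab's), the sketch below recomputes the flag from the current CWE list on every ingestion. The CWE values, the `Finding`/`VulnerabilityRead` stand-ins and the `sync_resolution_flag` name are constructed assumptions; the real list in `HIGH_CONFIDENCE_AI_RESOLUTION_CWES` is not reproduced here.

```ruby
# Added illustration (not GitLab's code): a centralized eligibility helper
# and an ingestion step that recomputes has_vulnerability_resolution from it,
# so the flag follows the current CWE list instead of a one-time migration.
# The CWE list and the record structs below are constructed for the example.
require 'set'

module AiResolutionEligibility
  # Stand-in for Vulnerabilities::Finding::HIGH_CONFIDENCE_AI_RESOLUTION_CWES;
  # the real list lives in application code and is not reproduced here.
  HIGH_CONFIDENCE_CWES = Set['CWE-79', 'CWE-89', 'CWE-22'].freeze # constructed sample

  # Normalizes "cwe-79", "CWE-79" and "79" to "CWE-79"; returns nil for non-CWE ids,
  # so a report that spells identifiers differently still matches the list.
  def self.normalize_cwe(external_type, external_id)
    return nil unless external_type.to_s.casecmp?('cwe')

    digits = external_id.to_s.match(/\A(?:cwe-)?(\d+)\z/i)&.captures&.first
    digits && "CWE-#{digits}"
  end

  # A finding is eligible when any of its identifiers is a supported CWE.
  def self.eligible?(identifiers)
    identifiers.any? do |id|
      cwe = normalize_cwe(id[:external_type], id[:external_id])
      cwe && HIGH_CONFIDENCE_CWES.include?(cwe)
    end
  end
end

# Minimal stand-ins for the Finding and vulnerability_read records (constructed).
Finding = Struct.new(:identifiers)
VulnerabilityRead = Struct.new(:has_vulnerability_resolution)

# What the ingestion service would do for both new and re-ingested vulnerabilities:
# recompute the flag and persist only when it actually changes.
# Returns true when the stored value was updated.
def sync_resolution_flag(vulnerability_read, finding)
  eligible = AiResolutionEligibility.eligible?(finding.identifiers)
  return false if vulnerability_read.has_vulnerability_resolution == eligible

  vulnerability_read.has_vulnerability_resolution = eligible
  true
end

if $PROGRAM_NAME == __FILE__
  read = VulnerabilityRead.new(false) # stale value left by the one-time migration
  finding = Finding.new([{ external_type: 'cwe', external_id: '79' }])
  puts sync_resolution_flag(read, finding) # true: flag flipped to eligible
end
```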