Ensure all appropriate sources of vulnerability read information changes update the records

Why are we doing this work

Moving management of vulnerability read records to the application level means we are now responsible for identifying any locations that change information that should result in updating the vulnerability read record.

Each location that updates data that is denormalized into the vulnerability read will need to manually update the vulnerability read record to ensure the updated information is propagated.

This will be a bit of a challenge, as there are many tables that can influence the content of a vulnerability read record. At time of writing, the list of services that will need to broadcast this event are:

  • ee/app/services/security/findings/severity_override_service.rb
  • ee/app/services/vulnerabilities/base_service.rb
    • ee/app/services/vulnerabilities/create_issue_from_bulk_action_service.rb
    • ee/app/services/vulnerabilities/destroy_dismissal_feedback_service.rb
    • ee/app/services/vulnerabilities/dismiss_service.rb
  • ee/app/services/vulnerabilities/find_or_create_from_security_finding_service.rb
    • ee/app/services/security/findings/dismiss_service.rb
  • ee/app/services/vulnerabilities/removal/remove_from_project_service.rb
  • ee/app/services/vulnerabilities/security_finding/create_issue_service.rb
  • ee/app/services/vulnerabilities/security_finding/create_merge_request_service.rb
  • ee/app/services/vulnerabilities/auto_resolve_service.rb
  • ee/app/services/vulnerabilities/base_state_transition_service.rb
    • ee/app/services/vulnerabilities/confirm_service.rb
    • ee/app/services/vulnerabilities/resolve_service.rb
    • ee/app/services/vulnerabilities/revert_to_detected_service.rb
  • ee/app/services/vulnerabilities/bulk_dismiss_service.rb
  • ee/app/services/vulnerabilities/bulk_severity_override_service.rb
  • ee/app/services/vulnerabilities/create_service.rb
  • ee/app/services/vulnerabilities/create_service_base.rb
    • ee/app/services/vulnerabilities/manually_create_service.rb
    • ee/app/services/vulnerabilities/starboard_vulnerability_create_service.rb
  • ee/app/services/vulnerabilities/starboard_vulnerability_resolve_service.rb
  • ee/app/services/vulnerabilities/update_service.rb
  • ee/app/services/vulnerability_feedback/create_service.rb
  • ee/app/services/vulnerability_feedback_module/update_service.rb
  • ee/app/services/vulnerability_issue_links/bulk_create_service.rb
  • ee/app/services/vulnerability_issue_links/create_service.rb
  • ee/app/services/vulnerability_issue_links/delete_service.rb
  • ee/app/services/vulnerability_merge_request_links/create_service.rb
  • ee/app/services/sbom/create_vulnerabilities_service.rb
  • ee/app/services/security/ingestion/mark_as_resolved_service.rb

It's highly likely that this list is not exhaustive, but it is not trivial to identify all possible sources of data change that may result in a Vulnerability::Read needing to change.

Relevant links

Implementation plan

  1. Wrap all the appropriate change locations in the Vulnerabilities::ModificationWrapper so that the appropriate callbacks can be triggered when changes occur.
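To make the failure mode concrete, here is an added Ruby sketch (not GitLab's code) of the problem described under "Why are we doing this work" and of the wrapper approach in this plan: a source-of-truth record, a denormalized read record, a `with_read_sync` helper standing in for the hypothetical Vulnerabilities::ModificationWrapper, and a `stale_reads` audit that mechanises the check described under "Verification steps". All class and attribute names are assumptions chosen for the illustration.

```ruby
# Added illustration, not GitLab's code: an in-memory model of the
# application-level denormalization the issue describes. Vulnerability is the
# source of truth; VulnerabilityRead is the copy that dashboards query.
# `with_read_sync` stands in for the hypothetical Vulnerabilities::ModificationWrapper.
Vulnerability = Struct.new(:id, :severity, :state, :has_issues, keyword_init: true)
VulnerabilityRead = Struct.new(:vulnerability_id, :severity, :state, :has_issues, keyword_init: true)

# Attributes copied from the source record into the read record.
DENORMALIZED_ATTRS = %i[severity state has_issues].freeze

class ReadStore
  attr_reader :reads
  def initialize; @reads = {}; end

  # Rebuild the read record for a vulnerability from the source of truth.
  def refresh(vuln)
    @reads[vuln.id] = VulnerabilityRead.new(vulnerability_id: vuln.id, severity: vuln.severity,
                                            state: vuln.state, has_issues: vuln.has_issues)
  end

  # The wrapper every change location must go through: snapshot the denormalized
  # attributes, run the mutation, refresh the read only if one of them changed.
  def with_read_sync(vuln)
    before = DENORMALIZED_ATTRS.map { |a| vuln[a] }
    result = yield vuln
    refresh(vuln) if DENORMALIZED_ATTRS.map { |a| vuln[a] } != before
    result
  end

  # Verification helper: ids whose read record no longer matches its source.
  def stale_reads(vulns)
    vulns.select do |v|
      r = @reads[v.id]
      r.nil? || DENORMALIZED_ATTRS.any? { |a| r[a] != v[a] }
    end.map(&:id)
  end
end

# Constructed sample data: one change goes through the wrapper, one bypasses it.
def demo
  store = ReadStore.new
  v1 = Vulnerability.new(id: 1, severity: :low, state: :detected, has_issues: false)
  v2 = Vulnerability.new(id: 2, severity: :high, state: :detected, has_issues: false)
  [v1, v2].each { |v| store.refresh(v) }
  store.with_read_sync(v1) { |v| v.severity = :critical } # read record updated
  v2.state = :dismissed                                    # direct write: read record now stale
  [store, store.stale_reads([v1, v2])]
end
```

Running `demo` reports vulnerability 2 as stale, which is exactly the class of drift each service in the list above would introduce if it is not wrapped.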

Verification steps

Verifying this will be more than a little tedious, as we will need to find features associated with all the services listed in #why are we doing this work, use them, and then validate that the relevant vulnerability read has reflected the change that was made correctly.

Edited by Adrien Narinesingh