BE: GraphQL enhancements for auto-dismissals in the Vulnerability report


Why are we doing this work

Any vulnerability that was auto-dismissed by a security policy should show up in the Vulnerability Report with a Dismissed status and an auto-dismissed icon in the activity column. The frontend needs this information from the GraphQL API, so the vulnerability type has to expose whether a dismissal was made by the project's security policy bot.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • To determine whether a vulnerability was auto-dismissed, check dismissed_by == project.security_policy_bot && state == 'DISMISSED'. Both conditions are needed: a vulnerability that a bot dismissed but that has since been reopened or confirmed must not be reported as auto-dismissed, and a dismissal by a human user must not be either.
  • Add a new field policy_auto_dismissed to ee/app/graphql/types/vulnerability_type.rb

Sample implementation (resolver method plus the predicate it calls, in ee/app/graphql/types/vulnerability_type.rb):

    def policy_auto_dismissed
      return false if Feature.disabled?(:auto_dismiss_vulnerability_policies, object.project)

      # Batch the bot lookup so that resolving this field for N vulnerabilities
      # issues one query for the security policy bots instead of N.
      BatchLoader::GraphQL.for(object).batch do |vulnerabilities, loader|
        project_ids = vulnerabilities.map(&:project_id).uniq
        security_policy_bot_ids = User.security_policy_bots_for_projects(project_ids).pluck_primary_key

        vulnerabilities.each do |vulnerability|
          loader.call(vulnerability, dismissed_by_policy?(vulnerability, security_policy_bot_ids))
        end
      end
    end

    private

    # Auto-dismissed only while the vulnerability is still dismissed and the
    # dismissing user is one of the security policy bots loaded for the batch.
    def dismissed_by_policy?(vulnerability, security_policy_bot_ids)
      vulnerability.dismissed? && security_policy_bot_ids.include?(vulnerability.dismissed_by_id)
    end
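The following is an added, stand-alone Ruby model of the check described in the implementation plan; it is not GitLab code. It replaces ActiveRecord, Feature and BatchLoader with in-memory stand-ins (the PolicyBot and Vulnerability structs, the flag_enabled_for lambda and the resolve method are all assumptions) so the decision logic and the one-query-per-batch behaviour can be run offline. It goes one step further than the sample above by keying bots by project, so a bot belonging to another project in the same batch does not match.

```ruby
# Added example, not GitLab code: a plain-Ruby model of the policy_auto_dismissed
# check, with one batched bot lookup per resolve call.
require 'set'

# Constructed stand-ins for the ActiveRecord models (hypothetical shapes).
PolicyBot = Struct.new(:id, :project_id, keyword_init: true)
Vulnerability = Struct.new(:id, :project_id, :state, :dismissed_by_id, keyword_init: true)

class PolicyAutoDismissResolver
  attr_reader :bot_lookups

  # bots:             all security policy bot users (an in-memory table)
  # flag_enabled_for: stand-in for Feature.enabled?(:auto_dismiss_vulnerability_policies, project)
  def initialize(bots:, flag_enabled_for: ->(_project_id) { true })
    @bots = bots
    @flag_enabled_for = flag_enabled_for
    @bot_lookups = 0 # counts bot queries, to show the batch avoids N+1
  end

  # Resolves the field for a whole batch, as BatchLoader::GraphQL would:
  # returns { vulnerability_id => true/false } after a single bot lookup.
  def resolve(vulnerabilities)
    project_ids = vulnerabilities.map(&:project_id).uniq
    bots_by_project = security_policy_bot_ids_by_project(project_ids)

    vulnerabilities.to_h do |vulnerability|
      [vulnerability.id, policy_auto_dismissed?(vulnerability, bots_by_project)]
    end
  end

  private

  # One lookup for every project in the batch (the User.security_policy_bots_for_projects
  # call in the plan), keyed by project so only the vulnerability's own bot matches.
  def security_policy_bot_ids_by_project(project_ids)
    @bot_lookups += 1
    @bots.select { |bot| project_ids.include?(bot.project_id) }
         .group_by(&:project_id)
         .transform_values { |bots| bots.map(&:id).to_set }
  end

  # dismissed_by == project.security_policy_bot && state == 'dismissed'
  # ('dismissed' is the model value; the GraphQL enum exposes it as DISMISSED)
  def policy_auto_dismissed?(vulnerability, bots_by_project)
    return false unless @flag_enabled_for.call(vulnerability.project_id)
    return false unless vulnerability.state == 'dismissed'

    bots_by_project.fetch(vulnerability.project_id, Set.new).include?(vulnerability.dismissed_by_id)
  end
end

# Constructed sample data covering the cases the check has to get right.
SAMPLE_BOTS = [PolicyBot.new(id: 100, project_id: 1), PolicyBot.new(id: 200, project_id: 2)].freeze
SAMPLE_VULNERABILITIES = [
  Vulnerability.new(id: 1, project_id: 1, state: 'dismissed', dismissed_by_id: 100), # dismissed by own bot
  Vulnerability.new(id: 2, project_id: 1, state: 'dismissed', dismissed_by_id: 7),   # dismissed by a human
  Vulnerability.new(id: 3, project_id: 1, state: 'confirmed', dismissed_by_id: 100), # bot dismissal later confirmed
  Vulnerability.new(id: 4, project_id: 1, state: 'dismissed', dismissed_by_id: 200), # another project's bot
  Vulnerability.new(id: 5, project_id: 2, state: 'dismissed', dismissed_by_id: 200)  # own bot, flag off for project 2
].freeze

# Runs the batch once; returns [results hash, number of bot lookups].
def sample_results(flag_disabled_projects: [2])
  resolver = PolicyAutoDismissResolver.new(
    bots: SAMPLE_BOTS,
    flag_enabled_for: ->(project_id) { !flag_disabled_projects.include?(project_id) }
  )
  [resolver.resolve(SAMPLE_VULNERABILITIES), resolver.bot_lookups]
end

if __FILE__ == $PROGRAM_NAME
  results, lookups = sample_results
  results.each { |id, value| puts "vulnerability #{id}: policy_auto_dismissed=#{value}" }
  puts "bot lookups for #{SAMPLE_VULNERABILITIES.size} vulnerabilities: #{lookups}"
end
```

Only vulnerability 1 resolves to true; the human dismissal, the confirmed vulnerability, the other project's bot and the project with the flag disabled all resolve to false, and the five vulnerabilities cost a single bot lookup. Enabling the flag for project 2 flips vulnerability 5 to true without any other change.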

Verification steps

Edited by 🤖 GitLab Bot 🤖