
Filter vulnerabilities dismissed by security policies

What does this MR do and why?

This MR adds a new argument to vulnerabilities_resolver to filter the vulnerabilities dismissed by security policies.

References

Related to: #561739, #549786

Screenshots or screen recordings


How to set up and validate locally

Elasticsearch Setup

  1. Enable Elasticsearch in GDK
gdk config set elasticsearch.enabled true
gdk reconfigure
gdk start elasticsearch

Simulate SAAS mode

  1. Add export GITLAB_SIMULATE_SAAS=1 to env.runit
  2. Restart GDK
gdk kill && gdk start

Advanced Search Setup

  1. Enable the advanced_vulnerability_management feature flag
Feature.enable(:advanced_vulnerability_management)

Follow the steps at https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/elasticsearch.md#setup

Dismiss a security finding blocked by a security policy

  1. Import the security-reports project.
  2. Run a new pipeline on the default branch to create vulnerabilities.
  3. Go to Secure > Policies and create a Merge Request Approval policy.
  4. Create an MR editing the README file.
  5. Create a Security::PolicyDismissal record to simulate a bypassed/dismissed policy:
Security::PolicyDismissal.create(project: Project.second_to_last, merge_request: MergeRequest.last, security_policy: Security::Policy.last, user: User.first, dismissal_reason: 0, security_findings_uuids: ["84c1832e-294d-59f0-b3ff-b4414cc86c70"])
  6. Go to /-/graphql-explorer
  7. Query the vulnerabilities by securityPolicyBypassReason:
{
  project(fullPath: "root/security-reports") {
    vulnerabilities(securityPolicyBypassReason: DISMISSED_IN_MR) {
      nodes {
        description
        uuid
      }
    }
  }
}
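One way to check the result of the last step programmatically, as an added example that is not part of this MR: it sends the same query to the GDK GraphQL endpoint and compares the returned uuids with the security_findings_uuids placed in the Security::PolicyDismissal record. The endpoint URL, the GITLAB_TOKEN environment variable, and the assumption that a vulnerability's uuid matches its finding uuid in the dismissal record are mine.

```python
"""Validate the securityPolicyBypassReason filter against a local GDK."""
import json
import os
import urllib.request


def build_query(full_path: str, reason: str = "DISMISSED_IN_MR") -> str:
    """The query from the MR description, parameterised on project and reason."""
    return (
        "{ project(fullPath: %s) { vulnerabilities(securityPolicyBypassReason: %s) "
        "{ nodes { description uuid } } } }" % (json.dumps(full_path), reason)
    )


def returned_uuids(response: dict) -> set:
    """Extract the vulnerability uuids from a GraphQL response payload."""
    if response.get("errors"):
        raise RuntimeError(response["errors"])
    project = (response.get("data") or {}).get("project") or {}
    nodes = (project.get("vulnerabilities") or {}).get("nodes") or []
    return {node["uuid"] for node in nodes}


def check_filter(response: dict, dismissed_uuids: set) -> dict:
    """Compare the filtered result with the uuids in the PolicyDismissal record.

    Assumes a vulnerability's uuid equals the finding uuid in the record; an
    exact match means the filter neither drops nor leaks vulnerabilities."""
    got = returned_uuids(response)
    return {"missing": dismissed_uuids - got, "unexpected": got - dismissed_uuids}


def run_against_gdk(full_path: str, dismissed_uuids: set,
                    url: str = "http://gdk.test:3000/api/graphql") -> dict:
    """POST the query to GDK (assumed URL) using a read_api token from the env."""
    token = os.environ["GITLAB_TOKEN"]  # assumed variable name
    body = json.dumps({"query": build_query(full_path)}).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return check_filter(json.load(resp), dismissed_uuids)


if __name__ == "__main__":
    # Same project path and finding uuid as in the setup steps above.
    print(run_against_gdk("root/security-reports",
                          {"84c1832e-294d-59f0-b3ff-b4414cc86c70"}))
```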

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
