Vulnerabilities are created as confidential by default - backstage
### Problem to solve

The [backstage implementation of the First-class Vulnerabilities](#10242) has introduced the Vulnerability entity. The [MVC Standalone Vulnerability objects](#13561) will provide the frontend representation for these objects. But currently, they are created as objects visible to anyone.

### Intended users

* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Proposal

According to [engineering discovery](https://gitlab.com/gitlab-org/gitlab/issues/10252#interactions), Vulnerabilities should be created confidential by default. Confidential Vulnerabilities should work in the same way as [Confidential Issues](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html#confidential-issues) from the UX and permissions perspective.

### Permissions and Security

Copy the confidential Issues permissions model to Vulnerabilities.

### Documentation

- [-] ~~Update the `Vulnerabilities user docs page`~~ this is not required; it's enough to update the [Permissions page stub](!17364), which [has already been done](https://gitlab.com/gitlab-org/gitlab/merge_requests/17364/diffs?commit_id=765eb4f443d7d346ad45193ee2e33173cb624509).
- [-] ~~Update the `Create a Vulnerability from Finding API docs entry`~~ the same.

### Testing

See [the development log](#development-log).

### What does success look like, and how can we measure that?

GitLab users won't have the vulnerability information for their projects disclosed.

### What is the type of buyer?

~"GitLab Ultimate"

### Links / references

### Development log

#### Status

- [x] Introduce new permission `read_vulnerability` for `read` operations on Vulnerabilities as an alias for the `read_project_security_dashboard` ability
- [-] ~~Implement the `VulnerabilityPolicy` rules for confidentiality similarly to `IssuePolicy` and use the `read_vulnerability` ability as a prerequisite for all checks~~ There's no need for a separate `VulnerabilityPolicy`; everything can be decided in `EE::ProjectPolicy`
- [ ] Add new tests
  - [x] New access tests for the `GET /projects/:id/vulnerabilities` endpoint
  - [ ] New access tests for `create_vulnerability`
    - [ ] First, wait for !18283 to be merged
    - [ ] `Vulnerabilities::CreateService`
    - [ ] `POST /projects/:id/vulnerabilities` endpoint
  - [x] New access tests for `resolve_vulnerability`
    - [x] `Vulnerabilities::ResolveService`
    - [x] `POST /vulnerabilities/:id/resolve` endpoint
  - [x] New access tests for `dismiss_vulnerability`
    - [x] `Vulnerabilities::DismissService`
    - [x] `POST /vulnerabilities/:id/dismiss` endpoint

#### Decisions

- Vulnerabilities are confidential but [the minimum access level required is `Developer`](https://gitlab.com/gitlab-org/gitlab/issues/34430#note_237246914)
- There's no need for a separate `VulnerabilityPolicy`; everything can be decided in `EE::ProjectPolicy`
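As an added illustration of the decisions above (this is a simplified stand-in written for this page, not GitLab's `EE::ProjectPolicy` or its DeclarativePolicy DSL): `read_vulnerability` resolves to `read_project_security_dashboard`, project visibility never widens access, and Developer is the floor for reads as stated; modelling the write abilities at Developer too is an assumption. The `access_matrix` helper produces the role-by-ability table that the per-endpoint access tests in the status list check.

```ruby
# Simplified model of the access decisions in this issue; not GitLab's own code.
# Access-level numbers match GitLab's (Guest = 10 ... Owner = 50).
ACCESS_LEVELS = {
  anonymous: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# members: { "username" => :role }; visibility is :private, :internal or :public
Project = Struct.new(:visibility, :members, keyword_init: true)
User = Struct.new(:name, keyword_init: true)

class VulnerabilityAccess
  # read_vulnerability is an alias for read_project_security_dashboard (from the issue).
  ALIASES = { read_vulnerability: :read_project_security_dashboard }.freeze

  # Minimum role per ability. Developer for reads is stated on the page;
  # Developer for the write abilities is an assumption of this model.
  MINIMUM_ROLE = {
    read_project_security_dashboard: :developer,
    create_vulnerability: :developer,
    resolve_vulnerability: :developer,
    dismiss_vulnerability: :developer
  }.freeze

  def initialize(project)
    @project = project
  end

  def access_level(user)
    return ACCESS_LEVELS[:anonymous] if user.nil?
    ACCESS_LEVELS.fetch(@project.members.fetch(user.name, :anonymous))
  end

  # Confidential by default: project visibility is deliberately ignored, so a
  # public project still exposes vulnerabilities only to Developer and above.
  def can?(user, ability)
    ability = ALIASES.fetch(ability, ability)
    min = MINIMUM_ROLE[ability]
    return false if min.nil? # unknown ability: deny, never allow by accident
    access_level(user) >= ACCESS_LEVELS[min]
  end
end

# Role-by-ability matrix, the shape the issue's "new access tests" verify per endpoint.
def access_matrix(project, abilities)
  ACCESS_LEVELS.keys.to_h do |role|
    user = role == :anonymous ? nil : User.new(name: role.to_s)
    probe = Project.new(visibility: project.visibility,
                        members: project.members.merge(role.to_s => role))
    [role, abilities.select { |a| VulnerabilityAccess.new(probe).can?(user, a) }]
  end
end
```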