Fix vulnerability statistics inflation from non-default tracked branches
## Summary
When `vulnerabilities_across_contexts` is enabled and vulnerabilities are ingested for non-default tracked branches, all three statistics update paths count non-default branch vulnerabilities in the project's `vulnerability_statistics` and `vulnerability_historical_statistics`. This inflates severity counts, letter grades, and historical trend charts on the Security Dashboard.
## Problem
Three code paths update `vulnerability_statistics` without filtering by tracked context:
1. **Full recount** (`Vulnerabilities::Statistics::AdjustmentService`) — `STATS_SQL` counts all `vulnerability_reads` regardless of branch
2. **Pipeline ingestion** (`Security::Ingestion::Tasks::IngestVulnerabilityStatistics`) — iterates `severity_counts` which includes all tracked contexts
3. **Individual state changes** (`Vulnerabilities::StatisticsUpdateService`) — applies stat deltas for any vulnerability regardless of branch
## Solution
Filter each path to only count default-branch vulnerabilities:
1. Add a `LEFT JOIN` to `security_project_tracked_contexts` in `STATS_SQL` with `WHERE tracked_context_id IS NULL OR is_default = TRUE`
2. Use the existing `default_branch_severity_counts` method for the statistics upsert
3. Add an early return in `StatisticsUpdateService` for non-default branch vulnerabilities
Changes are applied unconditionally (no feature flag gate) because the filter is a no-op when only default branch data exists.
This implements **Option A** from the historical stats analysis — scope statistics to the default branch now, then implement per-branch statistics (Option B) when multiple branch tracking is fully rolled out.
## References
- Related to https://gitlab.com/gitlab-org/gitlab/-/issues/578047
- Related to https://gitlab.com/gitlab-org/gitlab/-/issues/555991
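The effect of the step 1 filter on `STATS_SQL`, shown as an added example that is not GitLab's code. The schema is a constructed, simplified stand-in run in SQLite; it reuses the table names and the `tracked_context_id` and `is_default` columns from the description, while the `severity` text column, the `project_id` columns and all rows are assumptions.

```python
import sqlite3

# Constructed, simplified schema (assumption): not the real GitLab tables.
SCHEMA = """
CREATE TABLE security_project_tracked_contexts (
  id INTEGER PRIMARY KEY, project_id INTEGER, is_default BOOLEAN);
CREATE TABLE vulnerability_reads (
  id INTEGER PRIMARY KEY, project_id INTEGER, severity TEXT,
  tracked_context_id INTEGER);
"""

# Before: every tracked context contributes to the project's counts.
UNFILTERED_SQL = """
SELECT severity, COUNT(*) FROM vulnerability_reads
WHERE project_id = ? GROUP BY severity
"""

# After: LEFT JOIN keeps rows that have no context, the WHERE clause drops
# rows tied to a non-default context. SQLite stores TRUE as 1.
DEFAULT_BRANCH_SQL = """
SELECT vr.severity, COUNT(*) FROM vulnerability_reads vr
LEFT JOIN security_project_tracked_contexts tc ON tc.id = vr.tracked_context_id
WHERE vr.project_id = ?
  AND (vr.tracked_context_id IS NULL OR tc.is_default = 1)
GROUP BY vr.severity
"""

def build_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO security_project_tracked_contexts VALUES (?,?,?)",
                     [(1, 1, 1), (2, 1, 0)])  # context 1 is the default branch
    conn.executemany("INSERT INTO vulnerability_reads VALUES (?,?,?,?)", [
        (1, 1, "critical", None),                    # row with no tracked context
        (2, 1, "critical", 1), (3, 1, "high", 1),    # default branch
        (4, 1, "critical", 2), (5, 1, "high", 2),    # non-default branch
        (6, 1, "high", 2), (7, 1, "low", 2),
        (8, 2, "critical", None),                    # other project, never counted
    ])
    return conn

def severity_counts(conn, sql, project_id):
    """Return {severity: count} for one project using the given query."""
    return dict(conn.execute(sql, (project_id,)).fetchall())

if __name__ == "__main__":
    db = build_db()
    print("all contexts :", severity_counts(db, UNFILTERED_SQL, 1))
    print("default only :", severity_counts(db, DEFAULT_BRANCH_SQL, 1))
```

The parentheses around the `OR` matter once the project predicate is combined with `AND`; without them, rows with a `NULL` `tracked_context_id` from every project would be counted.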