Add setting for requiring comment when dismissing vulnerabilities
Problem to solve
Users need to know why a vulnerability was dismissed and who dismissed it. This issue focuses on the "why" part of that requirement. Today a user can dismiss a vulnerability without leaving a comment that records the reasoning behind the dismissal. Other issues on developer behavior around vulnerabilities have shown that the lack of a comment requirement is a problem: anyone with the Developer role or higher can dismiss a vulnerability, and without a recorded reason the security team has to track down why it was dismissed, which adds work for them. Dismissal reasons, when added, will give more granularity to why a vulnerability was dismissed, but they do not directly address the problem of dismissing without any stated reason.
Intended users
- Persona: Security Analyst
- Persona: Development Team Lead
Further details
Proposal
Require a comment when vulnerability_findings are dismissed in the MR and Pipeline.
- Remove the ability to dismiss a vulnerability_finding without a comment.
- Re-label the modal action "Dismiss and comment" to "Dismiss".
- Validate the dismissal comment field so that it cannot be blank (an empty or whitespace-only comment should be rejected).
Post-MVC
Add setting at either project-level or group-level requiring a comment when dismissing vulnerabilities.
Require a comment in the vulnerability object on status change: See this issue for more details.
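The following is an added illustration, not GitLab's code: a minimal, dependency-free Ruby model of the rule proposed above. The names `DismissalPolicy`, `Finding` and `DismissalError` are hypothetical. The `require_comment` flag stands in for the post-MVC project- or group-level setting; the MVC behaviour in this issue corresponds to that flag being on everywhere. Blank is treated the way Rails treats it (nil, empty, or whitespace-only), so a comment of spaces does not satisfy the requirement, and the dismissal records both who dismissed the finding and why.

```ruby
# Added example (not GitLab's code). Hypothetical names throughout.

class DismissalError < StandardError; end

# Minimal stand-in for a vulnerability finding record.
Finding = Struct.new(:id, :state, :dismissed_by, :dismissal_comment)

class DismissalPolicy
  # require_comment models the proposed project/group-level setting.
  # The MVC in this issue is equivalent to require_comment: true everywhere.
  def initialize(require_comment: true)
    @require_comment = require_comment
  end

  # Blank means nil, empty, or whitespace-only, matching Rails' blank?
  # semantics, so "   " does not count as a comment.
  def blank?(str)
    str.nil? || str.strip.empty?
  end

  # Field-level check suitable for the modal: returns [valid, error_message].
  def validate(comment)
    return [false, "Comment can't be blank"] if @require_comment && blank?(comment)
    [true, nil]
  end

  # Dismiss a finding, recording who did it and why. Raises DismissalError
  # when the comment requirement is not met or the finding is already dismissed.
  def dismiss!(finding, by:, comment:)
    raise DismissalError, "finding #{finding.id} is already dismissed" if finding.state == :dismissed

    valid, message = validate(comment)
    raise DismissalError, message unless valid

    finding.state = :dismissed
    finding.dismissed_by = by
    finding.dismissal_comment = comment.nil? ? nil : comment.strip
    finding
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = DismissalPolicy.new(require_comment: true)
  finding = Finding.new(42, :detected, nil, nil) # constructed sample finding

  begin
    policy.dismiss!(finding, by: "developer1", comment: "   ")
  rescue DismissalError => e
    puts "rejected: #{e.message}"
  end

  policy.dismiss!(finding, by: "developer1", comment: "False positive: input is validated upstream")
  puts "#{finding.state} by #{finding.dismissed_by}: #{finding.dismissal_comment}"
end
```

Putting the check in `validate` as well as `dismiss!` lets the modal show "Comment can't be blank" before submission while the server still refuses a blank comment; the UI check alone would not prevent a dismissal sent directly to the API.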