Create vulnerabilities from vulnerability findings
Problem to solve
Vulnerabilities are created for each new vulnerability finding, but old vulnerability findings won't have matching vulnerabilities. If we turn on first class vulnerabilities, it will appear to users as if some of the vulnerabilities disappeared.
Proposal
Write a migration that creates a vulnerability for each vulnerability finding that doesn't already have one.
The migration should also take dismissed vulnerability findings into account, like what is being proposed in #207895 (closed)
What does success look like, and how can we measure that?
- All reported vulnerabilities remain on the security dashboards when the first_class_vulnerabilities feature flag is on.
- Vulnerability findings that were not showing on the instance, group, or project security dashboards should not be migrated, so that the previous security dashboards match the new vulnerability list as closely as possible after the migration.
- If a new vulnerability is created from a vulnerability finding that had been dismissed, it will be updated to have the state of 'dismissed'.
- If a vulnerability had already been created from a vulnerability finding, the vulnerability is still in the 'detected' state, and the vulnerability finding has been dismissed, the vulnerability will be updated to have the state of 'dismissed'.
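As an added example that is not part of this issue or of GitLab's own migration code, the following plain Ruby models the rules above over constructed data so the planned behaviour (create, set 'dismissed', leave other states alone, skip non-dashboard findings, run twice safely) can be checked. `visible_on_dashboard`, the integer ids and the `plan_migration`/`apply_plan` names are assumptions standing in for the real dashboard criteria and schema.

```ruby
# Illustrative model of the proposed migration (assumed names, not GitLab code).
Finding = Struct.new(:id, :project_id, :vulnerability_id, :dismissed, :visible_on_dashboard, keyword_init: true)
Vulnerability = Struct.new(:id, :project_id, :finding_id, :state, keyword_init: true)

# Plans the migration without mutating inputs.
# Returns { create: [Vulnerability], update: [Vulnerability] }.
def plan_migration(findings, vulnerabilities)
  by_id = vulnerabilities.to_h { |v| [v.id, v] }
  next_id = (vulnerabilities.map(&:id).max || 0) + 1
  creates = []
  updates = []

  findings.each do |f|
    existing = f.vulnerability_id && by_id[f.vulnerability_id]
    if existing
      # Only a vulnerability still in 'detected' is moved to 'dismissed';
      # 'confirmed' or 'resolved' keep the state a user already chose.
      if f.dismissed && existing.state == 'detected'
        updates << Vulnerability.new(id: existing.id, project_id: existing.project_id,
                                     finding_id: f.id, state: 'dismissed')
      end
    elsif f.visible_on_dashboard
      # Findings that never showed on a dashboard are skipped so the new
      # vulnerability list matches the old dashboards as closely as possible.
      creates << Vulnerability.new(id: next_id, project_id: f.project_id, finding_id: f.id,
                                   state: f.dismissed ? 'dismissed' : 'detected')
      next_id += 1
    end
  end

  { create: creates, update: updates }
end

# Applies a plan and returns [findings, vulnerabilities] after the migration.
# Planning again on the result yields no work, i.e. the migration is idempotent.
def apply_plan(findings, vulnerabilities, plan)
  updated = plan[:update].to_h { |v| [v.id, v] }
  created_by_finding = plan[:create].to_h { |v| [v.finding_id, v] }
  new_vulns = vulnerabilities.map { |v| updated.fetch(v.id, v) } + plan[:create]
  new_findings = findings.map do |f|
    created = created_by_finding[f.id]
    created ? Finding.new(**f.to_h.merge(vulnerability_id: created.id)) : f
  end
  [new_findings, new_vulns]
end
```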
Links / references
First class vulnerabilities: #13561 (closed)
Edited by rossfuhrman