Dismissed Findings should turn into Dismissed Vulnerabilities

Problem to solve

Currently, when a vulnerability is created from a vulnerability finding, it is opened with a state of detected. But when the vulnerability finding was dismissed on a feature branch before that branch was merged into the default branch, the vulnerability created from that finding should instead be in the dismissed state.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)

Further details

Detailed scenario

  1. There's an MR with some vulnerabilities in the pipeline
  2. The Vulnerability::Occurrence gets dismissed on the MR Security widget (see [1])
  3. The MR gets merged
  4. CI on the default branch will still pick up the vulnerability
  5. The vulnerability that gets created should have its state set to dismissed

Proposal

Permissions and Security

Topic for discussion. Should someone that can dismiss a finding also have the ability to set a vulnerability to dismissed or are these separate permissions?

Documentation

Update the security dashboard documentation to reflect the new behavior. Call attention to the fact that dismissing a finding on the pipeline dashboard now creates a corresponding dismissed vulnerability on the project, group, and instance dashboards.

Availability & Testing

What does success look like, and how can we measure that?

Dismissed findings in pipelines that become vulnerabilities will show up as vulnerabilities with the dismissed state.

What is the type of buyer?

GitLab Ultimate

Links / references

[1] image

Edited Mar 26, 2020 by Michał Zając