
Design: Notify user when a vulnerability is resolved in the Vulnerability List

Problem to solve

When a vulnerability is fixed ("resolved", i.e. removed from the default branch) in a user's project, there is no way of notifying them of this in the vulnerability list or on the vulnerability page.

Intended users

Further details

We will need to provide some indication in the Vulnerability List UI that a vulnerability has been fixed/removed from the default branch. Without it, someone using the vulnerability list has no way to tell which vulnerabilities have been addressed and which ones are still pending mitigation.

Proposal

When the system no longer detects a finding that was associated with a vulnerability in the default branch, provide the user with some type of visual indication that this has happened. This can be shown in the vulnerability list, on the vulnerability page, or both.

--- Summary from @andyvolpe in #214656 (comment 339203830)

Vulnerabilities that have been fixed/removed will now be persisted. This is one of the new behaviors of Standalone vulnerabilities. Vulnerabilities in this state will be displayed with the 'Resolved' status IF they have been manually marked as resolved and have been removed/remediated.

IF vulnerabilities are removed/remediated by the user AND their state is NOT "Resolved" then they will receive a badge in the UI to make users aware that their state can be changed to resolved. This issue defines that experience.

Design

Vulnerability list updates

See feature issue: #35860 (closed)

Badge detail

See feature issue: #35860 (closed)

Permissions and Security

The indication should only be accessible if the vulnerability itself can be viewed.

Documentation

Update relevant screenshots of the product to show these messages properly.

Testing

Test both the success and error cases. Ensure that the error message is appropriate for all cases or is specific to the error itself. Ensure messaging throughout the experience is clear.

What is the type of buyer?

GitLab Ultimate

Links / references

Implementation checklist

  • backend: See #35860 (closed)
    • Use the current N+1 resolved_on_default_branch method in ee/app/models/vulnerability.rb as a short-term solution. This result will be sent in the response to the UI. It's slow, but it will start giving us some correct data.
    • Extend the GraphQL VulnerabilityType to return resolved_on_default_branch.
    • Fix the existing issue described in #218012 (closed) to ensure the security scan ran in the latest pipeline before marking the vulnerability as resolved.
    • Create a resolved_on_default_branch column in the vulnerabilities table and set that value from the pipeline. We would probably need to default to nil to indicate the check has not been run yet. With this change, we would check the database value first, then calculate using the existing method.
    • Run a background migration to set the value as needed.
    • Remove the existing workaround method.
  • frontend: Display a notification when a vulnerability has all findings resolved but is still in a detected state.
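The checklist above combines three pieces: a persisted three-valued column (true/false/nil, where nil means "not checked yet"), a slow fallback computation, and the #218012 caveat that a vulnerability only counts as resolved when its scanner actually ran in the latest default-branch pipeline. The following is an added illustration in plain Ruby, not GitLab's own code; the Struct-based Vulnerability, Finding and Pipeline types and the sample data are constructed stand-ins for the real models.

```ruby
# Hypothetical stand-ins for the vulnerabilities table, findings and the
# latest default-branch pipeline (constructed for this example, not GitLab's models).
Finding = Struct.new(:vulnerability_id, :scanner)
Pipeline = Struct.new(:scanners_run, :findings)

Vulnerability = Struct.new(:id, :state, :scanners, :resolved_on_default_branch) do
  # Check the persisted column first; nil means the check has not run yet,
  # so fall back to the slow computation (the checklist's interim plan).
  def resolved_on_default_branch?(pipeline)
    return resolved_on_default_branch unless resolved_on_default_branch.nil?
    compute_resolved_on_default_branch(pipeline)
  end

  # Slow path standing in for the existing per-vulnerability method. Per the
  # #218012 caveat, a missing finding only means "resolved" if every scanner
  # that reported this vulnerability ran in the latest pipeline; otherwise the
  # absence is just a scan that did not happen.
  def compute_resolved_on_default_branch(pipeline)
    return false unless scanners.all? { |s| pipeline.scanners_run.include?(s) }
    pipeline.findings.none? { |f| f.vulnerability_id == id }
  end

  # Frontend rule: badge the vulnerability when all findings are resolved but
  # the state is still "detected" (not manually marked resolved).
  def needs_resolved_badge?(pipeline)
    state == "detected" && resolved_on_default_branch?(pipeline)
  end
end

# Constructed sample data: only SAST ran, and it still reports vulnerability 1.
def sample_pipeline
  Pipeline.new(%w[sast], [Finding.new(1, "sast")])
end

def sample_vulnerabilities
  [
    Vulnerability.new(1, "detected", %w[sast], nil),   # still found: no badge
    Vulnerability.new(2, "detected", %w[sast], nil),   # gone from latest scan: badge
    Vulnerability.new(3, "detected", %w[dast], nil),   # DAST did not run: not resolved
    Vulnerability.new(4, "resolved", %w[sast], true),  # already resolved: no badge
    Vulnerability.new(5, "detected", %w[sast], true)   # column set: badge, no slow path
  ]
end

# Ids of vulnerabilities the UI should badge for the sample data.
def badge_ids
  pipeline = sample_pipeline
  sample_vulnerabilities.select { |v| v.needs_resolved_badge?(pipeline) }.map(&:id)
end
```

Vulnerability 3 is the case #218012 guards against: without the scanner check it would be wrongly badged as resolved simply because DAST produced no findings in a pipeline where it never ran.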
Edited by Thiago Figueiró