Vulnerabilities are incorrectly marked as resolved in master
Summary
Some vulnerabilities are marked as resolved in master, whereas the code hasn't changed at all.
Steps to reproduce
Example: https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/2333417 will appear as resolved on the default branch if either:
- The vulnerability scanner ran but didn't find the vulnerability, OR
- The vulnerability scanner didn't run at all in the latest successful pipeline for the default branch (see https://gitlab.com/gitlab-org/gitlab/-/pipelines/159684155 for an example of that happening)
Example Project
https://gitlab.com/gitlab-org/gitlab/-/security/dashboard
What is the current bug behavior?
https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/1727730 is dismissed, but the code is still there, so the "resolved" message is confusing. The Location is https://gitlab.com/gitlab-org/gitlab/-/blob/4523cbbb2a92ceb16d538019748e69fcd1eef4ee/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml#L17 and the same line in the current master is https://gitlab.com/gitlab-org/gitlab/-/blob/363181391313446cafcf1ff8fb2fc5545c09aaf2/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml#L17
What is the expected correct behavior?
No banner.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Implementation plan
Make sure that Vulnerability#resolved_on_default_branch checks that the latest pipeline actually ran the job that produced the Vulnerability.
A naive approach would be to select the latest successful pipeline that has a Ci::Build#name matching the Vulnerability#report_type.
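To make the difference concrete, here is an added example (not GitLab's code) that models the two behaviours with plain Ruby structs. `Pipeline`, `Build` and `Vulnerability` are stand-ins for `Ci::Pipeline`, `Ci::Build` and `Vulnerability`; the `report_type` attribute on a build, the numeric ids and the finding lists are constructed for the example and are not how GitLab stores them.

```ruby
# Added example, not GitLab code. Stand-in models for Ci::Pipeline, Ci::Build
# and Vulnerability; attributes and sample data are constructed for this example.
Build         = Struct.new(:name, :report_type, :finding_ids)
Pipeline      = Struct.new(:id, :status, :builds)
Vulnerability = Struct.new(:id, :report_type)

def scan_builds_for(pipeline, report_type)
  pipeline.builds.select { |b| b.report_type == report_type }
end

# Current (buggy) behaviour as described in the issue: take the latest
# successful default-branch pipeline and treat "finding not present" as
# resolved, even when no scanner job ran in that pipeline at all.
def naive_resolved_on_default_branch?(vulnerability, pipelines)
  latest = pipelines.select { |p| p.status == 'success' }.max_by(&:id)
  return false unless latest

  latest.builds.none? { |b| b.finding_ids.include?(vulnerability.id) }
end

# Proposed behaviour: only a successful pipeline that actually ran a build
# for the vulnerability's report_type can vouch that the finding is gone.
# If no such pipeline exists, the vulnerability is NOT considered resolved.
def resolved_on_default_branch?(vulnerability, pipelines)
  latest_with_scan = pipelines
    .select { |p| p.status == 'success' && scan_builds_for(p, vulnerability.report_type).any? }
    .max_by(&:id)
  return false unless latest_with_scan

  scan_builds_for(latest_with_scan, vulnerability.report_type)
    .none? { |b| b.finding_ids.include?(vulnerability.id) }
end

# Constructed sample data: pipeline 100 ran SAST and reported finding 42;
# pipeline 101 (the newest) succeeded but ran no SAST job at all.
VULN = Vulnerability.new(42, 'sast')
PIPELINES = [
  Pipeline.new(100, 'success', [Build.new('sast', 'sast', [42])]),
  Pipeline.new(101, 'success', [Build.new('rspec', nil, [])])
].freeze

# A later pipeline where SAST really did run and no longer reports finding 42.
CLEAN_SCAN_PIPELINE = Pipeline.new(102, 'success', [Build.new('sast', 'sast', [])])

if __FILE__ == $PROGRAM_NAME
  puts "naive:    #{naive_resolved_on_default_branch?(VULN, PIPELINES)}"   # true (wrong)
  puts "proposed: #{resolved_on_default_branch?(VULN, PIPELINES)}"         # false (correct)
  puts "after clean scan: #{resolved_on_default_branch?(VULN, PIPELINES + [CLEAN_SCAN_PIPELINE])}" # true
end
```

The proposed check returns `false` for pipeline 101 because it never ran the scanner, so the missing finding carries no information; it returns `true` only once a pipeline with a matching scan job no longer reports the finding. In GitLab itself the "did this pipeline run the scanner" test would key off the job's report type (or `Ci::Build#name` as the naive approach suggests) rather than a `report_type` attribute on the build struct.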