Findings dismissed in security tab don't dismiss corresponding vulnerability

Summary

If a vulnerability is dismissed in a pipeline for the feature branch, it will not have the dismissed status in the vulnerability report for the default branch after the branch is merged.

Steps to reproduce

  1. Scanner runs on a feature branch
  2. Finding X is dismissed in the MR
  3. MR is merged
  4. Finding X is reported in the main branch
  5. Finding X doesn't show as dismissed on the vulnerability report.

Possible fixes

From @minac in slack (internal link):

I checked the behavior on StoreReportsService and it was marking the vulnerability as dismissed if there was a dismissal feedback.

The place where we used to create the vulnerability records: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.0.9-ee/ee/app/services/vulnerabilities/create_service.rb#L38

And where the state is calculated: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.0.9-ee/ee/app/models/vulnerabilities/finding.rb#L118

Implementation Plan

  • backend Correct the ingestion service to properly detect the dismissed state and set it appropriately based on dismissal feedback.
  • backend Add spec for the ingestion to make sure that a dismissed finding will ingest the correct state.
  • database Perform a database migration to correct the vulnerability state. We can check the dismissed_at value, and if set, the state should be DISMISSED.
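The two halves of the plan, as an added illustration (not GitLab's own code): the ingestion must look up dismissal feedback by finding identity rather than by pipeline, and the backfill must only touch rows whose dismissed_at is set. The field names, the `:fingerprint` join key and all sample records are assumptions.

```ruby
# Added example, not GitLab's code. Models the ingestion-state decision and the
# backfill migration described in the implementation plan; every name and
# record here is hypothetical.

# Dismissal feedback is keyed by project and finding fingerprint, not by
# pipeline, so a dismissal recorded on the feature branch must still be found
# when the default-branch pipeline ingests the same finding.
def dismissal_for(feedbacks, project_id, fingerprint)
  feedbacks.find do |f|
    f[:project_id] == project_id &&
      f[:fingerprint] == fingerprint &&
      f[:feedback_type] == :dismissal
  end
end

# Buggy ingestion: state is derived from the new scan alone, so the finding
# reappears as :detected on the default branch even though it was dismissed.
def ingest_state_buggy(_finding, _feedbacks)
  :detected
end

# Corrected ingestion: a finding that has dismissal feedback is ingested as
# :dismissed; anything else is :detected.
def ingest_state_fixed(finding, feedbacks)
  fb = dismissal_for(feedbacks, finding[:project_id], finding[:fingerprint])
  fb ? :dismissed : :detected
end

# Backfill for rows already ingested wrongly: dismissed_at is set but the state
# is not :dismissed. Rows never dismissed (dismissed_at nil) are left alone.
# Returns the corrected rows and the number of rows that were changed.
def backfill_dismissed_state(vulnerabilities)
  changed = 0
  rows = vulnerabilities.map do |v|
    next v unless v[:dismissed_at] && v[:state] != :dismissed
    changed += 1
    v.merge(state: :dismissed)
  end
  [rows, changed]
end

# Constructed sample data (not real findings or feedback).
FEEDBACKS = [
  { project_id: 1, fingerprint: 'abc123', feedback_type: :dismissal },
  { project_id: 1, fingerprint: 'def456', feedback_type: :issue }
].freeze
FINDING_X = { project_id: 1, fingerprint: 'abc123' }.freeze # dismissed in MR
FINDING_Y = { project_id: 1, fingerprint: 'def456' }.freeze # never dismissed
```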

Edited by Subashis Chakraborty