Add "View Vulnerability Report" as a separate permission
Background
There is customer demand for "View Vulnerability Report" to be split off into its own permission to be able to add to an existing GitLab role (likely Reporter) to make a custom role.
This code is fairly straightforward and separate already, making it a good candidate to be the next customizable permission.
Proposal
Permission to view the vulnerability report implies several other permissions. Custom roles granted the new permission will be able to do the following, either via UI or API (REST or GraphQL) on any project to which they have access and their custom role permits:
- View the Vulnerability Report
- Perform all functions on the page including changing vulnerability statuses and downloading the CSV report export
- View any vulnerability records visible in the Vulnerability Report's list
- Perform all functions on such vulnerability records including changing status and leaving a comment
The opposite is also true. Custom roles that do not already include access to the Vulnerability Report and have not been given this explicit custom permission will have no access to Vulnerability Reports or any vulnerability records, either via UI or API (REST or GraphQL). Attempting to access such a page/record will return our standard permission denied error.