Dismissing finding does not set dismissal reason on vulnerability

Summary

Dismissing a finding with a dismissal reason does not persist the reason in the vulnerability's dismissalReason field. It does create a new stateTransition that carries the dismissal reason.

Steps to reproduce

  1. Go to pipeline security tab: https://gitlab.com/gitlab-examples/security/security-reports/-/pipelines/997006012/security?severity=MEDIUM&reportType=DAST
  2. Click info icon of a non-dismissed finding
  3. Click dismiss vulnerability (add dismissal reason and comment)
  4. Click Confirm Dismissal
  5. This calls the dismissFinding GraphQL mutation
  6. If you open the modal of the same finding again, you'll see in the event note that it is correctly dismissed with the reason and comment you provided
  7. Go to vulnerability report: https://gitlab.com/gitlab-examples/security/security-reports/-/security/vulnerability_report/?severity=MEDIUM&scanner=GitLab.DAST&state=ALL
  8. Find the same vulnerability you just dismissed
  9. Notice that in the table the status is Dismissed, but there is no badge for the dismissal reason (there should be one!)
  10. The data used for the report comes from the GraphQL query projectVulnerabilities. In the response, the vulnerability that was just dismissed has dismissalReason set to null.
  11. Go to the details page of that vulnerability by clicking on it in the table
  12. In the status description at the top, the dismissal reason is shown. In this case, the dismissal reason is taken from the vulnerability's last stateTransition.

Relevant logs and/or screenshots

(screenshot: issue-finding-sync-reason)

Implementation plan:

As part of Implement dismissal_reason field on the Vulnerability::Read model, we updated https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/vulnerabilities/dismiss_service.rb#L30 to update the existing state transition. We updated Vulnerability::Read for pipeline findings as part of !130509 (diffs). But we also need to update the Vulnerability::Read model when we interact with a finding from a pipeline whose vulnerability already exists and change its state: when the vulnerability is not already in the dismissed state, we create a state transition for it at https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/vulnerabilities/find_or_create_from_security_finding_service.rb#L63, and the read model has to be updated there as well.
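A hypothetical, simplified Ruby model of the drift this issue describes, added here as an illustration and not GitLab's own code (`Vulnerability`, `VulnerabilityRead`, `dismiss_finding_buggy`, `dismiss_finding_fixed` and `read_model_in_sync?` are placeholder names): the buggy path records the dismissal reason only on the state transition, the fixed path also syncs the denormalized read model from that transition, and a check flags rows where the two disagree.

```ruby
# Hypothetical, simplified model of the issue above. Not GitLab code:
# all class and method names are placeholders.
StateTransition = Struct.new(:from_state, :to_state, :dismissal_reason, :comment)

class Vulnerability
  attr_reader :id, :state, :state_transitions

  def initialize(id)
    @id = id
    @state = :detected
    @state_transitions = []
  end

  def transition_to(new_state, dismissal_reason: nil, comment: nil)
    @state_transitions << StateTransition.new(@state, new_state, dismissal_reason, comment)
    @state = new_state
  end

  # What the vulnerability details page shows: the reason on the last transition.
  def last_dismissal_reason
    @state_transitions.last&.dismissal_reason
  end
end

# Denormalized row backing the vulnerability report (stands in for Vulnerability::Read).
VulnerabilityRead = Struct.new(:vulnerability_id, :state, :dismissal_reason)

# Buggy path: the transition carries the reason, but the read model's
# dismissal_reason is left nil, so the report shows Dismissed with no reason badge.
def dismiss_finding_buggy(vuln, read, reason:, comment: nil)
  vuln.transition_to(:dismissed, dismissal_reason: reason, comment: comment)
  read.state = :dismissed
  read
end

# Fixed path: the read model is synced from the transition that was just created.
def dismiss_finding_fixed(vuln, read, reason:, comment: nil)
  vuln.transition_to(:dismissed, dismissal_reason: reason, comment: comment)
  read.state = vuln.state
  read.dismissal_reason = vuln.last_dismissal_reason
  read
end

# Drift check: a dismissed read row must carry the same reason as the last transition.
def read_model_in_sync?(vuln, read)
  read.state == vuln.state &&
    (read.state != :dismissed || read.dismissal_reason == vuln.last_dismissal_reason)
end
```

Running `read_model_in_sync?` over every dismissed read row is a cheap way to find rows that the buggy path has already left behind before backfilling them.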

Edited by Michael Becker