Merge branch 'add_vulnerability_states_for_scan_result_policies' into 'master'

Add vulnerability_states for scan_result_policies

See merge request gitlab-org/gitlab!76865

ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb

@@ -45,7 +45,8 @@ module Security
           user_ids: project.users.get_ids_by_username(action_info[:approvers]),
           vulnerabilities_allowed: rule[:vulnerabilities_allowed],
           report_type: :scan_finding,
-          orchestration_policy_idx: policy_index
+          orchestration_policy_idx: policy_index,
+          vulnerability_states: rule[:vulnerability_states]
         }
       end
 

ee/app/validators/json_schemas/security_orchestration_policy.json

@@ -245,7 +245,8 @@
                 "branches",
                 "scanners",
                 "vulnerabilities_allowed",
-                "severity_levels"
+                "severity_levels",
+                "vulnerability_states"
               ],
               "properties": {
                 "type": {
@@ -289,6 +290,22 @@
                       "type": "string"
                     }
                   }
+                },
+                "vulnerability_states":{
+                  "type": "array",
+                  "additionalItems": false,
+                  "items":{
+                    "type": {
+                      "enum": [
+                        "newly_detected",
+                        "detected",
+                        "confirmed",
+                        "resolved",
+                        "dismissed"
+                      ],
+                      "type": "string"
+                    }
+                  }
                 }
               },
               "additionalProperties": false

ee/spec/factories/security/policies.rb

@@ -48,7 +48,8 @@ FactoryBot.define do
           branches: %w[master],
           scanners: %w[container_scanning],
           vulnerabilities_allowed: 0,
-          severity_levels: %w[critical]
+          severity_levels: %w[critical],
+          vulnerability_states: %w[detected]
         }
       ]
     end

ee/spec/services/security/security_orchestration_policies/process_scan_result_policy_service_spec.rb

@@ -61,6 +61,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessScanResultPolicyS
       expect(scan_finding_rule.scanners).to eq(first_rule[:scanners])
       expect(scan_finding_rule.severity_levels).to eq(first_rule[:severity_levels])
       expect(scan_finding_rule.vulnerabilities_allowed).to eq(first_rule[:vulnerabilities_allowed])
+      expect(scan_finding_rule.vulnerability_states).to eq(first_rule[:vulnerability_states])
       expect(scan_finding_rule.approvals_required).to eq(first_action[:approvals_required])
     end
   end

ee/spec/workers/security/create_orchestration_policy_worker_spec.rb

@@ -46,7 +46,7 @@ RSpec.describe Security::CreateOrchestrationPolicyWorker do
               name: 'CS critical policy',
               description: 'This policy with CS for critical policy',
               enabled: true,
-              rules: [{ type: 'scan_finding', branches: %w[production], vulnerabilities_allowed: 0, severity_levels: %w[critical], scanners: %w[container_scanning] }],
+              rules: [{ type: 'scan_finding', branches: %w[production], vulnerabilities_allowed: 0, severity_levels: %w[critical], scanners: %w[container_scanning], vulnerability_states: %w[newly_detected] }],
               actions: [
                 { type: 'require_approval', approvals_required: 1, approvers: %w[admin] }
               ]