Merge branch 'always_mark_vulnerabilities_as_not_resolved_on_update' into 'master'

Mark vulnerabilities as not resolved on default branch on ingestion

See merge request gitlab-org/gitlab!77060

ee/app/services/security/ingestion/tasks/ingest_vulnerabilities/update.rb

@@ -23,6 +23,7 @@ module Security
               title: report_finding.name.truncate(::Issuable::TITLE_LENGTH_MAX),
               severity: report_finding.severity,
               confidence: report_finding.confidence,
+              resolved_on_default_branch: false,
               updated_at: Time.zone.now
             }
           end

ee/spec/services/security/ingestion/tasks/ingest_vulnerabilities_spec.rb

@@ -7,20 +7,24 @@ RSpec.describe Security::Ingestion::Tasks::IngestVulnerabilities do
     let_it_be(:user) { create(:user) }
     let_it_be(:pipeline) { create(:ci_pipeline, user: user) }
     let_it_be(:identifier) { create(:vulnerabilities_identifier) }
+    let_it_be(:existing_vulnerability) { create(:vulnerability, :detected, :with_finding, resolved_on_default_branch: true) }
 
     let(:finding_maps) { create_list(:finding_map, 4) }
-    let(:existing_finding) { create(:vulnerabilities_finding, :detected) }
 
     subject(:ingest_vulnerabilities) { described_class.new(pipeline, finding_maps).execute }
 
     before do
-      finding_maps.first.vulnerability_id = existing_finding.vulnerability_id
+      finding_maps.first.vulnerability_id = existing_vulnerability.id
 
       finding_maps.each { |finding_map| finding_map.identifier_ids << identifier.id }
     end
 
-    it 'ingests vulnerabilities' do
+    it 'creates new vulnerabilities' do
       expect { ingest_vulnerabilities }.to change { Vulnerability.count }.by(3)
     end
+
+    it 'marks the existing vulnerability as not resolved on default branch' do
+      expect { ingest_vulnerabilities }.to change { existing_vulnerability.reload.resolved_on_default_branch }.to(false)
+    end
   end
 end