Description
Add first-class support for a "Change Severity" remediation type so teams can record when a vulnerability’s severity is adjusted (typically downgraded) with proper justification (including reason, who changed it, when, and the new severity). This enables correct UI grouping of remediated vs unremediated vulnerabilities, consistent storage and querying of remediations, and full auditability. Related: #1520
Objectives
- Use the existing `rescore` value in the remediation type enum to represent severity changes and extend it with audit fields (`reason`, `rescored_by`, `rescored_at`, `new_severity`).
- Provide GraphQL queries to fetch remediations by vulnerability IDs and remediation type.
- Update frontend flows to fetch remediations in bulk and render Vulnerability vs Remediated lists without duplicates.
- Provide UI to create and revoke Change Severity remediations with validation and auditability.
- Ensure the remediation modal includes selectable severity options (e.g., Critical, High, Medium, Low) to allow users to downgrade the vulnerability.
- Add the Change Severity action to the Actions list in both Active and Remediated Vulnerabilities tabs.
- Add tests, migrations, and documentation.
Acceptance Criteria
- Backend stores remediations with type `rescore` linked to vulnerability IDs and includes `reason`, `rescored_by`, `rescored_at`, and `new_severity`.
- GraphQL exposes a `remediations(vulnerabilityIds: [ID!], type: RemediationTypeValues)` query (or equivalent) that returns correct results for batched queries.
- Frontend shows vulnerabilities without remediations in the Vulnerability List and those with `rescore` in the Remediated List (no duplicates).
- UI provides create and revoke flows for Change Severity with validations, confirmations, and audit fields.
- Remediation modal contains severity selection options allowing users to downgrade the vulnerability severity.
- Change Severity action is available in the Actions menu for both Active and Remediated Vulnerabilities tabs.
- Unit and integration tests cover backend resolvers and frontend matching logic; CI passes.
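As an added example (not the project's code), the frontend matching logic and the create-flow validation described above, in JavaScript. Field names (`reason`, `rescored_by`, `rescored_at`, `new_severity`, `vulnerabilityIds`, type `rescore`) follow the issue; the `revoked` flag and the sample data are assumptions.

```javascript
// Severity options offered in the remediation modal (from the issue).
const SEVERITIES = new Set(['Critical', 'High', 'Medium', 'Low']);

// Validate a Change Severity remediation before it is stored. Every audit
// field is required; the new severity must be a valid option and differ
// from the current one (the issue says the change is typically a downgrade).
function validateRescore(rem, currentSeverity) {
  const errors = [];
  if (rem.type !== 'rescore') errors.push('type must be rescore');
  if (!rem.reason || !rem.reason.trim()) errors.push('reason is required');
  if (!rem.rescored_by) errors.push('rescored_by is required');
  if (!rem.rescored_at || Number.isNaN(Date.parse(rem.rescored_at))) {
    errors.push('rescored_at must be a valid timestamp');
  }
  if (!SEVERITIES.has(rem.new_severity)) {
    errors.push('new_severity must be one of Critical, High, Medium, Low');
  } else if (rem.new_severity === currentSeverity) {
    errors.push('new_severity must differ from the current severity');
  }
  return errors;
}

// Split vulnerabilities into Active vs Remediated using the result of a
// batched remediations(vulnerabilityIds, type: rescore) query. A vulnerability
// covered by several remediations appears once, with the latest rescore.
// `revoked` is an assumed flag marking a revoked remediation.
function partitionByRescore(vulns, remediations) {
  const latest = new Map(); // vulnerability id -> most recent active rescore
  for (const rem of remediations) {
    if (rem.type !== 'rescore' || rem.revoked) continue;
    for (const id of rem.vulnerabilityIds) {
      const prev = latest.get(id);
      if (!prev || Date.parse(rem.rescored_at) > Date.parse(prev.rescored_at)) latest.set(id, rem);
    }
  }
  const active = [], remediated = [], seen = new Set();
  for (const v of vulns) {
    if (seen.has(v.id)) continue; // defensive: drop duplicate rows from the API
    seen.add(v.id);
    const rem = latest.get(v.id);
    if (rem) remediated.push({ ...v, severity: rem.new_severity, remediation: rem });
    else active.push(v);
  }
  return { active, remediated };
}

// Constructed sample data (not from the project).
const SAMPLE_VULNS = [{ id: 'v1', severity: 'High' }, { id: 'v2', severity: 'Critical' }, { id: 'v3', severity: 'Low' }];
const SAMPLE_REMS = [
  { type: 'rescore', vulnerabilityIds: ['v1', 'v2'], reason: 'Not reachable in prod', rescored_by: 'alice', rescored_at: '2024-01-10T00:00:00Z', new_severity: 'Medium' },
  { type: 'rescore', vulnerabilityIds: ['v1'], reason: 'Mitigated by WAF rule', rescored_by: 'bob', rescored_at: '2024-02-01T00:00:00Z', new_severity: 'Low' },
  { type: 'rescore', vulnerabilityIds: ['v3'], reason: 'Entered by mistake', rescored_by: 'carol', rescored_at: '2024-01-01T00:00:00Z', new_severity: 'Critical', revoked: true },
];
```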