When no fix for a CVE exists, don't mark a PR as changes requested

[jhrozek]

As discussed in https://github.com/stacklok/minder/pull/1806#discussion_r1415544292, when a CVE exists, but no fixed version exists, we should not mark the PR as changes requested (at least not by default)

[jhrozek]

@eleftherias I think you fixed this didn't you?

[eleftherias]

@jhrozek No, I don't think so. The fix I had done was about not commenting a new version on PR when no fixed version exists, but I didn't change the review status.

[evankanderson]

@ethomson -- we're not sure if this hits the "beta quality bar" list or not

[ethomson]

I think that it's okay to keep it as "changes requested" - that makes sense within the context of what we're doing (we found a vulnerability, we don't want you to check in a vulnerability, changes requested makes a certain amount of sense). I do think that we should update the verbiage.

Minder found vulnerable dependencies in this PR. Either push an updated version or accept the proposed changes. Note that accepting the changes will include Minder as a co-author of this PR.

Given this, I think yes for beta. If we do propose a change, then let's keep this guidance 👆

If we cannot propose a change, let's make the verbiage make sense:

Minder found vulnerable dependencies in this PR, but could not find a new version of the dependency that is not vulnerable. Please push an updated version.

[evankanderson]

This looks like we need to change the verbiage on the warning.

[eleftherias]

We should consider making this configurable, some users may want a warning.

[eleftherias]

Closing in favour of https://github.com/mindersec/minder-rules-and-profiles/issues/274 in minder-rules-and-profiles.