Update design doc to include VULNERABILITY_RETRACTED notification

nscuro · nscuro · commit a52ff593d009 · 2026-02-25T20:25:35.000+01:00
Signed-off-by: nscuro &lt;nscuro@protonmail.com&gt;
diff --git a/docs/architecture/design/vulnerability-analysis.md b/docs/architecture/design/vulnerability-analysis.md
@@ -429,12 +429,15 @@ applied analysis state is reset to defaults.
 
 The following notifications can be emitted during reconciliation:
 
-* `NEW_VULNERABILITY`: For each newly created finding.
+* `NEW_VULNERABILITY`: For each newly created finding, and for findings that become
+  active again after previously being inactive (see [Finding Attributions](#finding-attributions)).
+* `VULNERABILITY_RETRACTED`: When a finding becomes inactive, i.e. all its attributions
+  have been soft-deleted and no analyzer reports it anymore.
 * `NEW_VULNERABLE_DEPENDENCY`: When a BOM upload introduces new components that have
   existing vulnerabilities. The BOM upload trigger stores a context file containing the IDs
   of newly added components. During reconciliation, if the context file is present,
   components from that list that ended up with findings trigger this notification.
-* `PROJECT_AUDIT_CHANGE`: When a policy evaluation changes the analysis state or 
+* `PROJECT_AUDIT_CHANGE`: When a policy evaluation changes the analysis state or
   suppression of an existing finding.
 * `ANALYZER_ERROR`: For each analyzer that failed during invocation.
 
