Operational vulnerabilities fail to load: Cannot return null for non-nullable field Vulnerability.identifiers
Summary
Operational vulnerabilities are currently failing to load with this error from GraphQL: `Cannot return null for non-nullable field Vulnerability.identifiers`
Steps to reproduce
- Go to https://gitlab.com/gitlab-org/protect/demos/agent-cluster-image-scanning-demo/-/security/vulnerability_report/?tab=OPERATIONAL
- The report fails to load with the error shown below (query and response as captured):
Query:

```graphql
query projectVulnerabilities($fullPath: ID!, $before: String, $after: String, $first: Int = 20, $last: Int, $severity: [VulnerabilitySeverity!], $reportType: [VulnerabilityReportType!], $scanner: [String!], $scannerId: [VulnerabilitiesScannerID!], $state: [VulnerabilityState!], $sort: VulnerabilitySort, $hasIssues: Boolean, $hasResolution: Boolean, $includeExternalIssueLinks: Boolean = false, $vetEnabled: Boolean = false, $clusterAgentId: [ClustersAgentID!]) {
  project(fullPath: $fullPath) {
    id
    vulnerabilities(
      before: $before
      after: $after
      first: $first
      last: $last
      severity: $severity
      reportType: $reportType
      scanner: $scanner
      scannerId: $scannerId
      state: $state
      sort: $sort
      hasIssues: $hasIssues
      hasResolution: $hasResolution
      clusterAgentId: $clusterAgentId
    ) {
      nodes {
        ...VulnerabilityFragment
        externalIssueLinks @include(if: $includeExternalIssueLinks) {
          nodes {
            id
            issue: externalIssue {
              externalTracker
              webUrl
              title
              iid: relativeReference
              __typename
            }
            __typename
          }
          __typename
        }
        hasSolutions
        mergeRequest {
          id
          webUrl
          state
          securityAutoFix
          iid
          __typename
        }
        __typename
      }
      pageInfo {
        ...PageInfo
        __typename
      }
      __typename
    }
    __typename
  }
}

fragment VulnerabilityFragment on Vulnerability {
  id
  title
  state
  severity
  detectedAt
  vulnerabilityPath
  resolvedOnDefaultBranch
  userNotesCount
  falsePositive @include(if: $vetEnabled)
  issueLinks {
    nodes {
      id
      issue {
        id
        iid
        webUrl
        webPath
        title
        state
        __typename
      }
      __typename
    }
    __typename
  }
  identifiers {
    externalType
    name
    __typename
  }
  location {
    ...VulnerabilityLocation
    __typename
  }
  project {
    id
    nameWithNamespace
    __typename
  }
  reportType
  scanner {
    id
    vendor
    __typename
  }
  __typename
}

fragment VulnerabilityLocation on VulnerabilityLocation {
  ... on VulnerabilityLocationClusterImageScanning {
    image
    kubernetesResource {
      agent {
        id
        name
        webPath
        __typename
      }
      __typename
    }
    __typename
  }
  ... on VulnerabilityLocationContainerScanning {
    image
    __typename
  }
  ... on VulnerabilityLocationDependencyScanning {
    blobPath
    file
    __typename
  }
  ... on VulnerabilityLocationSast {
    blobPath
    file
    startLine
    __typename
  }
  ... on VulnerabilityLocationSecretDetection {
    blobPath
    file
    startLine
    __typename
  }
  ... on VulnerabilityLocationDast {
    path
    __typename
  }
  __typename
}

fragment PageInfo on PageInfo {
  hasNextPage
  hasPreviousPage
  startCursor
  endCursor
  __typename
}
```
Response (a batch of three results; the third carries the vulnerability list, where every node comes back as `null` with one error per node):

```json
[{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilitySeveritiesCount": {
        "critical": 0,
        "high": 0,
        "info": 0,
        "low": 2,
        "medium": 0,
        "unknown": 0,
        "__typename": "VulnerabilitySeveritiesCount"
      },
      "__typename": "Project"
    }
  }
}, {
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilitySeveritiesCount": {
        "critical": 0,
        "high": 1,
        "info": 0,
        "low": 12,
        "medium": 0,
        "unknown": 0,
        "__typename": "VulnerabilitySeveritiesCount"
      },
      "__typename": "Project"
    }
  }
}, {
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilities": {
        "nodes": [null, null, null, null, null, null, null, null, null, null, null, null, null],
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "eyJzZXZlcml0eSI6ImhpZ2giLCJ2dWxuZXJhYmlsaXR5X2lkIjoiMjIwODcwMTkifQ",
          "endCursor": "eyJzZXZlcml0eSI6ImxvdyIsInZ1bG5lcmFiaWxpdHlfaWQiOiIyMjA4NjkyOCJ9",
          "__typename": "PageInfo"
        },
        "__typename": "VulnerabilityConnection"
      },
      "__typename": "Project"
    }
  },
  "errors": [{
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }]
}]
```
What is the current bug behavior?
Operational vulnerabilities are not displayed; the report fails to load with the GraphQL error above.
What is the expected correct behavior?
Operational vulnerabilities should show on the vulnerability report.
Possible fixes
- Remove operational vulnerabilities (`report_type = 7`, `cluster_image_scanning`) that have no finding assigned:

```sql
SELECT * FROM vulnerabilities v
WHERE v."report_type" IN (7, 99)
  AND NOT EXISTS (SELECT FROM vulnerability_occurrences f WHERE f."vulnerability_id" = v."id");
```
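The following script is an added example, not code from this issue or from GitLab. On a constructed SQLite dataset with a deliberately simplified schema it models both halves of the report: the GraphQL null-propagation that turns every finding-less `Vulnerability` into a `null` node plus one error (the pattern in the response above), and the orphan query and cleanup proposed as the fix. Only the table names `vulnerabilities` and `vulnerability_occurrences` and the columns `report_type` and `vulnerability_id` come from the issue; every other column and value is an assumption.

```python
import sqlite3

CLUSTER_IMAGE_SCANNING = 7  # report_type of operational (cluster image scanning) vulnerabilities
GENERIC = 99                # second value in the issue's IN (7, 99) clause
NON_NULL_ERROR = "Cannot return null for non-nullable field Vulnerability.identifiers"
ORPHAN_FILTER = """v."report_type" IN (?, ?) AND NOT EXISTS
    (SELECT 1 FROM vulnerability_occurrences f WHERE f."vulnerability_id" = v."id")"""

def build_db():
    """Constructed sample data on a simplified schema: vulnerability 3 is
    operational but has no finding row, like the records behind the issue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vulnerabilities (id INTEGER PRIMARY KEY, report_type INTEGER, title TEXT);
        CREATE TABLE vulnerability_occurrences (id INTEGER PRIMARY KEY, vulnerability_id INTEGER, ids TEXT);
        INSERT INTO vulnerabilities VALUES (1, 7, 'vuln with finding'), (2, 7, 'another with finding'),
                                           (3, 7, 'orphan, no finding'), (4, 0, 'non-operational, no finding');
        INSERT INTO vulnerability_occurrences VALUES (10, 1, 'ID-A,ID-B'), (11, 2, 'ID-C');""")
    return conn

def orphaned_operational_ids(conn):
    """The issue's diagnostic query ('SELECT 1' because SQLite rejects a bare SELECT FROM)."""
    sql = f"SELECT v.id FROM vulnerabilities v WHERE {ORPHAN_FILTER} ORDER BY v.id"
    return [r[0] for r in conn.execute(sql, (CLUSTER_IMAGE_SCANNING, GENERIC))]

def resolve_identifiers(conn, vuln_id):
    """Identifiers come from the finding; with no finding the resolver yields None."""
    row = conn.execute("SELECT ids FROM vulnerability_occurrences WHERE vulnerability_id = ?", (vuln_id,)).fetchone()
    return None if row is None else row[0].split(",")

def execute_nodes(conn):
    """GraphQL error handling: a null in non-nullable `identifiers` nulls the whole
    (nullable) Vulnerability node and adds one error per affected node."""
    nodes, errors = [], []
    for vuln_id, title in conn.execute("SELECT id, title FROM vulnerabilities WHERE report_type = ? ORDER BY id",
                                       (CLUSTER_IMAGE_SCANNING,)):
        identifiers = resolve_identifiers(conn, vuln_id)
        if identifiers is None:
            nodes.append(None)
            errors.append({"message": NON_NULL_ERROR})
        else:
            nodes.append({"id": vuln_id, "title": title, "identifiers": identifiers})
    return nodes, errors

def remove_orphans(conn):
    """The proposed fix: delete operational vulnerabilities that have no finding; returns the count."""
    cur = conn.execute(f"DELETE FROM vulnerabilities WHERE id IN (SELECT v.id FROM vulnerabilities v WHERE {ORPHAN_FILTER})",
                       (CLUSTER_IMAGE_SCANNING, GENERIC))
    conn.commit()
    return cur.rowcount
```

Running `execute_nodes` before and after `remove_orphans` shows the nodes list going from a mix of objects and `null` entries with matching errors to a fully populated list with an empty error array.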
Implementation plan
- backend: Prepare background migration to remove operational vulnerabilities without assigned finding,
Edited by Dominic Bauer