Cannot return null for non-nullable field VulnerabilityStateTransitionType.author
Summary
Querying GraphQL for securityReportFinding(uuid: "b9acac57-f917-557d-9f58-84eaad6ec759")
returns an error message: "Cannot return null for non-nullable field VulnerabilityStateTransitionType.author".
Originally discovered when investigating a question from @sam.white in an internal Slack thread.
Steps to reproduce
- Get access to the example project
- Use https://gitlab.com/-/graphql-explorer with the query below
- Run query
GraphQL Query
```graphql
query Foo {
  project(fullPath: "gitlab-examples/wayne-enterprises/wayne-financial/simple-notes-demo") {
    id
    pipeline(iid: 610) {
      id
      securityReportFinding(uuid: "b9acac57-f917-557d-9f58-84eaad6ec759") {
        id: uuid
        stateComment
        dismissedAt
        dismissedBy {
          id
          name
          username
          webUrl
          __typename
        }
        mergeRequest {
          id
          iid
          webUrl
          createdAt
          author {
            id
            name
            username
            webUrl
            __typename
          }
          __typename
        }
        issueLinks {
          nodes {
            id
            linkType
            issue {
              id
              iid
              webUrl
              createdAt
              author {
                id
                name
                username
                webUrl
                __typename
              }
              __typename
            }
            __typename
          }
          __typename
        }
        vulnerability {
          id
          stateTransitions(last: 1) {
            nodes {
              author {
                id
                name
                username
                webUrl
                __typename
              }
              createdAt
              comment
              toState
              __typename
            }
            __typename
          }
          __typename
        }
        __typename
      }
      __typename
    }
    __typename
  }
}
```
Response
```json
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/40966370",
      "pipeline": {
        "id": "gid://gitlab/Ci::Pipeline/875270016",
        "securityReportFinding": {
          "id": "b9acac57-f917-557d-9f58-84eaad6ec759",
          "stateComment": null,
          "dismissedAt": null,
          "dismissedBy": null,
          "mergeRequest": null,
          "issueLinks": {
            "nodes": [],
            "__typename": "VulnerabilityIssueLinkConnection"
          },
          "vulnerability": {
            "id": "gid://gitlab/Vulnerability/68068534",
            "stateTransitions": {
              "nodes": [
                null
              ],
              "__typename": "VulnerabilityStateTransitionTypeConnection"
            },
            "__typename": "Vulnerability"
          },
          "__typename": "PipelineSecurityReportFinding"
        },
        "__typename": "Pipeline"
      },
      "__typename": "Project"
    }
  },
  "errors": [
    {
      "message": "Cannot return null for non-nullable field VulnerabilityStateTransitionType.author"
    }
  ]
}
```
Example Project
See above. I noticed the error when looking at the MR security widget in https://gitlab.com/gitlab-examples/wayne-enterprises/wayne-financial/simple-notes-demo/-/merge_requests/44. Clicking on the "Fixed" occurrence of CVE-2021-4044 opens a modal with the following error at the bottom: "Something went wrong while fetching the finding. Please try again later."
What is the current bug behavior?
The response includes an error
```json
"errors": [
  {
    "message": "Cannot return null for non-nullable field VulnerabilityStateTransitionType.author"
  }
]
```
What is the expected correct behavior?
No errors in response.
Possible fixes
Given that this field does not currently have a not null constraint in the database, and that our GraphQL API style guide for nullable fields says:

> In general, you should prefer using nullable fields to non-nullable ones

We should just set this to `null: true`.

- Modify `ee/app/graphql/types/vulnerability/state_transition_type.rb` and set `null: true` on the `:author` field.
- There are other fields in the same file with `null: false`: `:from_state`, `:to_state` and `:created_at`. Consider updating some / all of these at the same time if appropriate.
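
Why the response above carries `"nodes": [null]` next to the error, and what `null: true` on `:author` changes, shown as an added example (not GitLab or graphql-ruby code): a simplified Ruby model of GraphQL's null propagation. The `User` type, its `username` field and the sample row are assumptions constructed for illustration.

```ruby
# Simplified model of GraphQL null propagation; not graphql-ruby or GitLab code.
class NullViolation < StandardError; end

# Field table: type name => { field => { type: nested type or nil, null: nullable? } }.
# 'User' and 'username' are placeholders for the author's object type.
def schema(author_null:)
  {
    'VulnerabilityStateTransitionType' => {
      'author'    => { type: 'User', null: author_null },
      'toState'   => { type: nil, null: false },
      'createdAt' => { type: nil, null: false }
    },
    'User' => { 'username' => { type: nil, null: false } }
  }
end

# Resolve one object. A nil in a non-nullable field raises, and the failure
# travels upward until a nullable position absorbs it and records the error.
def resolve_object(schema, type_name, obj, errors)
  schema.fetch(type_name).each_with_object({}) do |(name, defn), out|
    value = obj[name]
    begin
      value = resolve_object(schema, defn[:type], value, errors) if defn[:type] && !value.nil?
      raise NullViolation, "Cannot return null for non-nullable field #{type_name}.#{name}" if value.nil? && !defn[:null]
    rescue NullViolation => e
      raise unless defn[:null] # non-nullable field: keep bubbling to the parent
      errors << { 'message' => e.message }
      value = nil
    end
    out[name] = value
  end
end

# Connection nodes are nullable list items: a failed node becomes nil in place.
def resolve_nodes(schema, rows)
  errors = []
  nodes = rows.map do |row|
    resolve_object(schema, 'VulnerabilityStateTransitionType', row, errors)
  rescue NullViolation => e
    errors << { 'message' => e.message }
    nil
  end
  { 'nodes' => nodes, 'errors' => errors }
end

# Constructed row: a state transition stored without an author.
ROWS = [{ 'author' => nil, 'toState' => 'RESOLVED', 'createdAt' => '2023-01-01T00:00:00Z' }].freeze
```

With `author_null: false` the whole node is replaced by `nil` and `toState` and `createdAt` are lost with it; with `author_null: true` the node is returned with `author` set to `nil` and no error.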