
GlobalAdvisoryScanWorker: undefined method `user' when pipeline is nil

Summary

Advisory scan jobs fail when the pipeline of an Sbom::Occurrence is nil.

See https://new-sentry.gitlab.net/organizations/gitlab/issues/532973

NoMethodError: undefined method `user' for nil:NilClass

        return unless pipeline.user.nil?
                              ^^^^^

Further details

This bug occurs because VulnerabilityScanning::FindingBuilder assumes that an SBOM occurrence always has a pipeline.

See https://gitlab.com/gitlab-org/gitlab/-/blob/6dca74e11269542703f864d1124c10f6aa10a746/ee/lib/gitlab/vulnerability_scanning/finding_builder.rb#L86

      def validate!
        raise ArgumentError, 'Missing sbom source argument' if sbom_source.nil?

        # `pipeline` is never checked for nil here, so a pipeline-less occurrence
        # raises NoMethodError instead of a recoverable ArgumentError.
        return unless pipeline.user.nil?

        raise ArgumentError, 'Pipeline must have a corresponding user to use as vulnerability author'
      end

However, advisory scans rely on an ActiveRecord scope that doesn't filter out SBOM occurrences that don't have a pipeline.

See https://gitlab.com/gitlab-org/gitlab/-/blob/3ae195da5d22d5554e484022934d92120c2ea0c8/ee/app/models/sbom/occurrence.rb#L104

    scope :with_component_source_version_project_and_pipeline, -> do
      includes(:component, :source, :component_version, :project).preload(:pipeline)
    end

SBOM occurrences don't necessarily have a pipeline. See DB schema.

Steps to reproduce

Example Project

This has occurred at least once on production. See https://new-sentry.gitlab.net/organizations/gitlab/issues/532973

What is the current bug behavior?

The scanning job fails.

What is the expected correct behavior?

The error is recovered, and the scanning job continues.


Possible fixes

  • Update FindingBuilder#validate! to raise a recoverable ArgumentError when there is no pipeline. This check must come before pipeline.user is accessed.

       def validate!
         raise ArgumentError, 'Missing sbom source argument' if sbom_source.nil?

         raise ArgumentError, 'SBOM occurrence must have a pipeline' if pipeline.nil?

         return unless pipeline.user.nil?

         raise ArgumentError, 'Pipeline must have a corresponding user to use as vulnerability author'
       end

  • Update the finder and/or the scope it relies on to exclude SBOM occurrences that don't have pipelines. However, this wouldn't be consistent with what's been implemented in GlobalAdvisoryScanWorker: undefined method `inp... (#432875 - closed) and with how errors are recovered right now.

Proposal

Update the FindingBuilder#validate! to raise a recoverable ArgumentError when there is no pipeline.
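The following is an added, stand-alone sketch of the proposed change, not GitLab's own code: a FindingBuilder whose validate! guards against a nil pipeline before touching pipeline.user, plus a scan loop that rescues the ArgumentError for one occurrence and keeps processing the rest (the expected behaviour described above). The Pipeline, User and Occurrence structs, the `scan` helper and the sample occurrences are constructed stand-ins for the ActiveRecord models and the worker, and are assumptions of this example.

```ruby
# Added example (not GitLab's code). Struct stand-ins for the ActiveRecord
# models; `source` stands in for the SBOM source association.
Pipeline   = Struct.new(:id, :user)
User       = Struct.new(:id, :username)
Occurrence = Struct.new(:id, :pipeline, :source)

class FindingBuilder
  def initialize(occurrence:)
    @occurrence = occurrence
  end

  # Proposed validation order: check the SBOM source, then guard against a
  # missing pipeline *before* dereferencing pipeline.user, then check the user.
  def validate!
    raise ArgumentError, 'Missing sbom source argument' if sbom_source.nil?
    raise ArgumentError, 'SBOM occurrence must have a pipeline' if pipeline.nil?
    return unless pipeline.user.nil?

    raise ArgumentError, 'Pipeline must have a corresponding user to use as vulnerability author'
  end

  # Returns a minimal finding hash once validation passes.
  def build
    validate!
    { occurrence_id: @occurrence.id, author_id: pipeline.user.id }
  end

  private

  def pipeline
    @occurrence.pipeline
  end

  def sbom_source
    @occurrence.source
  end
end

# Hypothetical scan loop: an ArgumentError raised for one occurrence is
# recorded and skipped so the remaining occurrences are still processed.
def scan(occurrences)
  findings = []
  skipped = []
  occurrences.each do |occurrence|
    begin
      findings << FindingBuilder.new(occurrence: occurrence).build
    rescue ArgumentError => e
      skipped << "occurrence #{occurrence.id}: skipped (#{e.message})"
    end
  end
  { findings: findings, skipped: skipped }
end

# Constructed sample input: one healthy occurrence, one without a pipeline
# (the production case from the Sentry report), one whose pipeline has no user.
SAMPLE_OCCURRENCES = [
  Occurrence.new(1, Pipeline.new(10, User.new(100, 'alice')), 'sbom-source'),
  Occurrence.new(2, nil, 'sbom-source'),
  Occurrence.new(3, Pipeline.new(11, nil), 'sbom-source')
].freeze

if $PROGRAM_NAME == __FILE__
  result = scan(SAMPLE_OCCURRENCES)
  puts "built #{result[:findings].size} finding(s), skipped #{result[:skipped].size}"
  result[:skipped].each { |line| puts line }
end
```

With the guard in place the pipeline-less occurrence is reported as a skipped ArgumentError rather than crashing the job with NoMethodError, and the occurrence with a valid pipeline and user still produces a finding.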

Implementation plan

Edited by Aditya Tiwari