
Operational vulnerabilities fail to load: Cannot return null for non-nullable field Vulnerability.identifiers

Summary

Operational vulnerabilities are currently failing to load with this error from GraphQL: Cannot return null for non-nullable field Vulnerability.identifiers

Steps to reproduce

  1. Go to https://gitlab.com/gitlab-org/protect/demos/agent-cluster-image-scanning-demo/-/security/vulnerability_report/?tab=OPERATIONAL
  2. Report fails to load with error:

[Screenshot: Screen_Shot_2022-07-05_at_1.01.39_PM]

Query:

query projectVulnerabilities($fullPath: ID!, $before: String, $after: String, $first: Int = 20, $last: Int, $severity: [VulnerabilitySeverity!], $reportType: [VulnerabilityReportType!], $scanner: [String!], $scannerId: [VulnerabilitiesScannerID!], $state: [VulnerabilityState!], $sort: VulnerabilitySort, $hasIssues: Boolean, $hasResolution: Boolean, $includeExternalIssueLinks: Boolean = false, $vetEnabled: Boolean = false, $clusterAgentId: [ClustersAgentID!]) {
  project(fullPath: $fullPath) {
    id
    vulnerabilities(
      before: $before
      after: $after
      first: $first
      last: $last
      severity: $severity
      reportType: $reportType
      scanner: $scanner
      scannerId: $scannerId
      state: $state
      sort: $sort
      hasIssues: $hasIssues
      hasResolution: $hasResolution
      clusterAgentId: $clusterAgentId
    ) {
      nodes {
        ...VulnerabilityFragment
        externalIssueLinks @include(if: $includeExternalIssueLinks) {
          nodes {
            id
            issue: externalIssue {
              externalTracker
              webUrl
              title
              iid: relativeReference
              __typename
            }
            __typename
          }
          __typename
        }
        hasSolutions
        mergeRequest {
          id
          webUrl
          state
          securityAutoFix
          iid
          __typename
        }
        __typename
      }
      pageInfo {
        ...PageInfo
        __typename
      }
      __typename
    }
    __typename
  }
}

fragment VulnerabilityFragment on Vulnerability {
  id
  title
  state
  severity
  detectedAt
  vulnerabilityPath
  resolvedOnDefaultBranch
  userNotesCount
  falsePositive @include(if: $vetEnabled)
  issueLinks {
    nodes {
      id
      issue {
        id
        iid
        webUrl
        webPath
        title
        state
        __typename
      }
      __typename
    }
    __typename
  }
  identifiers {
    externalType
    name
    __typename
  }
  location {
    ...VulnerabilityLocation
    __typename
  }
  project {
    id
    nameWithNamespace
    __typename
  }
  reportType
  scanner {
    id
    vendor
    __typename
  }
  __typename
}

fragment VulnerabilityLocation on VulnerabilityLocation {
  ... on VulnerabilityLocationClusterImageScanning {
    image
    kubernetesResource {
      agent {
        id
        name
        webPath
        __typename
      }
      __typename
    }
    __typename
  }
  ... on VulnerabilityLocationContainerScanning {
    image
    __typename
  }
  ... on VulnerabilityLocationDependencyScanning {
    blobPath
    file
    __typename
  }
  ... on VulnerabilityLocationSast {
    blobPath
    file
    startLine
    __typename
  }
  ... on VulnerabilityLocationSecretDetection {
    blobPath
    file
    startLine
    __typename
  }
  ... on VulnerabilityLocationDast {
    path
    __typename
  }
  __typename
}

fragment PageInfo on PageInfo {
  hasNextPage
  hasPreviousPage
  startCursor
  endCursor
  __typename
}

Response:

[{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilitySeveritiesCount": {
        "critical": 0,
        "high": 0,
        "info": 0,
        "low": 2,
        "medium": 0,
        "unknown": 0,
        "__typename": "VulnerabilitySeveritiesCount"
      },
      "__typename": "Project"
    }
  }
}, {
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilitySeveritiesCount": {
        "critical": 0,
        "high": 1,
        "info": 0,
        "low": 12,
        "medium": 0,
        "unknown": 0,
        "__typename": "VulnerabilitySeveritiesCount"
      },
      "__typename": "Project"
    }
  }
}, {
  "data": {
    "project": {
      "id": "gid://gitlab/Project/31048485",
      "vulnerabilities": {
        "nodes": [null, null, null, null, null, null, null, null, null, null, null, null, null],
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "eyJzZXZlcml0eSI6ImhpZ2giLCJ2dWxuZXJhYmlsaXR5X2lkIjoiMjIwODcwMTkifQ",
          "endCursor": "eyJzZXZlcml0eSI6ImxvdyIsInZ1bG5lcmFiaWxpdHlfaWQiOiIyMjA4NjkyOCJ9",
          "__typename": "PageInfo"
        },
        "__typename": "VulnerabilityConnection"
      },
      "__typename": "Project"
    }
  },
  "errors": [{
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }, {
    "message": "Cannot return null for non-nullable field Vulnerability.identifiers"
  }]
}]

What is the current bug behavior?

The Operational tab of the vulnerability report never renders. In the response above the severity counts still come back, but all 13 entries of `vulnerabilities.nodes` are `null`, one per `Cannot return null for non-nullable field Vulnerability.identifiers` error: `identifiers` is declared non-null in the schema, so when it resolves to null GraphQL discards the enclosing `Vulnerability` node instead of returning a partial record.

What is the expected correct behavior?

Operational vulnerabilities should show on the vulnerability report.


Possible fixes

  • Remove operational vulnerabilities (report_type 7, cluster_image_scanning, and 99, generic, the two operational report types) that have no finding assigned. The following query lists them:
SELECT v.* FROM vulnerabilities v WHERE v."report_type" IN (7, 99) AND NOT EXISTS (SELECT 1 FROM vulnerability_occurrences f WHERE f."vulnerability_id" = v."id");
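The query above only finds the orphaned rows. As an added example (not from this issue or from the GitLab code base), the PostgreSQL statements below turn it into a cleanup: a dry-run count, a bounded batched delete that re-checks the orphan condition at delete time, and a final verification. Table and column names are taken from the issue's query; the batch size of 1000 and the assumption that rows in dependent tables (issue links and similar) either cascade on delete or are handled separately by the migration are mine.

```sql
-- Added example, not GitLab's own migration code.
-- Assumes PostgreSQL and the tables/columns named in the issue's query.

-- 1. Dry run: how many operational vulnerabilities (report_type 7 and 99)
--    have no finding row in vulnerability_occurrences pointing at them?
SELECT v.report_type, COUNT(*) AS orphaned
FROM vulnerabilities v
WHERE v.report_type IN (7, 99)
  AND NOT EXISTS (
    SELECT 1 FROM vulnerability_occurrences f
    WHERE f.vulnerability_id = v.id
  )
GROUP BY v.report_type;

-- 2. Delete in bounded batches so a large table never sits inside one
--    long-running transaction. Re-run until RETURNING yields no rows.
--    The orphan condition is evaluated again when each batch is selected,
--    so a vulnerability that gained a finding after the dry run is kept.
--    Assumption: dependent rows cascade on delete or are cleaned up
--    separately; otherwise this DELETE fails on a foreign-key violation.
WITH batch AS (
  SELECT v.id
  FROM vulnerabilities v
  WHERE v.report_type IN (7, 99)
    AND NOT EXISTS (
      SELECT 1 FROM vulnerability_occurrences f
      WHERE f.vulnerability_id = v.id
    )
  ORDER BY v.id
  LIMIT 1000                      -- batch size is an assumption
)
DELETE FROM vulnerabilities v
USING batch
WHERE v.id = batch.id
RETURNING v.id, v.report_type;

-- 3. Verify: the issue's query must now return zero rows, which is the
--    condition under which every Vulnerability.identifiers resolves.
SELECT COUNT(*) AS remaining
FROM vulnerabilities v
WHERE v.report_type IN (7, 99)
  AND NOT EXISTS (
    SELECT 1 FROM vulnerability_occurrences f
    WHERE f.vulnerability_id = v.id
  );
```

Run step 1 first and keep its output: it is the only record of what will be removed, since a finding-less vulnerability cannot be opened in the UI to inspect it afterwards. Step 3 must report `remaining = 0` before the Operational tab is expected to load again.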

Implementation plan

  • backend: prepare a background migration that removes operational vulnerabilities without an assigned finding.
Edited by Dominic Bauer