Personal Security Dashboard "Vulnerabilities over time" empty statistics

Summary

Issue created based on an internal discussion on Slack.

The "Vulnerabilities over time" graph does not show any statistics for the personal Security Dashboard.

By comparison, the Group Security Dashboard shows the correct statistics in the "Vulnerabilities over time" graph.

The vulnerabilitiesCountByDay field in the instanceVulnerabilityHistory response is returning null:

{"data":{"vulnerabilitiesCountByDay":null}}

Investigation

The vulnerabilities are accessed via the vulnerabilities field of the instanceVulnerabilityHistory query:

query instanceVulnerabilityHistory {
  vulnerabilities {
    nodes {
      id
    }
  }
}

I can reproduce the aggregated output the GraphQL resolver returns in the Rails console if I ensure the vulnerable variable is of InstanceSecurityDashboard type:

irb(main):001:0> current_user = User.find(1)
irb(main):003:0> vulnerable = ::InstanceSecurityDashboard.new(current_user)
irb(main):024:0>   vulnerable.vulnerability_historical_statistics.grouped_by_date.aggregated_by_date.index_by(&:date).then { |calendar_entries| pp  calendar_entries }
{Mon, 24 Jul 2023=>
  #<Vulnerabilities::HistoricalStatistic:0x00007fb8a267fbf8
   id: nil,
   total: 22,
   critical: 1,
   high: 9,
   medium: 10,
   low: 2,
   unknown: 0,
   info: 0,
   date: Mon, 24 Jul 2023>}
=>
{Mon, 24 Jul 2023=>
  #<Vulnerabilities::HistoricalStatistic:0x00007fb8a267fbf8
   id: nil,
   total: 22,
   critical: 1,
   high: 9,
   medium: 10,
   low: 2,
   unknown: 0,
   info: 0,
   date: Mon, 24 Jul 2023>}

The problem could be that vulnerable is nil, so [] is returned: https://gitlab.com/gitlab-org/gitlab/-/blob/3ed985afff1c54c4d1d9f838d9ef940d4ddb80f7/ee/app/graphql/resolvers/vulnerabilities_base_resolver.rb#L22-29
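To make the two behaviours side by side concrete, here is an added, self-contained Ruby model of the path discussed above. It is illustrative code, not GitLab's: PersonalDashboard is a hypothetical stand-in for InstanceSecurityDashboard, the sample rows are constructed (one historical statistic row per tracked project and day is an assumption), and vulnerabilities_count_by_day only mirrors the shape of the resolver guard the issue links to (nil vulnerable returns an empty array, which the API renders as null). The two tracked projects are chosen so that the 24 Jul totals match the console output above (22 total, 1 critical, 9 high, 10 medium, 2 low); the untracked project 3 must never reach the chart.

```ruby
require 'date'

# Shape of one Vulnerabilities::HistoricalStatistic row, reduced to the columns
# printed in the console output above. project_id is an assumption added so the
# dashboard can scope rows to tracked projects.
HistoricalStatistic = Struct.new(
  :project_id, :date, :total, :critical, :high, :medium, :low, :unknown, :info,
  keyword_init: true
)

SEVERITIES = %i[critical high medium low unknown info].freeze

# Constructed sample rows, not real data. Projects 1 and 2 are tracked on the
# personal dashboard; project 3 is not tracked and must be excluded.
SAMPLE_ROWS = [
  HistoricalStatistic.new(project_id: 1, date: Date.new(2023, 7, 24), total: 12,
                          critical: 1, high: 5, medium: 4, low: 2, unknown: 0, info: 0),
  HistoricalStatistic.new(project_id: 2, date: Date.new(2023, 7, 24), total: 10,
                          critical: 0, high: 4, medium: 6, low: 0, unknown: 0, info: 0),
  HistoricalStatistic.new(project_id: 2, date: Date.new(2023, 7, 23), total: 7,
                          critical: 0, high: 3, medium: 4, low: 0, unknown: 0, info: 0),
  HistoricalStatistic.new(project_id: 3, date: Date.new(2023, 7, 24), total: 50,
                          critical: 50, high: 0, medium: 0, low: 0, unknown: 0, info: 0)
].freeze

# Hypothetical stand-in for InstanceSecurityDashboard: scopes the statistics
# to the projects the current user tracks.
class PersonalDashboard
  def initialize(tracked_project_ids)
    @tracked_project_ids = tracked_project_ids
  end

  def vulnerability_historical_statistics(rows)
    rows.select { |row| @tracked_project_ids.include?(row.project_id) }
  end
end

# Plain-Ruby equivalent of grouped_by_date.aggregated_by_date.index_by(&:date):
# one summed row per calendar day, keyed by date, oldest first.
def aggregate_by_date(rows)
  rows.group_by(&:date).sort_by { |date, _| date }.to_h { |date, day_rows|
    sums = SEVERITIES.to_h { |sev| [sev, day_rows.sum(&sev)] }
    [date, HistoricalStatistic.new(project_id: nil, date: date,
                                   total: day_rows.sum(&:total), **sums)]
  }
end

# Stand-in for the resolver guard the issue links to: with no vulnerable object
# it returns [] (rendered as a null vulnerabilitiesCountByDay), otherwise the
# per-day aggregate for that dashboard's tracked projects.
def vulnerabilities_count_by_day(vulnerable, rows = SAMPLE_ROWS)
  return [] if vulnerable.nil?

  aggregate_by_date(vulnerable.vulnerability_historical_statistics(rows)).values
end

if __FILE__ == $PROGRAM_NAME
  vulnerabilities_count_by_day(PersonalDashboard.new([1, 2])).each do |day|
    puts "#{day.date}: total=#{day.total} critical=#{day.critical} " \
         "high=#{day.high} medium=#{day.medium} low=#{day.low}"
  end
  p vulnerabilities_count_by_day(nil)
end
```

Running the file prints one aggregated line per day for the tracked projects and then `[]` for the nil case, which is the difference between the populated group chart and the empty personal one: the data is there, but nothing is aggregated unless the resolver is handed a dashboard object.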

Steps to reproduce

  1. Create a group and a project
  2. Create a CI/CD pipeline with scans that produce vulnerabilities
  3. Wait for the Vulnerabilities::Statistics::ScheduleWorker to run, or run it manually if self-managed
  4. View the group's Security Dashboard and confirm the "Vulnerabilities over time" chart populates
  5. View your personal Security Dashboard.
  6. Track the project that ran the pipeline.
  7. View your personal Security Dashboard again and check the "Vulnerabilities over time" chart

Example Project

What is the current bug behavior?

The "Vulnerabilities over time" chart is empty in the personal Security Dashboard. The instanceVulnerabilityHistory GraphQL operation returns null for vulnerabilitiesCountByDay.

What is the expected correct behavior?

The "Vulnerabilities over time" chart contains the statistics for the tracked projects.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)

(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)

(we will only investigate if the tests are passing)

Possible fixes

Edited Jul 24, 2023 by Michael Trainor