500 error on dependencies API
Summary
500 error when accessing https://gitlab.com/api/v4/projects/.../dependencies
REST API
Sentry error: https://new-sentry.gitlab.net/organizations/gitlab/issues/394689/events/d930d4bb28d74c28b47e4e8de4d3e0ef/?project=3
Steps to reproduce
Not sure how to reproduce, but it's happening on https://gitlab.com/api/v4/projects/gitlab-org%2fsecurity-products%2fanalyzers%2fgemnasium/dependencies.
It looks like this is the culprit code:

```ruby
vuln_params = { name: vulnerabilities['name'], severity: vulnerabilities['severity'].downcase }
```

`vulnerabilities['severity']` doesn't have method `downcase` because it's `nil`.
Possible fixes
With the addition of "Add service to create vulnerabilities for conti..." (!128170 - merged, Oscar Tovar, 16.4), there can be `Vulnerabilities::Finding` records with the `severity` column set but without it being set as part of the `metadata` column, which causes the error here.
The following example was extracted from production:

```
[ gprd ] production> Vulnerabilities::Finding.find(1984925548).metadata['severity']
=> nil
[ gprd ] production> Vulnerabilities::Finding.find(1984925548)['severity']
=> "high"
```
One possible solution is to add `severity` to `additional_attrs`, to make sure it is set by the time it reaches the formatter. In addition, the safe navigation operator (`&.`) could be added as follows:
--- a/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
@@ -38,7 +38,7 @@ def parse_vulnerabilities(report)
next unless dependency
- additional_attrs = { vulnerability_id: finding.vulnerability_id }
+ additional_attrs = { vulnerability_id: finding.vulnerability_id, 'severity' => finding.severity }
additional_attrs['name'] = finding.name unless finding.metadata['name']
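Review bot: the new `'severity' => finding.severity` entry is added unconditionally, whereas the `name` fallback on the next line is only applied `unless finding.metadata['name']`; once `additional_attrs` is merged over the metadata this makes the column value win even when `metadata['severity']` is present, so either mirror the `name` guard (`additional_attrs['severity'] = finding.severity unless finding.metadata['severity']`) or add a comment stating that the column is now the source of truth. The mixed key styles in one hash (`vulnerability_id:` as a symbol, `'severity'` as a string) match the formatter's `vulnerabilities[:vulnerability_id]` and `vulnerabilities['severity']` lookups, but that coupling deserves a comment as well.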
diff --git a/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb b/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
index 2c4714a4806b..d6fa93839c2f 100644
--- a/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
@@ -91,7 +91,7 @@ def formatted_dependency_path(dependency_path)
def formatted_vulnerabilities(vulnerabilities)
return [] if vulnerabilities.blank?
- vuln_params = { name: vulnerabilities['name'], severity: vulnerabilities['severity'].downcase }
+ vuln_params = { name: vulnerabilities['name'], severity: vulnerabilities['severity']&.downcase }
id = vulnerabilities[:vulnerability_id]
standalone_vuln_params = { id: id, url: vulnerability_url(id) }
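Review bot: `&.downcase` turns the `NoMethodError` into `severity: nil` in the API payload, but the expected response in the verification steps lists severities such as `"unknown"`, so consider a defined fallback instead of nil (for example `(vulnerabilities['severity'] || 'unknown').downcase`) or confirm that the serializer and API clients accept a null severity. A spec that builds a finding whose `metadata` lacks `'severity'` would pin down both this guard and the parser change in the first hunk.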
Verification steps
- Navigate to: https://gitlab.com/api/v4/projects/gitlab-org%2fsecurity-products%2fanalyzers%2fgemnasium/dependencies
- Instead of a 500 status, it should return status 200 with dependency data similar to the following:
[
{
"name": "abattis-cantarell-fonts",
"version": "0.0.25",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "abseil",
"version": "20220623.1",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/python:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "acl",
"version": "2.2.53",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/python:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "acl",
"version": "2.3.1",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/python:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "acl",
"version": "2.3.1",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "acl",
"version": "2.2.53",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "acl",
"version": "2.2.53",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "activesupport",
"version": "7.0.7",
"package_manager": "bundler",
"dependency_file_path": "Gemfile.lock",
"vulnerabilities": [
{
"name": "Active Support Possibly Discloses Locally Encrypted Files",
"severity": "unknown",
"id": 91130003,
"url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/security/vulnerabilities/91130003"
}
],
"licenses": [
{
"name": "MIT",
"url": "https://spdx.org/licenses/MIT.html"
}
]
},
{
"name": "addressable",
"version": "2.8.0",
"package_manager": "bundler",
"dependency_file_path": "Gemfile.lock",
"vulnerabilities": [],
"licenses": [
{
"name": "Apache 2.0",
"url": "https://spdx.org/licenses/Apache-2.0.html"
}
]
},
{
"name": "adduser",
"version": "3.134",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/python:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "adduser",
"version": "3.134",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "adwaita-icon-theme",
"version": "3.28.0",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "alpine-baselayout",
"version": "3.4.3-r1",
"package_manager": "alpine:3.18.4 (apk)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "alpine-keys",
"version": "2.4-r1",
"package_manager": "alpine:3.18.4 (apk)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "alsa-lib",
"version": "1.2.8",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/maven:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "aom",
"version": "3.6.0",
"package_manager": "debian:12.2 (apt)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/python:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "apk-tools",
"version": "2.14.0-r2",
"package_manager": "alpine:3.18.4 (apk)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "appdirs",
"version": "1.4.3",
"package_manager": "pip",
"dependency_file_path": "build/gemnasium-python/requirements.txt",
"vulnerabilities": [],
"licenses": [
{
"name": "MIT",
"url": "https://spdx.org/licenses/MIT.html"
}
]
},
{
"name": "apr",
"version": "1.6.3",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
},
{
"name": "apr-util",
"version": "1.6.1",
"package_manager": "redhat:8.8 (yum)",
"dependency_file_path": "container-image:registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:ec18175e3a533e0a8f07b156e577ba1dbe2de0d5-fips",
"vulnerabilities": [],
"licenses": [
{
"name": "unknown",
"url": null
}
]
}
]
Note: there hasn't been any similar failure since the deployment of "Uses non-metadata severity" (!134782 - merged).
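To illustrate the data mismatch described under Possible fixes and the effect of the two proposed changes, here is an added Ruby example; it is not GitLab code. The `Finding` struct, the metadata merge inside the two `build_attrs_*` helpers and the `severities_for` runner are assumptions modelled on the snippets in this issue, and the two sample findings are constructed.

```ruby
# Added example, not GitLab code. Models a Vulnerabilities::Finding whose
# `severity` column is set while its JSON `metadata` column may lack the key,
# and shows what each proposed change does with it.

# Assumed shape of a finding: DB column `severity` plus a string-keyed
# `metadata` hash (the real model is an ActiveRecord class).
Finding = Struct.new(:vulnerability_id, :name, :severity, :metadata)

# Constructed sample data: finding 1 is consistent, finding 2 reproduces the
# production record from the issue (column set, metadata without severity).
FINDINGS = [
  Finding.new(1, "Consistent finding", "high",
              { "name" => "Consistent finding", "severity" => "High" }),
  Finding.new(2, "Column-only severity", "high",
              { "name" => "Column-only severity" })
].freeze

# Parser as it was (assumed): extra attrs merged over the metadata hash.
def build_attrs_original(finding)
  additional_attrs = { vulnerability_id: finding.vulnerability_id }
  additional_attrs["name"] = finding.name unless finding.metadata["name"]
  finding.metadata.merge(additional_attrs)
end

# Parser with the proposed change: the column severity is carried along and,
# because it is merged last, it overrides any severity stored in metadata.
def build_attrs_fixed(finding)
  additional_attrs = { vulnerability_id: finding.vulnerability_id,
                       "severity" => finding.severity }
  additional_attrs["name"] = finding.name unless finding.metadata["name"]
  finding.metadata.merge(additional_attrs)
end

# Formatter as it was: raises NoMethodError when severity is nil.
# (`blank?` from ActiveSupport is replaced by a plain nil/empty check.)
def format_original(vulnerabilities)
  return [] if vulnerabilities.nil? || vulnerabilities.empty?

  { name: vulnerabilities["name"],
    severity: vulnerabilities["severity"].downcase,
    id: vulnerabilities[:vulnerability_id] }
end

# Formatter with the safe navigation operator: nil stays nil instead of raising.
def format_fixed(vulnerabilities)
  return [] if vulnerabilities.nil? || vulnerabilities.empty?

  { name: vulnerabilities["name"],
    severity: vulnerabilities["severity"]&.downcase,
    id: vulnerabilities[:vulnerability_id] }
end

# Runs one parser/formatter combination over the sample findings and returns
# the formatted severity per finding, or the exception class name if it raised.
def severities_for(parser, formatter)
  FINDINGS.map do |finding|
    begin
      method(formatter).call(method(parser).call(finding))[:severity]
    rescue NoMethodError => e
      e.class.name
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "original parser + original formatter: #{severities_for(:build_attrs_original, :format_original).inspect}"
  puts "original parser + fixed formatter:    #{severities_for(:build_attrs_original, :format_fixed).inspect}"
  puts "fixed parser + original formatter:    #{severities_for(:build_attrs_fixed, :format_original).inspect}"
  puts "fixed parser + fixed formatter:       #{severities_for(:build_attrs_fixed, :format_fixed).inspect}"
end
```

Run it with `ruby` and compare the four combinations: only the original parser with the original formatter raises on the second finding; the `&.` guard alone leaves a nil severity in the output, and the parser change alone makes the column value win over whatever severity was stored in `metadata`, which is the precedence question the first hunk should document.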