GlobalAdvisoryScanWorker: ArgumentError: Pipeline must have a corresponding user to use as vulnerability author


Summary

PackageMetadata::GlobalAdvisoryScanWorker (CVS GA) emits ArgumentError with the following error message:

Pipeline must have a corresponding user to use as vulnerability author

https://new-sentry.gitlab.net/organizations/gitlab/issues/463949/?alert_rule_id=18&alert_type=issue&project=3&referrer=slack

This error is rescued and doesn't prevent the scan of other projects affected by the same security advisory. So far it has only occurred 13 times, although the worker has handled ~20k SBOM occurrences across more than 10k projects. The impact is thus very limited.

The same issue might affect PackageMetadata::AdvisoryScanWorker (CVS XP) as well. This other worker is very similar but it handles fewer projects than PackageMetadata::GlobalAdvisoryScanWorker, and is less likely to trigger the bug.

Further details

The error is raised by the CreateVulnerabilityService when the pipeline in which the SBOM component was detected has no user (pipeline.user is nil), because that user is used as the author of the created vulnerability.

The finder relies on a model scope to fetch SBOM occurrences together with their pipelines; it does not currently load anything that could serve as an alternative author.

Steps to reproduce

Example Project

This has occurred on gitlab.com.

What is the current bug behavior?

Projects that trigger this error are not scanned and don't get vulnerabilities.

What is the expected correct behavior?

All projects get vulnerabilities.

Relevant logs and/or screenshots

https://new-sentry.gitlab.net/organizations/gitlab/issues/463949/?alert_rule_id=18&alert_type=issue&project=3&referrer=slack


Possible fixes

  • Change the finder and the scopes of the Sbom::Occurrence model so that they also fetch the author of the commit, and use that author as a fallback when the pipeline has no user. The commit is referenced by the commit_sha attribute of the Sbom::Occurrence model. Note that a commit's author email does not necessarily map to a GitLab user, so the fallback can still fail and the "no author" case still has to be handled.
  • Document this limitation and/or report an error in the UI.
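The fallback described in the first bullet, written out as an added example. This is not GitLab's code: the resolver, the FakeRepo lookup and the Struct-based stand-ins for Ci::Pipeline, Sbom::Occurrence, Commit and User are all hypothetical, and the sample occurrences are constructed. It keeps the production error message when neither the pipeline user nor a user matching the commit author can be found, and shows a worker-style loop that records that failure instead of aborting the remaining occurrences.

```ruby
# Added example (not GitLab's code): resolve the vulnerability author from the
# pipeline user first, then from the author of the commit recorded on the
# SBOM occurrence, as proposed under "Possible fixes".

# Constructed test doubles; the real models are ActiveRecord-backed.
User       = Struct.new(:id, :email, keyword_init: true)
Commit     = Struct.new(:sha, :author_email, keyword_init: true)
Pipeline   = Struct.new(:id, :user, keyword_init: true)
Occurrence = Struct.new(:id, :pipeline, :commit_sha, keyword_init: true)

# Hypothetical in-memory stand-in for the repository commit lookup and the
# user-by-email lookup that a real fallback would perform.
class FakeRepo
  def initialize(commits:, users:)
    @commits = commits.to_h { |c| [c.sha, c] }
    @users   = users.to_h { |u| [u.email, u] }
  end

  def commit(sha)
    @commits[sha]
  end

  def user_by_email(email)
    @users[email]
  end
end

class VulnerabilityAuthorResolver
  # Same message as the production ArgumentError reported in this issue.
  MISSING_AUTHOR = 'Pipeline must have a corresponding user to use as vulnerability author'

  def initialize(repo)
    @repo = repo
  end

  # Preference order: pipeline user, then the user whose email matches the
  # author of occurrence.commit_sha, then nil (author email may match no account).
  def resolve(occurrence)
    pipeline_user = occurrence.pipeline&.user
    return pipeline_user if pipeline_user

    commit = occurrence.commit_sha && @repo.commit(occurrence.commit_sha)
    return nil unless commit

    @repo.user_by_email(commit.author_email)
  end

  # Raising variant used by the worker loop below.
  def resolve!(occurrence)
    resolve(occurrence) || raise(ArgumentError, MISSING_AUTHOR)
  end
end

# Worker-style loop: one occurrence without a resolvable author is recorded
# and does not stop the remaining occurrences from being processed.
def scan_authors(resolver, occurrences)
  resolved = {}
  failed   = {}
  occurrences.each do |occ|
    begin
      resolved[occ.id] = resolver.resolve!(occ).id
    rescue ArgumentError => e
      failed[occ.id] = e.message
    end
  end
  [resolved, failed]
end

# Constructed sample: one occurrence with a pipeline user, one that falls back
# to the commit author, one whose commit author matches no user.
def sample_scan
  alice = User.new(id: 1, email: 'alice@example.com')
  bob   = User.new(id: 2, email: 'bob@example.com')
  repo  = FakeRepo.new(
    commits: [Commit.new(sha: 'a' * 40, author_email: 'bob@example.com'),
              Commit.new(sha: 'c' * 40, author_email: 'nobody@example.com')],
    users:   [alice, bob]
  )
  occurrences = [
    Occurrence.new(id: 10, pipeline: Pipeline.new(id: 100, user: alice), commit_sha: 'a' * 40),
    Occurrence.new(id: 11, pipeline: Pipeline.new(id: 101, user: nil),   commit_sha: 'a' * 40),
    Occurrence.new(id: 12, pipeline: Pipeline.new(id: 102, user: nil),   commit_sha: 'c' * 40)
  ]
  scan_authors(VulnerabilityAuthorResolver.new(repo), occurrences)
end

if __FILE__ == $PROGRAM_NAME
  resolved, failed = sample_scan
  puts "resolved: #{resolved.inspect}"
  puts "failed:   #{failed.inspect}"
end
```

Occurrence 12 still ends up in `failed`, which is the case the second bullet (document the limitation or surface an error in the UI) has to cover even after the commit-author fallback is in place.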