Shortest path not displayed in vulnerability page

Summary

In the Evidence section of the vulnerability page showing a Dependency Scanning vulnerability with dependency path information,

  • Shortest path has no value.
  • Introduced by package is missing.
  • Vulnerable Package is missing.

Steps to reproduce

Example Project

https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/security/vulnerabilities/4009363

What is the current bug behavior?

  • Shortest path has no value.
  • Introduced by package is missing.
  • Vulnerable Package is missing.

What is the expected correct behavior?

The Evidence section has the following fields along with values:

  • Shortest path
  • Introduced by package
  • Vulnerable Package

Relevant logs and/or screenshots

See https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/security/vulnerabilities/4009363

(Screenshot: Screenshot_2024-01-17_at_11.50.40, the Evidence section with the empty fields)

Here's the vulnerability details field of the corresponding JSON object, extracted from the report:

{
  "details": {
    "introduced_by_package": {
      "type": "text",
      "name": "Introduced by Package",
      "value": "coveralls:3.0.0"
    },
    "shortest_path": {
      "type": "list",
      "name": "Shortest Path",
      "items": [
        {
          "type": "text",
          "value": "coveralls:3.0.0"
        },
        {
          "type": "text",
          "value": "log-driver:1.2.6"
        },
        {
          "type": "text",
          "value": "codecov.io:0.0.1"
        },
        {
          "type": "text",
          "value": "request:2.42.0"
        },
        {
          "type": "text",
          "value": "hawk:1.1.1"
        }
      ]
    },
    "vulnerable_package": {
      "type": "text",
      "name": "Vulnerable Package",
      "value": "cryptiles:0.2.2"
    }
  }
}
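To confirm that the report itself carries the evidence (so the empty fields are a rendering problem, not a scanner problem), here is a small check over that same `details` object. It is an added example written for this issue, not GitLab's own code; it assumes only the two field types shown above (`text` and `list`) and the three keys the Evidence section is expected to display.

```python
# Constructed from the "details" object quoted in the issue above.
REPORT_DETAILS = {
    "introduced_by_package": {"type": "text", "name": "Introduced by Package",
                              "value": "coveralls:3.0.0"},
    "shortest_path": {"type": "list", "name": "Shortest Path", "items": [
        {"type": "text", "value": "coveralls:3.0.0"},
        {"type": "text", "value": "log-driver:1.2.6"},
        {"type": "text", "value": "codecov.io:0.0.1"},
        {"type": "text", "value": "request:2.42.0"},
        {"type": "text", "value": "hawk:1.1.1"},
    ]},
    "vulnerable_package": {"type": "text", "name": "Vulnerable Package",
                           "value": "cryptiles:0.2.2"},
}

# The three evidence fields the vulnerability page is expected to show.
EVIDENCE_KEYS = ("introduced_by_package", "shortest_path", "vulnerable_package")


def render_detail(field):
    """Render one typed detail field as a plain string.

    Only the "text" and "list" types seen in the report are handled
    (assumption: other detail types are out of scope for this check).
    """
    kind = field.get("type")
    if kind == "text":
        return field.get("value", "")
    if kind == "list":
        # A dependency path reads naturally as root -> ... -> last hop.
        return " -> ".join(render_detail(item) for item in field.get("items", []))
    raise ValueError(f"unsupported detail type: {kind!r}")


def evidence_fields(details):
    """Map each expected evidence key to its rendered value, or None if
    the key is absent or renders to an empty string."""
    result = {}
    for key in EVIDENCE_KEYS:
        field = details.get(key)
        result[key] = (render_detail(field) if field else "") or None
    return result


def missing_evidence(details):
    """Return the evidence keys that would display as empty."""
    return [key for key, value in evidence_fields(details).items() if value is None]
```

For the report quoted above, `missing_evidence(REPORT_DETAILS)` is empty, which is what makes the blank Evidence section a display bug.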

Output of checks

This bug happens on GitLab.com:

GitLab Enterprise Edition 16.8.0-pre 4518fac5

Possible fixes

Edited by Fabien Catteau