Timeout on PipelineSecurityReportFinding.uuid
Summary
A customer has reported issues with viewing finding details for certain pipelines.
We managed to track it down to a change made in GitLab 16.3: Rollout of standalone_finding_modal. Turning this FF off on a test instance running 16.3 resolves the issue, but the FF was cleaned up, and it is not possible to revert to the old behavior.
The exception is:
Timeout on PipelineSecurityReportFinding.uuid
Their report contains a lot of findings: more than 31000; some of them are duplicates that get filtered out when the report gets ingested. Only 7705 findings are ingested eventually. The file is large; attaching it as an internal note here for GitLab team members to review.
Steps to reproduce
Use the attached report as artifacts:reports:sast on a test job -> Wait for the security tab to get populated with findings -> try previewing any of the findings
Example Project
https://gitlab.com/gl-demo-ultimate-khrechyshkina/tickets/zd518132 (project is private as it contains customer-provided report)
What is the current bug behavior?
It is no longer possible to preview findings for the same report, which was working on earlier versions.
What is the expected correct behavior?
It should be possible to view finding details for this report as before.
Relevant logs and/or screenshots
/var/log/gitlab/gitlab-rails/graphql_json.log:{"severity":"ERROR","time":"2024-04-11T14:48:33.692Z","correlation_id":"01HV6T2D6QWTCHGTGADP2EBE9Q","meta.caller_id":"GraphqlController#execute","meta.remote_ip":"192.168.31.34","meta.feature_category":"continuous_integration","meta.user":"root","meta.user_id":1,"meta.client_id":"user/1","meta.artifact_size":72429778,"message":"Timeout on PipelineSecurityReportFinding.uuid","query":"query getSecurityReportFinding($projectFullPath: ID!, $pipelineIid: ID!, $findingUuid: String!) {\n project(fullPath: $projectFullPath) {\n id\n webUrl\n nameWithNamespace\n pipeline(iid: $pipelineIid) {\n id\n securityReportFinding(uuid: $findingUuid) {\n uuid\n title\n description\n descriptionHtml\n state\n severity\n solution\n reportType\n falsePositive\n dismissalReason\n remediations {\n diff\n summary\n __typename\n }\n scanner {\n id\n name\n __typename\n }\n assets {\n name\n url\n __typename\n }\n project {\n id\n name\n webUrl\n nameWithNamespace\n fullPath\n hasJiraVulnerabilityIssueCreationEnabled\n __typename\n }\n evidence {\n summary\n request {\n body\n headers {\n name\n value\n __typename\n }\n method\n url\n __typename\n }\n response {\n body\n reasonPhrase\n statusCode\n headers {\n name\n value\n __typename\n }\n __typename\n }\n supportingMessages {\n name\n response {\n body\n reasonPhrase\n statusCode\n headers {\n name\n value\n __typename\n }\n __typename\n }\n __typename\n }\n source {\n name\n __typename\n }\n __typename\n }\n location {\n ... on VulnerabilityLocationContainerScanning {\n image\n operatingSystem\n __typename\n }\n ... on VulnerabilityLocationSast {\n startLine\n endLine\n file\n blobPath\n __typename\n }\n ... on VulnerabilityLocationDependencyScanning {\n blobPath\n file\n __typename\n }\n ... on VulnerabilityLocationSecretDetection {\n startLine\n endLine\n file\n blobPath\n __typename\n }\n ... on VulnerabilityLocationCoverageFuzzing {\n startLine\n endLine\n file\n blobPath\n crashAddress\n crashType\n stacktraceSnippet\n vulnerableMethod\n vulnerableClass\n __typename\n }\n ... on VulnerabilityLocationDast {\n hostname\n path\n __typename\n }\n __typename\n }\n links {\n name\n url\n __typename\n }\n identifiers {\n name\n url\n externalType\n externalId\n __typename\n }\n issueLinks {\n nodes {\n id\n linkType\n issue {\n id\n iid\n createdAt\n webUrl\n author {\n id\n webUrl\n name\n username\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n details {\n ...NonNestedReportTypes\n ...List\n ...Table\n ...NamedList\n __typename\n }\n dismissedAt\n dismissedBy {\n id\n name\n username\n webUrl\n __typename\n }\n stateComment\n vulnerability {\n id\n userPermissions {\n createVulnerabilityFeedback\n __typename\n }\n externalIssueLinks {\n nodes {\n id\n linkType\n externalIssue {\n externalTracker\n webUrl\n __typename\n }\n __typename\n }\n __typename\n }\n mergeRequest {\n id\n iid\n createdAt\n webUrl\n author {\n id\n webUrl\n name\n username\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment Url on VulnerabilityDetailUrl {\n type: __typename\n name\n href\n}\n\nfragment Diff on VulnerabilityDetailDiff {\n type: __typename\n name\n before\n after\n}\n\nfragment Code on VulnerabilityDetailCode {\n type: __typename\n name\n value\n}\n\nfragment FileLocation on VulnerabilityDetailFileLocation {\n type: __typename\n name\n fileName\n lineStart\n lineEnd\n}\n\nfragment ModuleLocation on VulnerabilityDetailModuleLocation {\n type: __typename\n name\n moduleName\n offset\n}\n\nfragment Commit on VulnerabilityDetailCommit {\n type: __typename\n name\n value\n}\n\nfragment Text on VulnerabilityDetailText {\n type: __typename\n name\n value\n}\n\nfragment Markdown on VulnerabilityDetailMarkdown {\n type: __typename\n name\n value\n}\n\nfragment Boolean on VulnerabilityDetailBoolean {\n type: __typename\n name\n value\n}\n\nfragment Int on VulnerabilityDetailInt {\n type: __typename\n name\n value\n}\n\nfragment NonNestedReportTypes on VulnerabilityDetail {\n ...FileLocation\n ...Url\n ...Diff\n ...Code\n ...Commit\n ...Markdown\n ...Text\n ...Int\n ...Boolean\n ...ModuleLocation\n __typename\n}\n\nfragment ListFields on VulnerabilityDetailList {\n type: __typename\n name\n}\n\nfragment List on VulnerabilityDetailList {\n ...ListFields\n items {\n ...NonNestedReportTypes\n ... on VulnerabilityDetailList {\n ...ListFields\n items {\n ...NonNestedReportTypes\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n}\n\nfragment NamedList on VulnerabilityDetailNamedList {\n type: __typename\n name\n items {\n name\n fieldName\n value {\n ...NonNestedReportTypes\n ...Table\n ... on VulnerabilityDetailList {\n ...ListFields\n items {\n ...NonNestedReportTypes\n __typename\n }\n __typename\n }\n __typename\n }\n __typename\n }\n}\n\nfragment TableFields on VulnerabilityDetailTable {\n type: __typename\n name\n headers {\n ...NonNestedReportTypes\n __typename\n }\n rows {\n row {\n ...NonNestedReportTypes\n __typename\n }\n __typename\n }\n}\n\nfragment Table on VulnerabilityDetailTable {\n type: __typename\n name\n headers {\n ...NonNestedReportTypes\n __typename\n }\n rows {\n row {\n ...NonNestedReportTypes\n ...TableFields\n __typename\n }\n __typename\n }\n}\n","query_variables":{"projectFullPath":"root/zd-customer","pipelineIid":2,"findingUuid":"530ec990-bd36-5803-9363-dff52154daed"}}
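To find which pipelines and findings are hitting this timeout on a self-managed instance, the following added script (not from the issue or from GitLab) scans graphql_json.log entries of the shape quoted above and groups them by field, project and pipeline; the sample lines are constructed, with the first mirroring the quoted entry (query shortened) and the rest made up.

```python
"""Triage GraphQL field timeouts in GitLab's graphql_json.log (JSON lines).
Added example, not code from the issue or from GitLab; the sample lines below are
constructed: entry 1 mirrors the issue's log line (query shortened), the rest are made up."""
import json
import re
from collections import defaultdict

TIMEOUT_RE = re.compile(r"^Timeout on (?P<field>[\w.]+)$")
SAMPLE_LOG = """\
{"severity":"ERROR","time":"2024-04-11T14:48:33.692Z","correlation_id":"01HV6T2D6QWTCHGTGADP2EBE9Q","meta.caller_id":"GraphqlController#execute","meta.artifact_size":72429778,"message":"Timeout on PipelineSecurityReportFinding.uuid","query":"query getSecurityReportFinding($projectFullPath: ID!, $pipelineIid: ID!, $findingUuid: String!) { project(fullPath: $projectFullPath) { id } }","query_variables":{"projectFullPath":"root/zd-customer","pipelineIid":2,"findingUuid":"530ec990-bd36-5803-9363-dff52154daed"}}
{"severity":"INFO","time":"2024-04-11T14:48:34.001Z","correlation_id":"CONSTRUCTED-ID-2","meta.caller_id":"GraphqlController#execute","query":"query getProject($projectFullPath: ID!) { project(fullPath: $projectFullPath) { id } }","query_variables":{"projectFullPath":"root/zd-customer"}}
{"severity":"ERROR","time":"2024-04-11T14:49:10.120Z","correlation_id":"CONSTRUCTED-ID-3","meta.caller_id":"GraphqlController#execute","meta.artifact_size":72429778,"message":"Timeout on PipelineSecurityReportFinding.uuid","query":"query getSecurityReportFinding($projectFullPath: ID!, $pipelineIid: ID!, $findingUuid: String!) { project(fullPath: $projectFullPath) { id } }","query_variables":{"projectFullPath":"root/zd-customer","pipelineIid":2,"findingUuid":"00000000-0000-0000-0000-000000000002"}}
not json: a truncated or rotated line must not abort the scan
"""

def timeout_events(text):
    """One dict per 'Timeout on <Type>.<field>' entry, with the query's variables."""
    events = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        m = TIMEOUT_RE.match(entry.get("message", ""))
        if not m:
            continue
        variables = entry.get("query_variables") or {}
        events.append({
            "correlation_id": entry.get("correlation_id"),
            "field": m.group("field"),
            "project": variables.get("projectFullPath"),
            "pipeline_iid": variables.get("pipelineIid"),
            "finding_uuid": variables.get("findingUuid"),
            "artifact_size": entry.get("meta.artifact_size"),
        })
    return events

def summarize(events):
    """Count timeouts per (field, project, pipeline) and collect the finding UUIDs hit."""
    groups = defaultdict(lambda: {"count": 0, "finding_uuids": set()})
    for e in events:
        g = groups[(e["field"], e["project"], e["pipeline_iid"])]
        g["count"] += 1
        if e["finding_uuid"]:
            g["finding_uuids"].add(e["finding_uuid"])
    return dict(groups)

if __name__ == "__main__":
    for (field, project, iid), g in summarize(timeout_events(SAMPLE_LOG)).items():
        print(f"{field}: {g['count']} timeouts in {project} pipeline {iid}, {len(g['finding_uuids'])} distinct findings")
```

Run it against the real file with `timeout_events(open("/var/log/gitlab/gitlab-rails/graphql_json.log").read())`; a pipeline that appears with many distinct finding UUIDs is one whose report is large enough to reproduce this issue.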
Output of checks
This bug happens on GitLab.com