GraphQL API dismissalReason field always returns null for dismissed vulnerabilities despite proper enum definition in schema
Summary
GraphQL API dismissalReason field always returns null for dismissed vulnerabilities despite proper enum definition in schema
Steps to reproduce
- Dismiss any vulnerability in GitLab UI with a dismissal reason (e.g., "Mitigating Control")
- Query the vulnerability using GraphQL API:

  ```graphql
  {
    project(fullPath: "project/path") {
      vulnerabilities(state: DISMISSED) {
        nodes { id dismissalReason stateComment }
      }
    }
  }
  ```

- Observe that `dismissalReason` is null for all dismissed vulnerabilities
Example Project
This issue can be reproduced on any project with dismissed vulnerabilities on GitLab.com
What is the current bug behavior?
- `dismissalReason` field always returns `null`
- The dismissal reason text appears only in the `stateComment` field
- System notes contain the full information: "changed vulnerability status to Dismissed: Mitigating Control with the following comment: [user comment]"
What is the expected correct behavior?
`dismissalReason` field should return the appropriate `VulnerabilityDismissalReason` enum value:
- ACCEPTABLE_RISK
- FALSE_POSITIVE
- MITIGATING_CONTROL
- USED_IN_TESTS
- NOT_APPLICABLE
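The following script is an added example, not code from the report or from GitLab. It runs the reproduction query from the steps above against a GitLab instance (the base URL and token are assumptions, supplied by the caller), flags dismissed vulnerabilities whose `dismissalReason` comes back null, and recovers the intended enum value from the system-note wording quoted under "current bug behavior" so that a dismissal audit still has the reason while the field is broken. The sample response and system note embedded at the bottom are constructed to match the shapes shown in the report, so the script also runs offline.

```python
"""Audit dismissed vulnerabilities whose GraphQL `dismissalReason` is null.

Added example (not GitLab's code): runs the report's reproduction query,
lists nodes where `dismissalReason` is null, and recovers the reason from
the system-note text quoted in the report. The sample data below is
constructed, not captured from a real instance.
"""
import json
import re
import urllib.request

# VulnerabilityDismissalReason values listed in the report, keyed by the
# human-readable label that the system note uses.
REASON_LABELS = {
    "acceptable risk": "ACCEPTABLE_RISK",
    "false positive": "FALSE_POSITIVE",
    "mitigating control": "MITIGATING_CONTROL",
    "used in tests": "USED_IN_TESTS",
    "not applicable": "NOT_APPLICABLE",
}

# System-note wording quoted in the report:
# "changed vulnerability status to Dismissed: <Reason> with the following comment: <comment>"
NOTE_RE = re.compile(
    r"changed vulnerability status to Dismissed: (?P<reason>.+?)"
    r"(?: with the following comment: (?P<comment>.*))?$",
    re.IGNORECASE | re.DOTALL,
)

# Same query as the reproduction steps, parameterised on the project path.
QUERY = """
query($path: ID!) {
  project(fullPath: $path) {
    vulnerabilities(state: DISMISSED) {
      nodes { id dismissalReason stateComment }
    }
  }
}
"""


def fetch_dismissed(base_url, token, project_path):
    """POST the query to /api/graphql (base_url and token are assumptions)."""
    body = json.dumps({"query": QUERY, "variables": {"path": project_path}}).encode()
    req = urllib.request.Request(
        f"{base_url}/api/graphql",
        data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_missing_reasons(response):
    """Return ids of dismissed vulnerabilities whose dismissalReason is null."""
    nodes = response["data"]["project"]["vulnerabilities"]["nodes"]
    return [n["id"] for n in nodes if n.get("dismissalReason") is None]


def reason_from_note(note_text):
    """Map the dismissal label in a system note to its enum value, or None."""
    m = NOTE_RE.search(note_text)
    if not m:
        return None
    return REASON_LABELS.get(m.group("reason").strip().lower())


# Constructed sample response mirroring the shape in the report.
SAMPLE_RESPONSE = {
    "data": {"project": {"vulnerabilities": {"nodes": [
        {"id": "gid://gitlab/Vulnerability/1", "dismissalReason": None,
         "stateComment": "Only reads entities from the generated directory."},
        {"id": "gid://gitlab/Vulnerability/2", "dismissalReason": "FALSE_POSITIVE",
         "stateComment": None},
    ]}}}
}

# Constructed system note in the wording quoted in the report.
SAMPLE_NOTE = ("changed vulnerability status to Dismissed: Mitigating Control "
               "with the following comment: Only reads entities from the generated directory.")

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_dismissed(url, token, "group/project") to run live.
    print("null dismissalReason:", find_missing_reasons(SAMPLE_RESPONSE))
    print("reason recovered from note:", reason_from_note(SAMPLE_NOTE))
```

The note parser treats the label case-insensitively and tolerates notes with no comment suffix, so a dismissal recorded without a comment still maps to its enum value; any label outside the five listed values yields `None` rather than a guess.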
Relevant logs and/or screenshots
GraphQL introspection confirms the enum exists:

```json
{
  "__type": {
    "kind": "ENUM",
    "enumValues": [
      {"name": "MITIGATING_CONTROL", "description": "A management, operational..."},
      {"name": "FALSE_POSITIVE", "description": "An error in reporting..."},
      // ... other values
    ]
  }
}
```
Example API response showing the issue:

```json
{
  "vulnerability": {
    "id": "gid://gitlab/Vulnerability/1111111",
    "dismissalReason": null, // <-- Should be "MITIGATING_CONTROL"
    "stateComment": "This function is protected by ensuring it's only reading an entity generated in the specific entity directory."
  }
}
```
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A - GitLab.com SaaS
Results of GitLab application Check
N/A - GitLab.com SaaS
Possible fixes
The dismissal reason enum value is not being mapped from the backend to the GraphQL field. The data exists (it is visible in the system notes) but is not exposed through the `dismissalReason` field.
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers. Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.