
SAST report schema requirements differ from GraphQL

Summary

The SAST report schema does not list line_end as a required field; however, the GraphQL type VulnerabilityDetailFileLocation defines it as null: false.

As a result, when you click the Description of a vulnerability whose report omits line_end, you get the error "There was an error fetching the finding. Please try again."

Steps to reproduce

  1. Create the following files on a branch in a project:
.gitlab-ci.yml
```yaml
inject-scanner-result:
  image: alpine:latest
  script:
    - echo hello
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  artifacts:
    access: 'developer'
    reports:
      sast: report.json
```
badfile.java
```java
public class HelloWorld {

    // Your program begins with a call to main()
    public static void main(String[] args)
    {
        // Prints "Hello, World" to the terminal window.
        System.out.println("Hello, World");
    }
}
```
report.json (note that neither the top-level location nor the code-flow file_location carries an end line)
```json
{
    "schema" : "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.2.1/dist/sast-report-format.json",
    "version" : "15.2.1",
    "scan" : {
      "start_time" : "2025-08-26T07:22:34",
      "end_time" : "2025-08-26T07:22:34",
      "status" : "success",
      "type" : "sast",
      "analyzer" : {
        "id" : "a-scanner",
        "name" : "a-scanner",
        "url" : "http://localhost",
        "version" : "a-scanner 24.4.0.0114",
        "vendor" : {
          "name" : "a-scanner"
        }
      },
      "scanner" : {
        "id" : "a-scanner",
        "name" : "a-scanner",
        "url" : "http://localhost",
        "version" : "a-scanner 24.4.0.0114",
        "vendor" : {
          "name" : "a-scanner"
        }
      }
    },
    "vulnerabilities" : [ {
      "id" : "75902740EE5E24B494C2F497899A77E5",
      "category" : "sast",
      "name" : "SQL Injection",
      "message" : "SQL Injection",
      "description" : "badfile.java is bad.",
      "cve" : "N/A",
      "severity" : "Low",
      "confidence" : "Low",
      "solution" : "make it less bad",
      "scanner" : {
        "id" : "a-scanner",
        "name" : "a-scanner"
      },
      "identifiers" : [ {
        "name" : "Instance id: 75902740EE5E24B494C2F497899A77E5",
        "type" : "issueInstanceId",
        "value" : "75902740EE5E24B494C2F497899A77E5",
        "url" : "http://localhost"
      } ],
      "links" : [ {
        "name" : "link1",
        "url" : "http://localhost"
      }, {
        "name" : "link2",
        "url" : "http://localhost"
      } ],
      "location" : {
        "file" : "badfile.java",
        "start_line" : 7
      },
      "details" : {
        "code_flows" : {
          "name" : "Code Flows",
          "type" : "code-flows",
          "items" : [ [ {
            "type" : "code-flow-node",
            "node_type" : "source",
            "file_location" : {
              "type" : "file-location",
              "file_name" : "badfile.java",
              "line_start" : 7
            }
          } ] ]
        }
      }
    }]
}
```
  2. Push the branch
  3. Create an MR for the branch and wait for the pipeline/security processor to run
  4. Click in to View all pipeline findings once the widget loads
  5. Click SQL Injection under the description column
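A pre-flight check for reports that would trigger this mismatch, added here as an example and not part of the issue or of GitLab's code: it walks every `details` object of `type: file-location` and reports the ones missing `line_end`, which the schema permits but the GraphQL type rejects. The `fill_missing_line_end` helper is an assumed workaround (copying `line_start` into `line_end` before upload), not a fix proposed in the issue; the embedded report is a constructed, trimmed copy of the one above.

```python
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample: the shape of report.json from the reproduction steps,
# reduced to the fields that matter for this check. The code-flow node's
# file_location has line_start but no line_end.
SAMPLE_REPORT: Dict[str, Any] = {
    "vulnerabilities": [{
        "id": "vuln-1",
        "location": {"file": "badfile.java", "start_line": 7},
        "details": {"code_flows": {"type": "code-flows", "items": [[{
            "type": "code-flow-node",
            "node_type": "source",
            "file_location": {"type": "file-location",
                              "file_name": "badfile.java",
                              "line_start": 7},
        }]]}},
    }]
}


def _walk(node: Any, path: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (json_path, obj) for every dict nested under node (depth-first)."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_file_locations_without_line_end(report: Dict[str, Any]) -> List[str]:
    """Return JSON paths of 'file-location' detail objects that omit line_end.
    Each hit is a finding whose detail view fails to load, because the
    GraphQL type VulnerabilityDetailFileLocation declares line_end non-null."""
    hits: List[str] = []
    for i, vuln in enumerate(report.get("vulnerabilities", [])):
        for path, obj in _walk(vuln.get("details", {}), f"vulnerabilities[{i}].details"):
            if obj.get("type") == "file-location" and obj.get("line_end") is None:
                hits.append(path)
    return hits


def fill_missing_line_end(report: Dict[str, Any]) -> int:
    """Assumed workaround: set line_end = line_start in place wherever it is
    missing on a file-location. Returns the number of objects patched."""
    patched = 0
    for vuln in report.get("vulnerabilities", []):
        for _, obj in _walk(vuln.get("details", {}), ""):
            if obj.get("type") == "file-location" and obj.get("line_end") is None \
                    and "line_start" in obj:
                obj["line_end"] = obj["line_start"]
                patched += 1
    return patched
```

Running `find_file_locations_without_line_end` on a scanner's output in the CI job, before the artifact is uploaded, flags exactly the findings that would later show "There was an error fetching the finding."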

Example Project

What is the current bug behavior?

Unable to view the bug detail

What is the expected correct behavior?

Be able to view the bug detail

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com


Possible fixes

Allow line_end to be null in the GraphQL?

I suspect changes to the schema will also need some kind of background job to backfill the database for the records that already exist without it.

Patch release information for backports

If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.

Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.

High-severity bug remediation

To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.