
NoMethodError: undefined method 'map' for String in FindingBuilder#links when advisory.urls is a String


Summary

The Gitlab::VulnerabilityScanning::FindingBuilder#links method is failing with a NoMethodError when advisory.urls returns a String instead of an Array. This appears to be related to data inconsistency in the pm_advisories table where the urls column is sometimes stored as a comma-separated String rather than a proper array.

Error Details

```
NoMethodError
undefined method `map' for "{https://nvd.nist.gov/vuln/detail/CVE-2024-57699,https://github.com/advisories/GHSA-pq2g-wx69-c263,https://github.com/netplex/json-smart-v2/issues/232,https://github.com/netplex/json-smart-v2/issues/233,https://github.com/netplex/json-smart-v2/issues/236,https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699,https://github.com/netplex/json-smart-v2,https://github.com/netplex/json-smart-v2/releases/tag/2.5.2,https://nvd.nist.gov/vuln/detail/cve-2023-1370}":String (NoMethodError)

        advisory.urls.map { |url| ::Gitlab::Ci::Reports::Security::Link.new(name: nil, url: url) }
                     ^^^^
Did you mean?  tap
```

```ruby
advisory.urls.map { |url| ::Gitlab::Ci::Reports::Security::Link.new(name: nil, url: url) }
```

Location: [ee/lib/gitlab/vulnerability_scanning/finding_builder.rb:161](https://gitlab.com/gitlab-org/gitlab/-/blob/44fa95a06609fbf49d28449a15568b38b9a2d2c5/ee/lib/gitlab/vulnerability_scanning/finding_builder.rb#L161)

Sentry Link: https://new-sentry.gitlab.net/organizations/gitlab/issues/1992299/events/730262a7fcaa4f319b19703653c018cc

Root Cause Investigation Needed

  1. Database Schema: Verify the column type for pm_advisories.urls
  2. Data Inconsistency: Check if there are advisories with String-formatted urls
  3. Import Process: Investigate if older advisory import processes stored urls differently than current ones

Proposed Solution

Short-term Fix

Add defensive handling in FindingBuilder#links so that it accepts both Array and String values for advisory.urls.
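As an added illustration of that defensive handling (example code, not GitLab's own), the helper below normalises `advisory.urls` to an Array before building links. It assumes a `Link` Struct as a stand-in for `::Gitlab::Ci::Reports::Security::Link`, and it treats a String either as a PostgreSQL array literal (the `{...}` shape seen in the error above) or as a plain comma-separated list.

```ruby
# Added example, not GitLab code: tolerate the url shapes observed in the issue
# (Array, nil, PostgreSQL array-literal String, comma-separated String).
#
# Assumption: Link stands in for ::Gitlab::Ci::Reports::Security::Link.
Link = Struct.new(:name, :url, keyword_init: true)

module AdvisoryUrls
  # Returns an Array of non-empty URL strings whatever shape the column value has.
  # Raises for types that should never appear so the data problem is still visible.
  def self.normalize(urls)
    case urls
    when nil   then []
    when Array then urls.map { |u| u.to_s.strip }.reject(&:empty?)
    when String
      body = urls.strip
      # Drop the braces of a PostgreSQL array literal such as "{https://a,https://b}".
      body = body[1..-2] if body.start_with?('{') && body.end_with?('}')
      # Simplified split: does not handle a double-quoted element that itself
      # contains a comma, which real URLs in this table are not expected to have.
      body.split(',').map { |u| u.strip.delete('"') }.reject(&:empty?)
    else
      raise ArgumentError, "unsupported urls type: #{urls.class}"
    end
  end

  # Mirrors the intent of FindingBuilder#links: one Link (name: nil) per URL.
  def self.links(urls)
    normalize(urls).map { |url| Link.new(name: nil, url: url) }
  end
end

# Constructed sample in the same shape as the Sentry string (first two entries only).
SAMPLE_PG_LITERAL = '{https://nvd.nist.gov/vuln/detail/CVE-2024-57699,https://github.com/advisories/GHSA-pq2g-wx69-c263}'

if __FILE__ == $PROGRAM_NAME
  AdvisoryUrls.links(SAMPLE_PG_LITERAL).each { |link| puts link.url }
end
```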

Long-term Fix (Data Migration)

  1. Identify all advisories with String-formatted urls
  2. Create a background migration to convert String urls to proper Arrays
  3. Add database constraint to ensure urls is always an array type
  4. Investigate and fix the import process that's creating String urls
