TypeError: String does not have #dig method when accessing vulnerability location data
Summary
When retrieving vulnerabilities via GraphQL, a TypeError: String does not have #dig method is raised if a vulnerability's location data is returned as a string instead of a hash. This causes the vulnerability report page to return HTTP 500 errors.
The schema for location is defined here.
This issue was encountered after a customer's PowerShell script set the location as follows:
location = [pscustomobject]@{
    file = $([string]::Concat($($vulnerabilities[$i].ScriptName), '-' , $($vulnerabilities[$i].Line)))
}
Root Cause
In ee/app/models/vulnerabilities/finding.rb:229, the sha method calls dig on the location data:
def sha
  location.dig(...)
end
Expected Behaviour
The Vulnerability::Finding should gracefully handle or normalize the data format of the location field.
Validation should be in place for the location field during ingestion.
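One way to get the behaviour described under Expected Behaviour, as an added sketch that is not GitLab's code: it reproduces the TypeError from the title with a nested dig, then shows a normalizing read and an ingestion-time check. The helper names (unsafe_file, normalize_location, location_errors, safe_file), the metadata shape and the sample records are assumptions constructed for illustration.

```ruby
require 'json'

# Constructed sample records (not taken from the issue): one with location
# as a Hash, one with location as a plain String.
GOOD = { 'location' => { 'file' => 'script.ps1' } }.freeze
BAD  = { 'location' => 'script.ps1-12' }.freeze

# Unguarded read. When an intermediate value is a String, Hash#dig raises
# "TypeError: String does not have #dig method".
def unsafe_file(metadata)
  metadata.dig('location', 'file')
end

# Normalization (hypothetical helper): return a Hash with string keys, or nil.
# A String is accepted only if it is a JSON-encoded object.
def normalize_location(raw)
  case raw
  when Hash
    raw.transform_keys(&:to_s)
  when String
    parsed = begin
      JSON.parse(raw)
    rescue JSON::ParserError
      nil
    end
    parsed.is_a?(Hash) ? parsed : nil
  end
end

# Ingestion-time validation (hypothetical helper): returns a list of error
# messages; an empty list means the location can be stored.
def location_errors(raw)
  loc = normalize_location(raw)
  return ["location must be an object, got #{raw.class}"] if loc.nil?

  errors = []
  if loc.key?('file') && !loc['file'].is_a?(String)
    errors << 'location.file must be a string'
  end
  errors
end

# Guarded read: malformed location data yields nil instead of an exception,
# so a single bad record cannot turn a whole page into an HTTP 500.
def safe_file(metadata)
  normalize_location(metadata['location'])&.dig('file')
end
```

Rejecting the record at ingestion keeps malformed data out of storage; the guarded read covers rows that were stored before validation existed.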