Duo fails to handle "CRLF" line breaks for Vulnerability Resolution
Summary
When attempting to automatically fix vulnerabilities using Resolve with AI, if the vulnerability-containing file uses CRLF line breaks, it will prevent the successful creation of the MR, with no specific error reason displayed.
It’s easy to trigger since CRLF is the default line break for the
Steps to reproduce
-
Enable the SAST vulnerability scanning feature for the test project. Default configurations are sufficient—just ensure vulnerabilities can be detected.
-
Create a code file with vulnerabilities and set its line breaks to
CRLF👇 
-
Click
Resolve with AIin the scanned vulnerability report, and you will see the error message.
Example Project
https://gitlab.com/test-group-v2/test-duo-about-vulnerability/-/security/vulnerabilities/235913434
What is the current bug behavior?
The Resolve with AI function in the vulnerability report is throwing an error.
What is the expected correct behavior?
In the vulnerability report, the Resolve with AI function can normally create a fix MR.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Just SaaS gitlab.com (GitLab Enterprise Edition 18.6.0-pre af294799)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
I'm not sure how to fix this yet, but I've identified the root cause: when the file uses CRLF line endings (represented by the character sequence \r\n), the code returned by the AI model always uses \n instead. This mismatch prevents the generation of a valid git diff patch.
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.