Fix ArgumentError in PackageMetadata::GlobalAdvisoryScanWorker for non-default branch contexts

Summary

Production exception occurring in PackageMetadata::GlobalAdvisoryScanWorker when processing SBOM occurrences from pipelines on non-default branches that don't have a tracked context created yet.

Error Details

ArgumentError: Expected context to already exist for non-default branches

Backtrace:

ee/app/services/security/ingestion/tracked_context_finder.rb:22:in `find_or_create_context'
ee/app/services/security/ingestion/tracked_context_finder.rb:9:in `find_or_create_from_pipeline'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:166:in `tracked_context'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:102:in `block in bulk_vulnerability_ingestion'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:84:in `each'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:84:in `filter_map'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:84:in `bulk_vulnerability_ingestion'
ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb:44:in `block (2 levels) in execute'
ee/app/finders/sbom/possibly_affected_occurrences_finder.rb:22:in `block in execute_in_batches'

Root Cause

The Security::ProjectTrackedContexts::FindOrCreateService is designed to only create tracked contexts for default branches. When called with a non-default branch (via from_pipeline), it expects the context to already exist and raises an ArgumentError if it doesn't.

In the advisory scanner flow:

  1. AdvisoryScanner#bulk_vulnerability_ingestion processes SBOM occurrences
  2. For each occurrence, it calls tracked_context(affected_component.pipeline) (line 102)
  3. This calls TrackedContextFinder#find_or_create_from_pipeline (line 166)
  4. Which calls FindOrCreateService.from_pipeline(pipeline).execute (line 19)
  5. If the pipeline is on a non-default branch and no tracked context exists, the service returns an error
  6. The error is raised as an ArgumentError at line 22 of tracked_context_finder.rb

Impact

  • Production worker failures in PackageMetadata::GlobalAdvisoryScanWorker
  • Advisory scanning cannot complete for projects with SBOM occurrences from non-default branches
  • Potential security vulnerabilities not being detected and reported for non-default branches

Proposed Solution

The advisory scanner needs to handle cases where tracked contexts don't exist for non-default branches. Options include:

  1. Skip occurrences without tracked contexts: Modify AdvisoryScanner#bulk_vulnerability_ingestion to gracefully handle when tracked_context returns nil or fails
  2. Create contexts for non-default branches: Update the logic to allow creating tracked contexts for non-default branches in this flow (may require broader architectural discussion)
  3. Filter occurrences earlier: Only process SBOM occurrences from pipelines that have tracked contexts
  4. Handle the error gracefully: Catch the ArgumentError and log/skip the occurrence rather than failing the entire worker
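The following is an added illustration, not GitLab's own code: a minimal stand-in for the scanner loop that reproduces the failure described above and shows options 1 and 4 side by side. `StubTrackedContextFinder`, `ingest_unsafe`, `ingest_graceful` and the `Pipeline`/`Occurrence`/`TrackedContext` structs are hypothetical names modelled on the behaviour the issue describes (contexts are created only for default branches; for any other branch one must already exist, otherwise an `ArgumentError` is raised). The sample occurrences are constructed.

```ruby
require 'logger'

# Constructed stand-ins for the real pipeline / SBOM occurrence / context records.
Pipeline = Struct.new(:id, :ref, :default_branch, keyword_init: true) do
  def default_branch?
    ref == default_branch
  end
end
Occurrence = Struct.new(:id, :pipeline, keyword_init: true)
TrackedContext = Struct.new(:pipeline_id, :ref, keyword_init: true)

# Hypothetical finder mirroring the behaviour in the issue: a context is created
# for a default-branch pipeline, but for a non-default branch it must already exist.
class StubTrackedContextFinder
  def initialize(existing_contexts)
    @existing = existing_contexts # Hash of ref => TrackedContext
  end

  def find_or_create_from_pipeline(pipeline)
    context = @existing[pipeline.ref]
    return context if context

    unless pipeline.default_branch?
      raise ArgumentError, 'Expected context to already exist for non-default branches'
    end

    @existing[pipeline.ref] = TrackedContext.new(pipeline_id: pipeline.id, ref: pipeline.ref)
  end
end

# Before: the ArgumentError propagates out of the loop and aborts the whole batch,
# so one occurrence without a context fails every other occurrence in the worker.
def ingest_unsafe(occurrences, finder)
  occurrences.map { |occ| [occ.id, finder.find_or_create_from_pipeline(occ.pipeline).ref] }
end

# After: rescue per occurrence, log it, and skip only that occurrence.
# Returns the [occurrence id, context ref] pairs ingested and the ids skipped,
# so the caller (or a metric) can see how much work was dropped.
def ingest_graceful(occurrences, finder, logger: Logger.new(nil))
  skipped = []
  ingested = occurrences.filter_map do |occ|
    begin
      context = finder.find_or_create_from_pipeline(occ.pipeline)
      [occ.id, context.ref]
    rescue ArgumentError => e
      logger.warn("skipping occurrence #{occ.id} (pipeline #{occ.pipeline.id}, ref #{occ.pipeline.ref}): #{e.message}")
      skipped << occ.id
      nil # filter_map drops nil entries
    end
  end
  { ingested: ingested, skipped: skipped }
end

# Constructed sample: a default-branch pipeline, a feature branch whose context
# already exists, and a feature branch with no context (the failing case).
def sample_occurrences
  [
    Occurrence.new(id: 1, pipeline: Pipeline.new(id: 10, ref: 'main', default_branch: 'main')),
    Occurrence.new(id: 2, pipeline: Pipeline.new(id: 11, ref: 'feature-a', default_branch: 'main')),
    Occurrence.new(id: 3, pipeline: Pipeline.new(id: 12, ref: 'feature-b', default_branch: 'main'))
  ]
end

def sample_finder
  StubTrackedContextFinder.new('feature-a' => TrackedContext.new(pipeline_id: 11, ref: 'feature-a'))
end

if __FILE__ == $PROGRAM_NAME
  begin
    ingest_unsafe(sample_occurrences, sample_finder)
  rescue ArgumentError => e
    puts "unsafe loop aborted: #{e.message}"
  end
  p ingest_graceful(sample_occurrences, sample_finder, logger: Logger.new($stdout))
end
```

Option 3 (filtering earlier) amounts to running the same check before the batch loop instead of inside it; whichever option is chosen, the skipped ids should be surfaced in logs or a metric, since a silently dropped occurrence is exactly the "vulnerability not reported for a non-default branch" gap listed under Impact.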

The solution should consider:

  • The intended behavior for vulnerabilities on non-default branches in the advisory scanning context
  • Whether the set_tracked_context_during_ingestion feature flag affects this behavior
  • Alignment with the broader "Vulnerabilities Across Multiple Branches" initiative

Related

  • Parent Epic: #18375 (Vulnerabilities Across Multiple Branches Iteration 1 - System Changes)
  • Related to tracked context feature rollout
  • May be related to #577338 (tracking default context branch name changes)