Make FileLocationType.endLine nullable
What does this MR do and why?
This GraphQL schema is not aligned with our input validation, which expects that this field may be nullable. A file location with no endLine indicates a one-line issue. The frontend already expects that this field is nullable. This fixes a bug where the GraphQL query may error if there is a vulnerability that has file location details with no end line.
References
- Fixes: #566566 (closed)
How to set up and validate locally
- Create the following files on a branch in a project:
.gitlab-ci.yml

```yaml
inject-scanner-result:
  image: alpine:latest
  script:
    - echo hello
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  artifacts:
    access: 'developer'
    reports:
      sast: report.json
```

badfile.java

```java
public class HelloWorld {
    // Your program begins with a call to main()
    public static void main(String[] args)
    {
        // Prints "Hello, World" to the terminal window.
        System.out.println("Hello, World");
    }
}
```

report.json

```json
{
  "schema" : "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.2.1/dist/sast-report-format.json",
  "version" : "15.2.1",
  "scan" : {
    "start_time" : "2025-08-26T07:22:34",
    "end_time" : "2025-08-26T07:22:34",
    "status" : "success",
    "type" : "sast",
    "analyzer" : {
      "id" : "a-scanner",
      "name" : "a-scanner",
      "url" : "http://localhost",
      "version" : "a-scanner 24.4.0.0114",
      "vendor" : {
        "name" : "a-scanner"
      }
    },
    "scanner" : {
      "id" : "a-scanner",
      "name" : "a-scanner",
      "url" : "http://localhost",
      "version" : "a-scanner 24.4.0.0114",
      "vendor" : {
        "name" : "a-scanner"
      }
    }
  },
  "vulnerabilities" : [ {
    "id" : "75902740EE5E24B494C2F497899A77E5",
    "category" : "sast",
    "name" : "SQL Injection",
    "message" : "SQL Injection",
    "description" : "badfile.java is bad.",
    "cve" : "N/A",
    "severity" : "Low",
    "confidence" : "Low",
    "solution" : "make it less bad",
    "scanner" : {
      "id" : "a-scanner",
      "name" : "a-scanner"
    },
    "identifiers" : [ {
      "name" : "Instance id: 75902740EE5E24B494C2F497899A77E5",
      "type" : "issueInstanceId",
      "value" : "75902740EE5E24B494C2F497899A77E5",
      "url" : "http://localhost"
    } ],
    "links" : [ {
      "name" : "link1",
      "url" : "http://localhost"
    }, {
      "name" : "link2",
      "url" : "http://localhost"
    } ],
    "location" : {
      "file" : "badfile.java",
      "start_line" : 7
    },
    "details" : {
      "code_flows" : {
        "name" : "Code Flows",
        "type" : "code-flows",
        "items" : [ [ {
          "type" : "code-flow-node",
          "node_type" : "source",
          "file_location" : {
            "type" : "file-location",
            "file_name" : "badfile.java",
            "line_start" : 7
          }
        } ] ]
      }
    }
  }]
}
```

- Push the branch
- Create an MR for the branch and wait for the pipeline/security processor to run
- Click in to **View all pipeline findings** once the widget loads
- Click **SQL Injection** under the description column
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Brian Williams
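
To see which findings in a report take the "no end line" path described above, this added example (not part of the MR or of GitLab's code) walks each vulnerability's `details` and lists every `file-location` item that has no end line. The key name `line_end` and the embedded sample report are assumptions made for the example.

```python
# Constructed sample shaped like the page's report.json: the page's one-line
# "source" node, plus a "sink" node (added here) that does carry an end line.
SAMPLE_REPORT = {"vulnerabilities": [{
    "name": "SQL Injection",
    "details": {"code_flows": {"type": "code-flows", "items": [[
        {"type": "code-flow-node", "node_type": "source",
         "file_location": {"type": "file-location",
                           "file_name": "badfile.java", "line_start": 7}},
        {"type": "code-flow-node", "node_type": "sink",
         "file_location": {"type": "file-location", "file_name": "badfile.java",
                           "line_start": 9, "line_end": 11}},
    ]]}},
}]}

END_LINE_KEY = "line_end"  # assumption: name of the optional end-line key


def file_locations(node, path="details"):
    """Yield (path, dict) for every nested dict typed "file-location"."""
    if isinstance(node, dict):
        if node.get("type") == "file-location":
            yield path, node
        for key, value in node.items():
            yield from file_locations(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from file_locations(value, f"{path}[{index}]")


def single_line_locations(report):
    """Return (finding, path, file, start line) for locations with no end line."""
    hits = []
    for vuln in report.get("vulnerabilities", []):
        for path, loc in file_locations(vuln.get("details", {})):
            if loc.get(END_LINE_KEY) is None:
                hits.append((vuln.get("name"), path,
                             loc.get("file_name"), loc.get("line_start")))
    return hits


if __name__ == "__main__":
    for hit in single_line_locations(SAMPLE_REPORT):
        print(*hit)
```
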

