Add defensive handling in VulnerabilityScanning::Advisory.urls to support both Array and String formats

What does this MR do and why?

Adds defensive normalization for Advisory URLs to prevent NoMethodError when advisory.urls returns a String instead of an Array.

This MR implements a quick fix for #574045 by normalizing the urls field in the Gitlab::VulnerabilityScanning::Advisory class to handle both PostgreSQL arrays and comma-separated strings.

References

Issue: #574045

Problem

The Gitlab::VulnerabilityScanning::FindingBuilder#links method was failing with:

NoMethodError
undefined method `map' for "{https://nvd.nist.gov/vuln/detail/CVE-2024-57699,https://github.com/advisories/GHSA-pq2g-wx69-c263,https://github.com/netplex/json-smart-v2/issues/232,https://github.com/netplex/json-smart-v2/issues/233,https://github.com/netplex/json-smart-v2/issues/236,https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699,https://github.com/netplex/json-smart-v2,https://github.com/netplex/json-smart-v2/releases/tag/2.5.2,https://nvd.nist.gov/vuln/detail/cve-2023-1370}":String (NoMethodError)

        advisory.urls.map { |url| ::Gitlab::Ci::Reports::Security::Link.new(name: nil, url: url) }
                     ^^^^

This occurred when advisory.urls returned a PostgreSQL array literal as a comma-separated String (the "{...}" form shown above) instead of an Array, causing the .map call to fail. The error affected 31 users according to Sentry.

Solution

Added a normalize_urls private method in the Gitlab::VulnerabilityScanning::Advisory class that:

  • Passes through Array values unchanged
  • Splits comma-separated String values into an Array
  • Returns an empty array for values that are not String or Array

This approach ensures the system can handle both data formats until the root cause can be properly investigated and resolved.
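An added example of the normalization described above, not the MR's own code: the module name, the helper parse_pg_array_literal and the handling of PostgreSQL's double-quoted elements are assumptions; the "{...}" literal format is taken from the Sentry error quoted in the Problem section.

```ruby
# Added example (not the MR's code): normalizing Advisory#urls so that
# FindingBuilder#links can always call .map on the result.
module AdvisoryUrlNormalizer
  module_function

  # Array values pass through unchanged; a String is treated as a PostgreSQL
  # text[] literal such as "{https://a,https://b}" (a bare "a,b" string also
  # works); anything else (nil, Integer, ...) yields an empty Array.
  def normalize_urls(value)
    case value
    when Array then value
    when String then parse_pg_array_literal(value)
    else []
    end
  end

  # PostgreSQL double-quotes array elements that contain commas, braces or
  # quotes and escapes with backslashes, so a naive split(',') would corrupt a
  # URL with a comma in its query string; this scanner honours the quoting.
  def parse_pg_array_literal(str)
    body = str.strip
    body = body[1..-2] if body.start_with?('{') && body.end_with?('}')
    return [] if body.empty?

    body.scan(/"((?:[^"\\]|\\.)*)"|([^,]+)/).map do |quoted, bare|
      quoted ? quoted.gsub(/\\(.)/, '\1') : bare.strip
    end.reject(&:empty?)
  end
end
```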

Screenshots or screen recordings

N/A - Backend fix

Additional context

This is a short-term defensive fix as suggested by @nilieskou (note).

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Albina Yusupova
