SonarQube 10.3 Developer - Impossible to perform synchronization of changed Gitlab vulnerabilities

I just upgraded to 10.3 Developer Edition from 10.2.1 and a new warning is popping up.

“Impossible to perform synchronization of changed Gitlab vulnerabilities with SonarQube issues”

The instance is integrated with an on-prem GitLab instance, version 16.3.


Hey there.

Hm… that’s not a very helpful error message. :confused:

This is a new feature – I’m not totally sure how to debug it. I would suggest:

  • Raising the log level in global Administration > System > Log Level
  • Checking your ce.log file after an analysis that raises this warning

This should reveal more about why it was impossible to synchronize vulnerabilities.

I’m assuming ce.log is the compute engine log.

There are a couple of exceptions in the logs. Is this helpful or would you need more info?

2023.11.17 15:57:50 WARN  ce[AYveAK2KvboKOgn-n9nQ][com.A.B.B.A] Cannot access GitLab to get vulnerabilities for project 119. Error: The GraphQl answer contains errors: [{message=No such type Vulnerability, so it can't be a fragment condition, locations=[{line=1.0, column=1.0}], path=[fragment Vulnerability], extensions={code=undefinedType, typeName=Vulnerability}}, {message=Field 'vulnerabilities' doesn't exist on type 'Project', locations=[{line=25.0, column=13.0}], path=[query, projects, nodes, vulnerabilities], extensions={code=undefinedField, typeName=Project, fieldName=vulnerabilities}}, {message=Variable $scannerId is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=scannerId}}, {message=Variable $cursor is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=cursor}}]
2023.11.17 15:57:50 DEBUG ce[AYveAK2KvboKOgn-n9nQ][com.A.B.B.A] Cannot access GitLab to get vulnerabilities for project 119. Error: The GraphQl answer contains errors: [{message=No such type Vulnerability, so it can't be a fragment condition, locations=[{line=1.0, column=1.0}], path=[fragment Vulnerability], extensions={code=undefinedType, typeName=Vulnerability}}, {message=Field 'vulnerabilities' doesn't exist on type 'Project', locations=[{line=25.0, column=13.0}], path=[query, projects, nodes, vulnerabilities], extensions={code=undefinedField, typeName=Project, fieldName=vulnerabilities}}, {message=Variable $scannerId is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=scannerId}}, {message=Variable $cursor is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=cursor}}]
java.lang.IllegalStateException: The GraphQl answer contains errors: [{message=No such type Vulnerability, so it can't be a fragment condition, locations=[{line=1.0, column=1.0}], path=[fragment Vulnerability], extensions={code=undefinedType, typeName=Vulnerability}}, {message=Field 'vulnerabilities' doesn't exist on type 'Project', locations=[{line=25.0, column=13.0}], path=[query, projects, nodes, vulnerabilities], extensions={code=undefinedField, typeName=Project, fieldName=vulnerabilities}}, {message=Variable $scannerId is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=scannerId}}, {message=Variable $cursor is declared by anonymous query but not used, locations=[{line=22.0, column=1.0}], path=[query], extensions={code=variableNotUsed, variableName=cursor}}]
	at com.sonarsource.G.C.A(Unknown Source)
	at com.sonarsource.G.C.A(Unknown Source)
	at com.sonarsource.G.C.A(Unknown Source)
	at com.A.B.B.A.A(Unknown Source)
	at com.A.B.B.A.B(Unknown Source)
	at com.A.B.A.B.A.A.F(Unknown Source)
	at com.A.B.A.B.A.A.A(Unknown Source)
	at java.base/java.util.Optional.map(Unknown Source)
	at com.A.B.A.B.A.A.D(Unknown Source)
	at com.A.B.A.B.A.A.C(Unknown Source)
	at com.A.B.D.A.onCheck(Unknown Source)
	at org.sonar.ce.task.projectanalysis.measure.PreMeasuresComputationChecksStep.execute(PreMeasuresComputationChecksStep.java:54)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeStep(ComputationStepExecutor.java:79)
	at org.sonar.ce.task.step.ComputationStepExecutor.executeSteps(ComputationStepExecutor.java:70)
	at org.sonar.ce.task.step.ComputationStepExecutor.execute(ComputationStepExecutor.java:57)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
2023.11.17 15:57:50 WARN  ce[AYveAK2KvboKOgn-n9nQ][com.A.B.D.A] Impossible to perform synchronization of changed Gitlab vulnerabilities with SonarQube issues
java.lang.IllegalStateException: SonarQube was not able to retrieve resources from GitLab. This is likely due to a connectivity problem or a temporary network outage
	at com.A.B.B.A.<clinit>(Unknown Source)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source)
	at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:211)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:117)
	at org.springframework.beans.factory.support.ConstructorResolver.lambda$instantiate$0(ConstructorResolver.java:307)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:306)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:296)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1609)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1573)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1439)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1349)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:283)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1609)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1573)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1439)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1349)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887)
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:229)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:233)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveNamedBean(DefaultListableBeanFactory.java:1284)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveNamedBean(DefaultListableBeanFactory.java:1245)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveBean(DefaultListableBeanFactory.java:494)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:349)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:342)
	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1174)
	at org.sonar.core.platform.SpringComponentContainer.getComponentByType(SpringComponentContainer.java:150)
	at org.sonar.ce.task.projectanalysis.taskprocessor.ReportTaskProcessor.process(ReportTaskProcessor.java:75)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.executeTask(CeWorkerImpl.java:212)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$ExecuteTask.run(CeWorkerImpl.java:194)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.findAndProcessTask(CeWorkerImpl.java:160)
	at org.sonar.ce.taskprocessor.CeWorkerImpl$TrackRunningState.get(CeWorkerImpl.java:135)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:87)
	at org.sonar.ce.taskprocessor.CeWorkerImpl.call(CeWorkerImpl.java:53)
	at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
	at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75)
	at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)

This is helpful and I will ping the relevant team.


Hello @Manuel_Lazzari, thanks for reporting this.
Are you using the Vulnerability Report in your GitLab setup?

From the logs, I can see that SonarQube is not able to fetch the results from this vulnerability report.
This means that if you update the status of the issues on the GitLab vulnerability report, that status is not being propagated to SonarQube.

If you are not using the GitLab vulnerability report, this warning has no impact at all. We will check with the team how to reproduce it locally and identify what is causing the issue.

Matteo

Hello Matteo,

I will need to check, but you are probably right on GitLab not being properly configured. I’m sure the warning is not harmful.

However, in my opinion, if the feature is not enabled or configured in GitLab, I believe I should have the opportunity to disable the feature on the SonarQube side as well and not be annoyed by such a warning. What do you think?

Kind regards

Hello Manuel,

When the feature is not enabled, SonarQube gets no results from GitLab about the Vulnerability Report and completes the analysis without raising any warning.
That is the reason I asked if the feature is available on the repository, because it feels like something was returned by GitLab but was not properly structured, or it was not possible at all to hit the endpoint required for doing this check.

We will do more tests on our side in order to understand in what cases this situation arises even when it is not expected.

I will keep you posted,
Matteo

Hi,

We are using SonarQube with a self-hosted instance of GitLab and see the same warning.
As we do not have an Ultimate license, the vulnerability scans in GitLab are not even available to configure.
Maybe the endpoint itself is not exposed when the license feature for vulnerability scans is not available?

Cheers,
Guido

We tested the functionality against projects hosted on GitLab.com where the Ultimate Tier was not available. The result in those cases was a silent response from GitLab and not an error.
It seems that both your cases are related to on-premise instances. While we set up everything for testing this scenario, may I ask you to confirm whether the GraphQL API endpoint in your instances is available at this URL:

If your GitLab URL is: https://mygitlab.domain.com
We expect the GraphQL API endpoint to be available at: https://mygitlab.domain.com/api/graphql

This should be easily validated by accessing the GraphQL Explorer and checking the URLs called when refreshing the page.

The GraphQL explorer of your on-premise instance is available at: https://mygitlab.domain.com/-/graphql-explorer

Here is the example when accessing the GraphQL Explorer of GitLab.com

Thanks for testing and getting back to me.

I tested the graphql-explorer and it is available.

However, if I try to execute the request via the GraphQL explorer or directly from the browser, I get:

{"errors":[{"message":"Unexpected end of document","locations":[]}]}

Ok, so the endpoint URL is exactly where expected in your instance.
At this point, I would expect a different behavior of GitLab.com and GitLab on-premise when running the GraphQL query related to the vulnerability report and the functionality is not available.

Thanks for the precious info, we will try to reproduce the behavior and once confirmed we will fix it in order to avoid those warnings being reported at analysis time.

We figured out that the GraphQL API does not behave in the same way when used from GitLab on-premise and GitLab.com.
While GitLab.com returns an empty payload if the feature is not available, the on-premise instances return an error when asked for the vulnerability report if the functionality is not included in the license in use.

We already have a Jira that will mitigate the problem reported, and not raise analysis warnings in case the functionality is not effectively in use.
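
Added example, not part of the thread and not SonarQube's code: one way a sync client can tell "the vulnerability report is not in this GitLab schema" (the `undefinedType` / `undefinedField` codes in the ce.log excerpt above) apart from a real query or transport failure, so that only the latter raises a warning. The function name, the status labels and the sample bodies are assumptions constructed for illustration; treating `variableNotUsed` as a consequence of the missing field is also an assumption.

```python
import json

# Validation codes that appear in the ce.log excerpt quoted in this thread.
SCHEMA_GAP_CODES = {"undefinedType", "undefinedField"}
# Assumption: these are side effects of the missing field (its arguments,
# which use the variables, are never validated), not independent faults.
KNOCK_ON_CODES = {"variableNotUsed"}


def classify_graphql_response(body: str) -> dict:
    """Classify a GraphQL response body for a vulnerability sync job.

    Returns a dict with:
      status  - "ok", "feature_unavailable", "query_error" or "transport_error"
      warn    - True when an operator-facing warning is justified
      missing - schema elements the server said it does not have
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Not JSON at all (proxy error page, truncated body, ...).
        return {"status": "transport_error", "warn": True, "missing": []}
    if not isinstance(doc, dict):
        return {"status": "transport_error", "warn": True, "missing": []}

    errors = [e for e in (doc.get("errors") or []) if isinstance(e, dict)]
    if not errors:
        # Includes the empty payload described for GitLab.com.
        return {"status": "ok", "warn": False, "missing": []}

    missing, other = set(), []
    for err in errors:
        ext = err.get("extensions") or {}
        code = ext.get("code")
        if code in SCHEMA_GAP_CODES:
            name = ext.get("typeName", "?")
            if code == "undefinedField":
                name = f"{name}.{ext.get('fieldName', '?')}"
            missing.add(name)
        elif code not in KNOCK_ON_CODES:
            other.append(err.get("message", ""))

    if missing and not other:
        # The server is reachable and answered; the feature is absent.
        return {"status": "feature_unavailable", "warn": False,
                "missing": sorted(missing)}
    return {"status": "query_error", "warn": True, "missing": sorted(missing)}


# Constructed sample: same error codes as the on-premise log excerpt above.
ON_PREM_BODY = json.dumps({"errors": [
    {"message": "No such type Vulnerability, so it can't be a fragment condition",
     "extensions": {"code": "undefinedType", "typeName": "Vulnerability"}},
    {"message": "Field 'vulnerabilities' doesn't exist on type 'Project'",
     "extensions": {"code": "undefinedField", "typeName": "Project",
                    "fieldName": "vulnerabilities"}},
    {"message": "Variable $scannerId is declared by anonymous query but not used",
     "extensions": {"code": "variableNotUsed", "variableName": "scannerId"}},
    {"message": "Variable $cursor is declared by anonymous query but not used",
     "extensions": {"code": "variableNotUsed", "variableName": "cursor"}},
]})

# Constructed sample: an empty payload (the exact shape is an assumption).
GITLAB_COM_BODY = json.dumps({"data": {"projects": {"nodes": []}}})

# The body quoted in the thread when the endpoint is hit without a query.
EMPTY_QUERY_BODY = '{"errors":[{"message":"Unexpected end of document","locations":[]}]}'

if __name__ == "__main__":
    for label, body in [("on-prem", ON_PREM_BODY), ("gitlab.com", GITLAB_COM_BODY),
                        ("empty query", EMPTY_QUERY_BODY)]:
        print(label, classify_graphql_response(body))
```

The "Unexpected end of document" body carries no `extensions.code`, so it is classified as a query error: the endpoint answered, but the request was not a valid document.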