Only First Code Flow Array Displayed in GitLab Advanced SAST Report

Hello GitLab community,

I’m encountering an issue with GitLab Advanced Security’s Static Application Security Testing (SAST) feature where only the first code flow array is being displayed in the report, even though there are two distinct code flows in the file. I’m working with the OWASP WebGoat project, specifically the SqlInjectionLesson8.java file, and I’ve noticed that only one of the two code flows is shown.

Here are the two code flow arrays from the SAST report:

First Code Flow:

[
    {
        "type": "code-flow-node",
        "node_type": "source",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 41,
            "line_end": 41
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 43,
            "line_end": 43
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 44,
            "line_end": 44
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 49,
            "line_end": 49
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 62,
            "line_end": 62
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "sink",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 62,
            "line_end": 62
        }
    }
]

Second Code Flow:

[
    {
        "type": "code-flow-node",
        "node_type": "source",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 3,
            "line_end": 3
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 4,
            "line_end": 4
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "propagation",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 6,
            "line_end": 6
        }
    },
    {
        "type": "code-flow-node",
        "node_type": "sink",
        "file_location": {
            "type": "file-location",
            "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
            "line_start": 8,
            "line_end": 8
        }
    }
]

In my setup, only the first code flow (from line 41 to 62) is being displayed or “printed,” while the second code flow (from line 3 to 8) is not visible. I’m unsure if this is a limitation of the GitLab UI, a configuration issue, or related to how I’m processing the SAST report.

Steps I’ve Taken to Troubleshoot

  1. Checked the Raw SAST Report:
  • I downloaded the raw JSON report from the pipeline’s Security tab and verified that both code flows are present in the report. However, when viewing the report in the GitLab UI, only the first code flow is displayed.
  2. Verified GitLab Version:
  • I’m using GitLab Enterprise Edition 18.2.0-pre. I understand that GitLab 17.4 introduced enhanced code-flow views, so I’m considering if this is a version-specific issue.
  3. Reviewed CI/CD Configuration:

Despite these checks, I’m still only seeing one code flow in the UI. I’m wondering if there’s a way to configure GitLab to display all code flows for each vulnerability or if this is a known limitation.

Questions for the Community

  • Has anyone else encountered this issue where only the first code flow is displayed in the SAST report?

  • Is there a specific configuration or setting in GitLab that controls how code flows are displayed?

  • If I’m using a custom script or integration to process the SAST report, could that be limiting the display to one code flow?

Any insights, suggestions, or experiences from others who have faced similar issues would be greatly appreciated.

Attached screenshot.

{
    "$schema": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/sast-report-format.json",
    "version": "15.2.1",
    "vulnerabilities": [
        {
            "id": "6d5fb27722682bb20c1de496d623b086",
            "category": "sast",
            "name": "SQL Injection",
            "message": "",
            "description": "Untrusted user-supplied data is inserted into a SQL statement without adequate validation, escaping, or filtering.",
            "cve": "CWE-89",
            "severity": "High",
            "confidence": "",
            "scanner": {
                "id": "",
                "name": "",
                "vendor": {
                    "name": ""
                }
            },
            "location": {
                "file": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                "start_line": 44,
                "end_line": 45,
                "dependency": {
                    "package": {
                        "name": "",
                        "version": ""
                    },
                    "version": ""
                }
            },
            "identifiers": [
                {
                    "type": "cwe",
                    "name": "CWE-89",
                    "value": "CWE-89",
                    "url": "https://poc.*.*.com/portfolio/portfolios/00296cd0-45bc-40be-8d02-fc1a3203abde/portfolio-items/c0689446-0c84-434a-83d2-69f2e55123d8/projects/077454fd-ca97-4539-acee-17e966ef54a1/issues/E453A8B3263435D18286BC17ECEFB162?branchId=7afa2da3-1883-4474-a9e6-1d2088bc55e0&filter=issueType%3Alocalized-name%3DSQL%20Injection%26context%3AtoolType%3Dsast%26issueProperties%3Alocation%3Dsrc%2Fmain%2Fjava%2Forg%2Fowasp%2Fwebgoat%2Flessons%2Fsqlinjection%2Fintroduction%2FSqlInjectionLesson8.java"
                },
                {
                    "type": "_id",
                    "name": "security",
                    "value": "security"
                },
                {
                    "type": "_id",
                    "name": "static_analysis",
                    "value": "static_analysis"
                }
            ],
            "details": {
                "code_flows": {
                    "name": "Code Flow for SQL Injection",
                    "type": "code-flows",
                    "items": [
                        [
                            {
                                "type": "code-flow-node",
                                "node_type": "source",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 3,
                                    "line_end": 4
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 4,
                                    "line_end": 5
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 6,
                                    "line_end": 7
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "sink",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 8,
                                    "line_end": 9
                                }
                            }
                        ],
                        [
                            {
                                "type": "code-flow-node",
                                "node_type": "source",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 41,
                                    "line_end": 41
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 43,
                                    "line_end": 43
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 44,
                                    "line_end": 44
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 49,
                                    "line_end": 49
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "propagation",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 62,
                                    "line_end": 62
                                }
                            },
                            {
                                "type": "code-flow-node",
                                "node_type": "sink",
                                "file_location": {
                                    "type": "file-location",
                                    "file_name": "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
                                    "line_start": 62,
                                    "line_end": 62
                                }
                            }
                        ]
                    ]
                }
            }
        }
    ],
    "scan": {
        "analyzer": {
            "id": "Polaris",
            "name": "Polaris",
            "vendor": {
                "name": "Black Duck"
            },
            "version": "N/A"
        },
        "scanner": {
            "id": "Polaris",
            "name": "Polaris",
            "vendor": {
                "name": "Black Duck"
            },
            "version": "N/A"
        },
        "type": "sast",
        "start_time": "2025-06-24T19:12:06",
        "end_time": "2025-06-24T19:12:07",
        "status": "success"
    },
    "dependency_files": null
}

Thank you!
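As an added example (not GitLab's, Black Duck's or the poster's own code), the script below walks a SAST report of the shape posted above, lists every entry of `details.code_flows.items` per vulnerability and checks that each flow is well formed (starts at a `source`, ends at a `sink`, every node carries a file location). It embeds a constructed sample with the same two flows as the report in the post; pass a real `gl-sast-report.json` path as the first argument to run it against a downloaded report.

```python
"""List and sanity-check every code flow in a GitLab SAST report.

Added example. It assumes the report shape shown in the post:
vulnerabilities[].details.code_flows.items is a list of flows and
each flow is a list of "code-flow-node" objects.
"""
import json
import sys

FILE = "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java"
VALID_NODE_TYPES = {"source", "propagation", "sink"}


def node(node_type, line_start, line_end, file_name=FILE):
    """Build one code-flow node in the report's shape (used for the sample)."""
    return {
        "type": "code-flow-node",
        "node_type": node_type,
        "file_location": {
            "type": "file-location",
            "file_name": file_name,
            "line_start": line_start,
            "line_end": line_end,
        },
    }


# Constructed sample: one finding carrying the two flows from the post.
SAMPLE_REPORT = json.dumps({
    "version": "15.2.1",
    "vulnerabilities": [{
        "id": "6d5fb27722682bb20c1de496d623b086",
        "category": "sast",
        "name": "SQL Injection",
        "location": {"file": FILE, "start_line": 44, "end_line": 45},
        "details": {"code_flows": {
            "name": "Code Flow for SQL Injection",
            "type": "code-flows",
            "items": [
                [node("source", 3, 4), node("propagation", 4, 5),
                 node("propagation", 6, 7), node("sink", 8, 9)],
                [node("source", 41, 41), node("propagation", 43, 43),
                 node("propagation", 44, 44), node("propagation", 49, 49),
                 node("propagation", 62, 62), node("sink", 62, 62)],
            ],
        }},
    }],
})


def code_flows(vuln):
    """Return all flows of a vulnerability, or [] when it carries none."""
    flows = vuln.get("details", {}).get("code_flows", {})
    if flows.get("type") != "code-flows":
        return []
    return flows.get("items", [])


def validate_flow(flow):
    """Return a list of problems; an empty list means the flow is well formed."""
    if not flow:
        return ["flow has no nodes"]
    problems = []
    for i, n in enumerate(flow):
        if n.get("type") != "code-flow-node" or n.get("node_type") not in VALID_NODE_TYPES:
            problems.append(f"node {i}: unexpected type/node_type")
        loc = n.get("file_location", {})
        if loc.get("type") != "file-location" or not loc.get("file_name"):
            problems.append(f"node {i}: missing file location")
        elif loc.get("line_start", 0) > loc.get("line_end", 0):
            problems.append(f"node {i}: line_start after line_end")
    if flow[0].get("node_type") != "source":
        problems.append("flow does not start at a source")
    if flow[-1].get("node_type") != "sink":
        problems.append("flow does not end at a sink")
    return problems


def describe_flow(flow):
    """Render a flow as 'source L3-4 -> propagation L4-5 -> ... -> sink L8-9'."""
    parts = []
    for n in flow:
        loc = n["file_location"]
        start, end = loc["line_start"], loc["line_end"]
        span = f"L{start}" if start == end else f"L{start}-{end}"
        parts.append(f"{n['node_type']} {span}")
    return " -> ".join(parts)


def summarize(report_text):
    """Per vulnerability: id, name, flow_count, rendered flows and any problems."""
    report = json.loads(report_text)
    summary = []
    for vuln in report.get("vulnerabilities", []):
        flows = code_flows(vuln)
        summary.append({
            "id": vuln.get("id"),
            "name": vuln.get("name"),
            "flow_count": len(flows),
            "flows": [describe_flow(f) for f in flows],
            "problems": [p for f in flows for p in validate_flow(f)],
        })
    return summary


if __name__ == "__main__":
    # A real gl-sast-report.json path can be given; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for entry in summarize(text):
        print(f"{entry['name']} ({entry['id']}): {entry['flow_count']} flow(s)")
        for i, flow in enumerate(entry["flows"], 1):
            print(f"  flow {i}: {flow}")
        for problem in entry["problems"]:
            print(f"  problem: {problem}")
```

Running it against the downloaded raw report separates the two possibilities raised in the post: if `flow_count` is 2 and `problems` is empty, the report carries both flows intact and the gap is on the rendering side; if a custom integration sits between the scanner and GitLab, comparing `flow_count` before and after that step shows whether it keeps only the first element of `items`.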

Any updates?