Impact
An unknown number of users experienced problems accessing the Locations view. The issue started on UTC-5 24-07-24 14:05 and was proactively discovered 2.1 hours (TTD) later by a staff member who reported through our help desk [1] that, after closing a vulnerability during a reattack request and returning to the Locations view, an error message appeared: `There is an error :(`. The problem was resolved in 1.2 hours (TTF), resulting in a total impact of 3.3 hours (TTR) [2].
Cause
Vulnerabilities have an attribute called reasons, which stores the reason for their current status, such as being rejected or marked as safe. A recent change introduced two new possible reasons: CLOSED_BY_MACHINE and VERIFIED_AS_SAFE. However, this change was only added to the data model and not to the API schema. As a result, when loading the Locations view with at least one vulnerability in these new states, the API did not recognize these values, leading to errors [3].
Solution
To resolve the problem, the values VERIFIED_AS_SAFE and CLOSED_BY_MACHINE were added to the Enum in the API schema, allowing the API to recognize these new states [4].
Conclusion
Insufficient testing failed to catch this error in the continuous integration (CI) process. It is crucial to ensure that our test data covers every possible value in the Enum, allowing us to validate the functionality in our tests. If any Enum value is missing from the API, the test will fail due to the error response returned. Additionally, we should add an assertion in the test to check that there is at least one response for each Enum value. This will help catch future issues if new values are added to the Enum, but the corresponding test data is overlooked.

INCOMPLETE_PERSPECTIVE < MISSING_TEST
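The two checks proposed above, as an added example rather than the project's own code: one compares the data-model Enum against the Enum declared in the API schema, the other verifies that the test fixtures exercise every Enum value. The enum name `VulnerabilityStateReason`, the GraphQL SDL text and the fixture rows are constructed assumptions.

```python
"""Added example: detect drift between a data-model Enum and the API schema
Enum for the `reasons` attribute, and check fixture coverage of the Enum."""
import enum
import re


class VulnerabilityStateReason(enum.Enum):
    """Data-model side (assumed names; REJECTED stands in for older values)."""
    REJECTED = "REJECTED"
    VERIFIED_AS_SAFE = "VERIFIED_AS_SAFE"    # recently added
    CLOSED_BY_MACHINE = "CLOSED_BY_MACHINE"  # recently added


# Constructed GraphQL SDL fragments: the schema as shipped (missing the two
# new reasons) and the schema after the fix.
SCHEMA_BEFORE = """
enum VulnerabilityStateReason {
  REJECTED
}
"""
SCHEMA_AFTER = """
enum VulnerabilityStateReason {
  REJECTED
  VERIFIED_AS_SAFE
  CLOSED_BY_MACHINE
}
"""


def schema_enum_values(sdl: str, name: str) -> set[str]:
    """Return the member names of `enum <name> { ... }` in SDL text
    (assumes plain members with no descriptions or directives)."""
    match = re.search(rf"enum\s+{name}\s*\{{([^}}]*)\}}", sdl)
    if match is None:
        raise ValueError(f"enum {name} not found in schema")
    return {line.strip() for line in match.group(1).splitlines() if line.strip()}


def model_values_missing_from_schema(sdl: str) -> set[str]:
    """Model values the API schema cannot serialize. Any value in this set
    breaks the Locations view once a vulnerability carries it."""
    model = {member.value for member in VulnerabilityStateReason}
    return model - schema_enum_values(sdl, "VulnerabilityStateReason")


def uncovered_enum_values(fixtures: list[dict]) -> set[str]:
    """Enum members that no test vulnerability exercises; a CI test should
    assert this set is empty so new reasons cannot ship without test data."""
    covered = {row["reason"] for row in fixtures}
    return {member.value for member in VulnerabilityStateReason} - covered
```

Both functions return sets so a CI test can assert they are empty and print the offending values on failure.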