ti_google_threat_intelligence: fix null array handling in CEL programs #19436

Merged: navnit-elastic merged 2 commits into elastic:main from navnit-elastic:gti-null-results, Jun 8, 2026

@navnit-elastic

Contributor

Proposed commit message

ti_google_threat_intelligence: fix null array handling in CEL programs

Add explicit null checks before size() on body.iocs and body.data across
all threat list data streams so APIs returning null instead of an empty
array no longer cause runtime failures.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@navnit-elastic navnit-elastic self-assigned this Jun 8, 2026
@navnit-elastic navnit-elastic added the labels bugfix, Team:Security-Service Integrations, Team:SDE-Crest, Integration:ti_google_threat_intelligence Jun 8, 2026
@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

TL;DR

This failure is an infrastructure/transient dependency fetch issue, not a PR code regression. The Buildkite trigger job failed because gvm download returned an HTML 504 Gateway Time-out, so go was never installed and the step exited with 127.

Remediation

  • Re-run the failed Buildkite build/job (likely transient network/proxy outage to GitHub Releases).
  • Harden .buildkite/scripts/common.sh around with_go to validate the downloaded gvm artifact before executing it (e.g., fail if content is HTML / missing expected header) so failures are explicit and faster to diagnose.

Investigation details

Root Cause

The trigger step executes .buildkite/scripts/trigger_integrations_in_parallel.sh, which calls with_mage and then with_go (.buildkite/scripts/trigger_integrations_in_parallel.sh, lines 7-10). In with_go, the script downloads gvm and immediately executes it:

  • .buildkite/scripts/common.sh:111 downloads gvm from GitHub Releases via curl
  • .buildkite/scripts/common.sh:113 executes gvm
  • .buildkite/scripts/common.sh:114 expects go version

In this run, the downloaded file was an HTML 504 page, causing shell parse errors and then go: command not found.

Evidence

/buildkite/.../bin/gvm: line 1: syntax error near unexpected token `<'
/buildkite/.../bin/gvm: line 1: `<html><body><h1>504 Gateway Time-out</h1>'
.buildkite/scripts/common.sh: line 114: go: command not found

  • Failed command: ./.buildkite/scripts/trigger_integrations_in_parallel.sh
  • Exit status: 127

Verification

  • Local repo script inspection confirms failure path through with_go in .buildkite/scripts/common.sh and trigger script call chain.

Follow-up

If this repeats frequently, consider adding curl --fail --retry-all-errors and content validation (or checksum/signature verification) before chmod +x/execution of downloaded tools.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
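
The remediation suggested in the bot comment above (validate the downloaded artifact before chmod +x and execution), as an added example; it is not code from elastic/integrations or from .buildkite/scripts/common.sh. The function names `sha256_of`, `verify_artifact` and `fetch_tool`, and the pinned SHA-256 digest passed by the caller, are assumptions.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers): refuse to install a downloaded tool
# unless it is non-empty, is not an HTML error page, and matches a pinned
# SHA-256 digest supplied by the caller.

sha256_of() {
  # Print the hex SHA-256 of a file using whichever tool is installed.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return codes: 0 ok, 1 empty/missing, 2 HTML body, 3 digest mismatch.
verify_artifact() {
  local file="$1" expected="$2" actual
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  # A proxy or CDN error (such as the 504 page in the log above) arrives
  # as markup; look for it in the first 512 bytes.
  if head -c 512 "$file" | LC_ALL=C grep -aqiE '<(!doctype|html)'; then
    echo "HTML response saved instead of a binary: $file" >&2
    return 2
  fi
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ] || {
    echo "sha256 mismatch: got $actual, want $expected" >&2
    return 3
  }
}

# Download to a temporary path, verify, and only then make it executable.
# --fail turns HTTP errors into a non-zero exit instead of a saved body;
# --retry-all-errors needs curl 7.71.0 or later.
fetch_tool() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)" || return 1
  if curl --fail --silent --show-error --location \
          --retry 3 --retry-all-errors -o "$tmp" "$url" \
     && verify_artifact "$tmp" "$expected"; then
    chmod +x "$tmp" && mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}
```

The digest check is what gives integrity; the HTML check only makes the failure mode seen in this build explicit and quick to diagnose.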

@navnit-elastic navnit-elastic marked this pull request as ready for review June 8, 2026 09:38
@navnit-elastic navnit-elastic requested review from a team as code owners June 8, 2026 09:38
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

✅ All changelog entries have the correct PR link.

@elasticmachine

💚 Build Succeeded

History

cc @navnit-elastic

@navnit-elastic navnit-elastic merged commit e579224 into elastic:main Jun 8, 2026
9 checks passed
@elastic-vault-github-plugin-prod

Package ti_google_threat_intelligence - 0.12.2 containing this change is available at https://epr.elastic.co/package/ti_google_threat_intelligence/0.12.2/
