Extend the security report to include metrics

See parent epic for additional information about this effort.

The security report is being extended to include metric collection for CI-based analyzers. The metric information will then be collected via the internal event tracking capabilities of GitLab during report processing. Internal event tracking has recently been extended to allow collecting more than 3 properties per event. This allows collecting metric data that can also be aggregated from self-hosted instances via Service Ping. For GitLab.com, the full event data is available in our data warehouse.

Proposed schema changes

  1. Add optional observability property to scan with definition under definitions.
    1. Documentation string should indicate this is an internal-use-only property and not for 3rd party integrations.
  2. Add optional events array property to scan.observability.
    1. Type: array
    2. Description: Array of event based metrics collected via the internal event tracking system during report processing.
    3. Items: event
  3. Add event definition
    1. Type: object
    2. Properties:
      1. event: string, required -- Name of event to track
      2. property: string, optional
      3. label: string, optional
      4. value: number, optional
      5. Allow custom properties for additional data

Implementation plan

  1. Define the schema changes needed to collect metrics (see https://docs.gitlab.com/ee/development/internal_analytics/internal_event_instrumentation/).
  2. Make changes in an MR and open up for comments from team.
  3. Mark changes as GitLab internal only, not for 3rd party integrations.

{
  "scan": {
    "observability": {
      "events": [
        {
          // Name of the event
          "event": "api_security",
          // The following 3 properties are columns in the data warehouse;
          // they should be used for primary join/filtering
          "property": "scan_uuid", // Allows joining across events
          "label": "openapi|graphql_schema|postman|graphql|har",
          "value": 60, // length of scan in minutes
          // Custom properties stored in a JSON column in the data warehouse
          "version": "5.5.5",
          "version_major": 5,
          "operations": 10, // How many API operations we are scanning
          "per-request-script": true,
          "overrides-command": true,
          "status": "completed|failed",
          "content-type": "mixed|graphql|json|xml|soap"
        },
        {
          // This event can be joined via the scan_uuid
          "event": "api_security_cwe_92",
          "property": "scan_uuid",
          "label": "graphql",
          "value": 5, // count of vulnerabilities
          "parameters": 20 // number of parameters the check ran on
        }
      ]
    }
  }
}
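Added example, not GitLab's code: a minimal validator for the proposed scan.observability.events definition (required event string, optional property/label strings, optional numeric value, free-form custom properties), plus a grouping helper that joins events on their property field the way the data warehouse would on scan_uuid. The sample report and its UUID value are constructed for illustration.

```python
import json

# Rules mirror the proposal: "event" is a required string; "property" and
# "label" are optional strings; "value" is an optional number; any other key
# is an allowed custom property.
TYPED_FIELDS = {"event": str, "property": str, "label": str, "value": (int, float)}

def validate_event(ev, path):
    """Return error strings for one event object (empty list when valid)."""
    if not isinstance(ev, dict):
        return [f"{path}: must be an object"]
    errors = []
    if "event" not in ev:
        errors.append(f"{path}: missing required 'event'")
    for key, expected in TYPED_FIELDS.items():
        # bool is a subclass of int in Python, so reject it explicitly for "value"
        if key in ev and (isinstance(ev[key], bool) or not isinstance(ev[key], expected)):
            errors.append(f"{path}.{key}: wrong type {type(ev[key]).__name__}")
    return errors

def validate_observability(report):
    """Validate report['scan']['observability'] if present; the property is optional."""
    obs = report.get("scan", {}).get("observability")
    if obs is None:
        return []
    events = obs.get("events", [])
    if not isinstance(events, list):
        return ["scan.observability.events: must be an array"]
    errors = []
    for i, ev in enumerate(events):
        errors += validate_event(ev, f"scan.observability.events[{i}]")
    return errors

def join_by_property(report):
    """Group event names by 'property' (the scan_uuid in the proposal), i.e. the
    join key the warehouse would use to relate all events of one scan."""
    groups = {}
    for ev in report["scan"]["observability"].get("events", []):
        groups.setdefault(ev.get("property"), []).append(ev["event"])
    return groups

# Constructed sample report (relevant subtree only; values are made up).
SAMPLE = json.loads("""{
  "scan": {"observability": {"events": [
    {"event": "api_security", "property": "scan-uuid-0001", "label": "openapi",
     "value": 60, "operations": 10, "status": "completed"},
    {"event": "api_security_cwe_92", "property": "scan-uuid-0001", "label": "graphql",
     "value": 5, "parameters": 20}
  ]}}
}""")
```

Running validate_observability(SAMPLE) returns an empty list, and join_by_property(SAMPLE) maps the constructed scan UUID to both event names.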
Edited by Michael Eddington