New DS analyzer: SR: Java: Track import mapping coverage
Overview
- Since we're only storing mappings for ~10K popular + vulnerable Maven packages (and not all 640K+ in PMDB), we need to track how well our subset covers real-world usage.
- We're assuming the Pareto principle applies - that 5-10K packages will cover 95%-99% of real usage. This issue adds tracking to validate that assumption with actual data.
Proposal
Add a Java-specific coverage metric event. This event reports the SR Java coverage across all Java SBOMs in a particular scan:

```json
{
  "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
  "property": "scan_uuid",
  "value": 95
}
```
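As an added example (not code from this issue or from the analyzer), the following shows how the per-scan value could be computed from the Java components of every SBOM in a scan and serialised as the event above, in Go since the DS analyzers are written in Go. The `group:artifact` keying, the version-less per-package mapping lookup, and carrying the scan UUID in `property` are assumptions.

```go
package main

import (
	"encoding/json"
	"math"
)

// EventName is the proposed internal event name from the issue.
const EventName = "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline"

// CoverageEvent is the event payload; "property" is assumed to carry the scan UUID.
type CoverageEvent struct {
	Event    string `json:"event"`
	Property string `json:"property"`
	Value    int    `json:"value"`
}

// Coverage returns the share (rounded to a whole percent) of distinct Java
// components across all SBOMs of one scan that have an import mapping in the
// stored subset. Components are keyed "group:artifact" (assumed convention;
// versions are dropped because mappings are assumed to be per package, so a
// package pulled in at two versions counts once). ok is false when the scan
// has no Java components, so the caller skips the event rather than reporting 0%.
func Coverage(mapped map[string]bool, sboms [][]string) (pct int, ok bool) {
	seen := map[string]bool{}
	covered := 0
	for _, sbom := range sboms {
		for _, pkg := range sbom {
			if seen[pkg] {
				continue
			}
			seen[pkg] = true
			if mapped[pkg] {
				covered++
			}
		}
	}
	if len(seen) == 0 {
		return 0, false
	}
	return int(math.Round(100 * float64(covered) / float64(len(seen)))), true
}

// EventJSON serialises the coverage event for one scan.
func EventJSON(scanUUID string, pct int) (string, error) {
	b, err := json.Marshal(CoverageEvent{Event: EventName, Property: scanUUID, Value: pct})
	return string(b), err
}
```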
- Define new internal event in monolith
- Define event in the event registry
- Whitelist event name for use in security report
- Populate event in Gemnasium and DS security reports
- Validate event data is populating in Snowflake
Edited by Nick Ilieskou