New DS analyzer: SR: Java: Track import mapping coverage

Overview

  • Since we're only storing mappings for ~10K popular + vulnerable Maven packages (and not all 640K+ in PMDB), we need to track how well our subset covers real-world usage.
  • We're assuming the Pareto principle applies - that 5-10K packages will cover 95%-99% of real usage. This issue adds tracking to validate that assumption with actual data.

Proposal

Add a Java-specific coverage metric event. This event carries the SR Java coverage across all Java SBOMs in a particular scan, for example:

{
  "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
  "property": "scan_uuid",
  "value": 95
}
  1. Define the new internal event in the monolith
  2. Define the event in the event registry
  3. Whitelist the event name for use in the security report
  4. Populate the event in the Gemnasium and DS security reports
  5. Validate that the event data is populating in Snowflake
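As an added example (not GitLab's code), the following computes the coverage value such an event would carry. It assumes import mappings are keyed by version-independent Maven `group:artifact` coordinates, that a scan may hold several CycloneDX-style Java SBOMs, and that the event's `property` carries the scan's UUID; the mapping set and SBOMs below are constructed sample data.

```python
from typing import Iterable, Optional

EVENT_NAME = "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline"

# Constructed sample of the stored mapping subset, keyed by group:artifact.
MAPPED = {
    "org.apache.commons:commons-lang3",
    "com.google.guava:guava",
    "org.slf4j:slf4j-api",
}

# Constructed sample: two Java SBOMs from one scan, plus a non-Maven component.
SAMPLE_SBOMS = [
    {"components": [
        {"purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"purl": "pkg:maven/com.google.guava/guava@32.1.3-jre?type=jar"},
        {"purl": "pkg:maven/com.example/internal-lib@1.0.0"},  # not in subset
        {"purl": "pkg:npm/lodash@4.17.21"},                       # ignored
    ]},
    {"components": [
        {"purl": "pkg:maven/org.slf4j/slf4j-api@2.0.9"},
        {"purl": "pkg:maven/org.apache.commons/commons-lang3@3.11"},  # duplicate
    ]},
]

def maven_coordinate(purl: str) -> Optional[str]:
    """Return 'group:artifact' for a pkg:maven purl, None for anything else."""
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):].split("@", 1)[0].split("?", 1)[0]
    parts = body.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return f"{parts[0]}:{parts[1]}"

def java_coverage(sboms: Iterable[dict], mapped: set) -> Optional[int]:
    """Percentage (rounded) of distinct Maven components across all SBOMs of a scan
    that have a stored mapping; None when the scan has no Maven components."""
    seen = set()
    for sbom in sboms:
        for comp in sbom.get("components", []):
            coord = maven_coordinate(comp.get("purl", ""))
            if coord:
                seen.add(coord)
    if not seen:
        return None
    return round(100 * len(seen & mapped) / len(seen))

def coverage_event(scan_uuid: str, sboms: Iterable[dict], mapped: set) -> Optional[dict]:
    """Build the event payload; None means nothing to report for this scan."""
    value = java_coverage(sboms, mapped)
    if value is None:
        return None
    return {"event": EVENT_NAME, "property": scan_uuid, "value": value}
```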
Edited by Nick Ilieskou