Add metrics for Gemnasium
Introduction
Introduce metrics in Gemnasium to track:
- versions used by customers
- total number of Gemnasium instances
- number of vulnerabilities per scan
- number of SBOMs generated
- PURL type of each SBOM
- size of each SBOM, measured as its component count
- input file path of each SBOM
- execution time of Gemnasium scans
We need to differentiate between the three Gemnasium flavours:
- gemnasium
- gemnasium-maven
- gemnasium-python
Proposal
// Columns (property, label, value): indexed, so they can be joined and filtered on quickly
// JSON column fields (everything else): stored in jsonb, slow to query
{
  "scan": {
    "observability": {
      "events": [
        ////////////////////////////////////////////////////////////////////
        // Scanner Basic Metrics
        ////////////////////////////////////////////////////////////////////
        {
          "event": "collect_gemnasium_scan_metrics_from_pipeline",
          "property": "scan_uuid", // join key
          "label": "6.1.10",       // filter: Gemnasium version
          "value": 100             // fast: number of vulnerabilities
        },
        ////////////////////////////////////////////////////////////////////
        // Performance Metrics
        ////////////////////////////////////////////////////////////////////
        {
          "event": "collect_gemnasium_scan_performance_metrics_from_pipeline",
          "property": "scan_uuid", // join key
          "value": 23              // fast: execution time in seconds
        },
        ////////////////////////////////////////////////////////////////////
        // SBOM related Metrics: one event per SBOM
        ////////////////////////////////////////////////////////////////////
        {
          "event": "collect_gemnasium_scan_sbom_metrics_from_pipeline",
          "property": "scan_uuid",              // join key
          "label": "pypi",                      // fast: PURL type
          "value": 50,                          // fast: component count
          "input_file_path": "requirements.txt" // slow: stored in jsonb
        }
      ]
    }
  }
}
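The following Go program is an added example, not Gemnasium's own code, of how the analyzer side could derive the three event kinds above from a scan and how the report side could check them before accepting them. It assumes a minimal CycloneDX JSON SBOM (only `components[].purl` is read), derives the PURL type from the `pkg:<type>/...` prefix, refuses SBOMs that mix PURL types (the proposal carries one type per SBOM event), and applies the whitelist of event names. The type names (`Event`, `SBOMSummary`), function names and the sample SBOM are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event names from the proposal; Validate rejects anything else.
const (
	EventScan        = "collect_gemnasium_scan_metrics_from_pipeline"
	EventPerformance = "collect_gemnasium_scan_performance_metrics_from_pipeline"
	EventSBOM        = "collect_gemnasium_scan_sbom_metrics_from_pipeline"
)

var allowedEvents = map[string]bool{EventScan: true, EventPerformance: true, EventSBOM: true}

// Event mirrors one entry of scan.observability.events. property, label and
// value land in indexed columns; input_file_path is the jsonb (slow) field.
type Event struct {
	Event         string `json:"event"`
	Property      string `json:"property"`
	Label         string `json:"label,omitempty"`
	Value         int    `json:"value"`
	InputFilePath string `json:"input_file_path,omitempty"`
}

// SBOMSummary is what the analyzer knows about one generated SBOM (example type).
type SBOMSummary struct {
	PurlType       string
	ComponentCount int
	InputFilePath  string
}

// Constructed sample SBOM: two pypi components, as Gemnasium-python would emit for requirements.txt.
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
  {"purl":"pkg:pypi/flask@2.0.3"},{"purl":"pkg:pypi/jinja2@3.1.2"}]}`

// purlType extracts the type from a package URL, e.g. "pkg:pypi/flask@2.0.3" -> "pypi".
func purlType(purl string) (string, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", fmt.Errorf("not a purl: %q", purl)
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	i := strings.IndexByte(rest, '/')
	if i <= 0 {
		return "", fmt.Errorf("purl without type: %q", purl)
	}
	return strings.ToLower(rest[:i]), nil
}

// SummarizeCycloneDX reads components[].purl from a CycloneDX JSON document and
// returns the PURL type and component count; mixed PURL types are an error.
func SummarizeCycloneDX(doc []byte, inputFilePath string) (SBOMSummary, error) {
	var bom struct {
		Components []struct {
			Purl string `json:"purl"`
		} `json:"components"`
	}
	if err := json.Unmarshal(doc, &bom); err != nil {
		return SBOMSummary{}, err
	}
	s := SBOMSummary{InputFilePath: inputFilePath}
	for _, c := range bom.Components {
		t, err := purlType(c.Purl)
		if err != nil {
			return SBOMSummary{}, err
		}
		if s.PurlType == "" {
			s.PurlType = t
		} else if s.PurlType != t {
			return SBOMSummary{}, fmt.Errorf("mixed purl types %q and %q in %s", s.PurlType, t, inputFilePath)
		}
		s.ComponentCount++
	}
	return s, nil
}

// BuildEvents produces one scan event, one performance event and one SBOM event per SBOM.
func BuildEvents(scanUUID, version string, vulnCount, durationSec int, sboms []SBOMSummary) []Event {
	events := []Event{
		{Event: EventScan, Property: scanUUID, Label: version, Value: vulnCount},
		{Event: EventPerformance, Property: scanUUID, Value: durationSec},
	}
	for _, s := range sboms {
		events = append(events, Event{Event: EventSBOM, Property: scanUUID, Label: s.PurlType,
			Value: s.ComponentCount, InputFilePath: s.InputFilePath})
	}
	return events
}

// Validate is the report-side check: whitelisted names only, a scan_uuid join
// key on every event, non-negative values, and a PURL type on SBOM events.
func Validate(events []Event) error {
	for i, e := range events {
		switch {
		case !allowedEvents[e.Event]:
			return fmt.Errorf("event %d: name %q is not whitelisted", i, e.Event)
		case e.Property == "":
			return fmt.Errorf("event %d: missing scan_uuid join key", i)
		case e.Value < 0:
			return fmt.Errorf("event %d: negative value", i)
		case e.Event == EventSBOM && e.Label == "":
			return fmt.Errorf("event %d: SBOM event without purl type", i)
		}
	}
	return nil
}

func main() {
	s, err := SummarizeCycloneDX([]byte(sampleSBOM), "requirements.txt")
	if err != nil {
		panic(err)
	}
	events := BuildEvents("scan_uuid", "6.1.10", 100, 23, []SBOMSummary{s})
	if err := Validate(events); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]any{"scan": map[string]any{
		"observability": map[string]any{"events": events}}}, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the `scan.observability.events` envelope from the proposal with the two sample components counted into the SBOM event. The mixed-PURL-type check matters for the `label` column: a multi-ecosystem SBOM would otherwise be silently attributed to whichever type appeared first.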
Implementation Plan
- Define new internal event in monolith
- Whitelist event name for use in security report
- Populate event in Gemnasium security report
- Validate event data is populating in Snowflake
/cc @zmartins
Edited by Nick Ilieskou