Add events for Gemnasium in GitLab
What does this MR do and why?
The goal of this MR is to add events for Gemnasium scans, as part of Create end-to-end metrics for CA (&18116) (see Iteration 1). See the twin MR on the analyzer side.
The mockup graphs we aim to create can be found in these slides (the relevant slides are labeled Gemnasium).
The event definitions rest on the following assumptions:
- A scan contains a single security report
- A security report contains a single count of vulnerabilities for the entire scan
- A security report contains the execution time for the entire scan
- A scan contains multiple SBOM reports
- An SBOM report holds a single purl type and a single input file
- An SBOM report holds the count of its components, and adding the component counts of all SBOM reports yields the total component count for the project/scan
Example
A generated report in Gemnasium may look like:
Gemnasium
```jsonc
{
  "scan": {
    "observability": {
      "events": [
        {
          "event": "collect_gemnasium_scan_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "6.1.10", // filter: version
          "value": 100 // fast: number of vulnerabilities
        },
        {
          "event": "collect_gemnasium_scan_performance_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "value": 23 // fast: execution time in seconds
        },
        {
          "event": "collect_gemnasium_scan_sbom_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "npm", // fast: purl type
          "value": 50, // fast: components count
          "input_file_path": "yarn.lock" // slow: will be stored in jsonb
        }
      ]
    }
  }
}
```
Gemnasium-maven
```jsonc
{
  "scan": {
    "observability": {
      "events": [
        {
          "event": "collect_gemnasium_maven_scan_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "6.1.10", // filter: version
          "value": 100 // fast: number of vulnerabilities
        },
        {
          "event": "collect_gemnasium_maven_scan_performance_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "value": 23 // fast: execution time in seconds
        },
        {
          "event": "collect_gemnasium_maven_scan_sbom_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "maven", // fast: purl type
          "value": 50, // fast: components count
          "input_file_path": "pom.xml" // slow: will be stored in jsonb
        }
      ]
    }
  }
}
```
Gemnasium-python
```jsonc
{
  "scan": {
    "observability": {
      "events": [
        {
          "event": "collect_gemnasium_python_scan_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "6.1.10", // filter: version
          "value": 100 // fast: number of vulnerabilities
        },
        {
          "event": "collect_gemnasium_python_scan_performance_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "value": 23 // fast: execution time in seconds
        },
        {
          "event": "collect_gemnasium_python_scan_sbom_metrics_from_pipeline",
          "property": "scan_uuid", // join
          "label": "pypi", // fast: purl type
          "value": 50, // fast: components count
          "input_file_path": "requirements.txt" // slow: will be stored in jsonb
        }
      ]
    }
  }
}
```
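As an added example, not part of this MR or of the GitLab code base, a Ruby function that reads a report in the shape above and derives the per-scan figures the assumptions rely on (one vulnerability count, one execution time, SBOM component counts summed into a project total), rejecting reports that break them; the sample report, its second SBOM event and the scan UUID are constructed.

```ruby
require 'json'

# Constructed sample (not real Gemnasium output) in the shape shown above,
# minus the explanatory comments so it parses as strict JSON; UUID is made up.
UUID = '2a7b1c7e-0000-4000-8000-000000000001'
SAMPLE_REPORT = <<~JSON
  {"scan": {"observability": {"events": [
    {"event": "collect_gemnasium_scan_metrics_from_pipeline", "property": "#{UUID}", "label": "6.1.10", "value": 100},
    {"event": "collect_gemnasium_scan_performance_metrics_from_pipeline", "property": "#{UUID}", "value": 23},
    {"event": "collect_gemnasium_scan_sbom_metrics_from_pipeline", "property": "#{UUID}",
     "label": "npm", "value": 50, "input_file_path": "yarn.lock"},
    {"event": "collect_gemnasium_scan_sbom_metrics_from_pipeline", "property": "#{UUID}",
     "label": "npm", "value": 30, "input_file_path": "package-lock.json"}
  ]}}}
JSON

# The event name encodes the analyzer flavour (gemnasium, gemnasium-maven,
# gemnasium-python) and the event kind; only the kind matters for reading it.
EVENT_NAME = /\Acollect_gemnasium(?:_maven|_python)?_scan_(metrics|performance_metrics|sbom_metrics)_from_pipeline\z/

# Reads one report's observability events into a flat per-scan summary while
# enforcing the assumptions above: exactly one vulnerability-count event, exactly
# one execution-time event, any number of SBOM events, one shared join key.
def summarize_gemnasium_events(report_json)
  events = JSON.parse(report_json).dig('scan', 'observability', 'events') || []
  join_keys = events.map { |e| e['property'] }.uniq
  raise ArgumentError, "expected one join key, got #{join_keys.inspect}" unless join_keys.size == 1
  by_kind = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    kind = e['event'].to_s[EVENT_NAME, 1]
    raise ArgumentError, "unknown event #{e['event'].inspect}" unless kind
    by_kind[kind] << e
  end
  raise ArgumentError, 'expected exactly one scan metrics event' unless by_kind['metrics'].size == 1
  raise ArgumentError, 'expected exactly one performance event' unless by_kind['performance_metrics'].size == 1

  # One row per SBOM report; the project-wide component count is their sum.
  sbom = by_kind['sbom_metrics'].map do |e|
    { purl_type: e['label'], components: Integer(e['value']), input_file_path: e['input_file_path'] }
  end
  {
    scan_uuid: join_keys.first,
    analyzer_version: by_kind['metrics'].first['label'],
    vulnerabilities: Integer(by_kind['metrics'].first['value']),
    execution_time_seconds: by_kind['performance_metrics'].first['value'],
    sbom: sbom,
    total_components: sbom.sum { |s| s[:components] }
  }
end
```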
References
Add metrics for Gemnasium (#570521 - closed)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Nick Ilieskou