
Resolve: Security Dashboard: GraphQL Support / Expose meanAge and medianAge [BE]

What does this MR do and why?

References

How to set up and validate locally

Step 1: ElasticSearch Setup + Feature Flag
  1. Make sure you have ElasticSearch running on your local env. Follow the steps: https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/elasticsearch.md#setup
  2. Run the migration in Rails console:
       Elastic::DataMigrationService[20251024110346].migrate
  3. Index vulnerability data:
       Vulnerabilities::Read.all.each { |v| ::Elastic::ProcessBookkeepingService.track!(Search::Elastic::References::Vulnerability.new(v.vulnerability_id, "group_#{v.project.namespace.root_ancestor.id}")) }
  4. Then run:
       Elastic::ProcessBookkeepingService.new.execute
  5. Now enable the feature flag in Rails console:
       Feature.enable(:group_security_dashboard_new)

Now go to http://gdk.test:3000/-/graphql-explorer and run:

{
  group(fullPath: "gitlab-org") {
    id
    securityMetrics {
      vulnerabilitiesPerSeverity(
        startDate: "2025-01-01T00:00:00Z"
        endDate: "2025-06-01T00:00:00Z"
      ) {
        info {
          count
          meanAge
          medianAge
        }
        unknown {
          count
          meanAge
          medianAge
        }
        high {
          count
          meanAge
          medianAge
        }
        low {
          count
          meanAge
          medianAge
        }
        medium {
          count
          meanAge
          medianAge
        }
        critical {
          count
          meanAge
          medianAge
        }
      }
    }
  }
}

This should return something like:

{
  "data": {
    "group": {
      "id": "gid://gitlab/Group/24",
      "securityMetrics": {
        "vulnerabilitiesPerSeverity": {
          "info": {
            "severity": "INFO",
            "count": 6,
            "meanAge": 202.4290970335998,
            "medianAge": 202.42909703412064
          },
          "unknown": {
            "count": 6,
            "meanAge": 203.22131320320625,
            "medianAge": 203.22131320328728
          },
          "high": {
            "count": 3,
            "meanAge": 203.22131320358818,
            "medianAge": 203.22131320364605
          },
          "low": {
            "count": 6,
            "meanAge": 203.2213132033567,
            "medianAge": 203.22131320341455
          },
          "medium": {
            "count": 48,
            "meanAge": 203.22131320347248,
            "medianAge": 203.22131320353031
          },
          "critical": {
            "count": 9,
            "meanAge": 203.22131320370391,
            "medianAge": 203.22131320504653
          }
        }
      }
    }
  },
  "correlationId": "01K9AQR78ABZ2Z87MT3JCVGEQ3"
}
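
One way to check the response mechanically rather than by eye, as an added example (not code from this MR or from GitLab): the Ruby function below takes the JSON body returned by the query and lists every severity bucket that is missing or whose count, meanAge or medianAge looks wrong. The function name, the sample data and the treatment of null ages are assumptions.

```ruby
require "json"

SEVERITIES = %w[critical high medium low info unknown].freeze

# Returns a list of problems; an empty list means every severity bucket
# carries count, meanAge and medianAge with plausible values.
def check_severity_metrics(body)
  doc = JSON.parse(body)
  return ["GraphQL errors: #{doc['errors'].inspect}"] if doc["errors"]

  buckets = doc.dig("data", "group", "securityMetrics", "vulnerabilitiesPerSeverity")
  return ["vulnerabilitiesPerSeverity missing from response"] unless buckets.is_a?(Hash)

  SEVERITIES.flat_map do |sev|
    bucket = buckets[sev]
    next ["#{sev}: bucket missing"] unless bucket.is_a?(Hash)

    count = bucket["count"]
    found = []
    found << "#{sev}: count must be a non-negative integer" unless count.is_a?(Integer) && count >= 0
    %w[meanAge medianAge].each do |field|
      age = bucket[field]
      if !bucket.key?(field)
        found << "#{sev}: #{field} not returned"
      elsif age.nil?
        next # assumption: a bucket with no vulnerabilities may report null
      elsif !age.is_a?(Numeric) || age.negative?
        found << "#{sev}: #{field} must be a non-negative number"
      elsif count == 0
        found << "#{sev}: #{field} set although count is 0"
      end
    end
    found
  end
end

# Constructed sample: one bucket copied from the response above, one
# deliberately broken bucket, and four buckets left out.
SAMPLE = <<~JSON
  {"data":{"group":{"securityMetrics":{"vulnerabilitiesPerSeverity":{
    "high":{"count":3,"meanAge":203.22131320358818,"medianAge":203.22131320364605},
    "low":{"count":0,"meanAge":-1.0}
  }}}}}
JSON

puts check_severity_metrics(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Paste the explorer's JSON output into a file and pass its contents to `check_severity_metrics`; an empty result means all six buckets returned the new fields.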

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Charlie Kroon
