
Add SR java coverage event

What does this MR do and why?

This MR updates the DS analyzer so that it emits an event reporting Static Reachability (SR) Java coverage. The event is emitted only for Java SBOMs, and only when static reachability is enabled. Each event contains the scan UUID (the UUID from the Security Report, carried in the property field), the input file path (carried in the label field) and the coverage (carried in the value field).

Coverage is defined as the share of components in an SBOM for which we have metadata, and for which we could therefore decide whether the component is reachable or not, relative to the components for which we have no metadata; it is reported as an integer percentage of all components in the input file. The coverage metric gives us a good hint of how good our metadata is. Currently the Java metadata contains the 12K most popular packages plus all packages with at least one vulnerability (around 2K). If our coverage numbers are low, we might need to increase the amount of metadata.

Related issues

New DS analyzer: SR: Java: Track import mapping... (gitlab-org/gitlab#561261)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Testing

In order to test this feature we used the E2E test project gson-fork and used the image generated by this MR.

The dependency scanning job generated the following events:

o11y events
 "observability": {
      "events": [
        {
          "event": "collect_ds_analyzer_scan_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "1.0.5",
          "value": 2
        },
        {
          "event": "collect_ds_analyzer_scan_duration_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "value": 18
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_duration_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "value": 10
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_duration_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "value": 0
        },
        {
          "event": "collect_ds_analyzer_scan_security_report_duration_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "value": 7
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 15,
          "input_file_path": "extras/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 12,
          "input_file_path": "gson/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 0,
          "input_file_path": "maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 36,
          "input_file_path": "metrics/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_sbom_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 13,
          "input_file_path": "proto/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 36,
          "in_use": 0,
          "input_file_path": "metrics/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 13,
          "in_use": 0,
          "input_file_path": "proto/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 15,
          "in_use": 14,
          "input_file_path": "extras/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 12,
          "in_use": 10,
          "input_file_path": "gson/maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_static_reachability_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven",
          "value": 0,
          "in_use": 0,
          "input_file_path": "maven.graph.json"
        },
        {
          "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "maven.graph.json",
          "value": 0
        },
        {
          "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "metrics/maven.graph.json",
          "value": 75
        },
        {
          "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "proto/maven.graph.json",
          "value": 100
        },
        {
          "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "extras/maven.graph.json",
          "value": 86
        },
        {
          "event": "collect_ds_analyzer_scan_java_sr_coverage_metrics_from_pipeline",
          "property": "b2fabc69-698c-4814-8dad-d4fca35a30e7",
          "label": "gson/maven.graph.json",
          "value": 91
        }
      ]
    }
Edited by Nick Ilieskou
