
Add vulnerabilities risk score finder

What does this MR do and why?

  1. Adds risk score aggregation query to Search::Elastic::VulnerabilityAggregations
  2. Uses the above query in Search::Elastic::VulnerabilityQueryBuilder
  3. Creates Security::VulnerabilityElasticRiskScoresFinder which uses the above query to fetch project/group risk scores.

Logic -

Project/Group Risk Score = min(1.0, (Σvulnerability_risk_score + Σvulnerability_age_in_months × 0.005) × 1/√(number_of_vulnerabilities))

Keeping that in mind, if we look at the score formula closely, Σvulnerability_age_in_months is nothing but

Σ(current_time - created_at), which can be simplified further to

number_of_vulnerabilities × current_epoch_time - Σcreated_at_in_epoch_time

We can then use this simplification to calculate total risk scores without using scripts. More info on the issue - #571079 (comment 2816510162)
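To illustrate the simplification, here is an added Ruby example (not the MR's code) that evaluates the score from only the three values the aggregation returns (hit count, Σrisk_score, Σcreated_at) and checks it against the per-vulnerability form on constructed data. It assumes created_at is stored as epoch milliseconds (consistent with the magnitude in the sample response) and a 30-day month for the age conversion.

```ruby
# Added example, not GitLab's code. Assumptions: created_at is epoch
# milliseconds; one month = 30 days for the age-in-months conversion.
MS_PER_MONTH = 30 * 24 * 60 * 60 * 1000.0

# Score from aggregated values only, as the finder would receive them:
# count (track_total_hits), risk_scores_sum, created_at_sum (ms).
def aggregated_risk_score(count:, risk_scores_sum:, created_at_sum:, now_ms:)
  return 0.0 if count.zero?

  # Σ(now - created_at) == count * now - Σcreated_at, then convert to months.
  age_sum_months = (count * now_ms - created_at_sum) / MS_PER_MONTH
  raw = (risk_scores_sum + age_sum_months * 0.005) / Math.sqrt(count)
  [1.0, raw].min
end

# Reference: the same formula evaluated per vulnerability (needs every doc).
def per_vulnerability_risk_score(vulns, now_ms:)
  return 0.0 if vulns.empty?

  risk_sum = vulns.sum { |v| v[:risk_score] }
  age_sum  = vulns.sum { |v| (now_ms - v[:created_at_ms]) / MS_PER_MONTH }
  [1.0, (risk_sum + age_sum * 0.005) / Math.sqrt(vulns.size)].min
end

# Constructed sample: three vulnerabilities aged 12, 6 and 1 months.
NOW_MS = 1_700_000_000_000
SAMPLE_VULNS = [
  { risk_score: 0.30, created_at_ms: NOW_MS - 12 * MS_PER_MONTH },
  { risk_score: 0.20, created_at_ms: NOW_MS - 6 * MS_PER_MONTH },
  { risk_score: 0.10, created_at_ms: NOW_MS - 1 * MS_PER_MONTH }
].freeze

def sample_aggregated
  aggregated_risk_score(
    count: SAMPLE_VULNS.size,
    risk_scores_sum: SAMPLE_VULNS.sum { |v| v[:risk_score] },
    created_at_sum: SAMPLE_VULNS.sum { |v| v[:created_at_ms] },
    now_ms: NOW_MS
  )
end

def sample_per_vulnerability
  per_vulnerability_risk_score(SAMPLE_VULNS, now_ms: NOW_MS)
end

puts format('aggregated=%.4f per-vuln=%.4f', sample_aggregated, sample_per_vulnerability)
```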

ES query

GET gitlab-development-vulnerabilities/_search
{
  "size": 0,
  "track_total_hits": true,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              {
                "prefix": {
                  "traversal_ids": {
                    "_name": "namespace:ancestry_filter:descendants",
                    "value": "24-"
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "terms": {
            "state": [
              1,
              4
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "risk_scores_sum": {
      "sum": {
        "field": "risk_score"
      }
    },
    "created_at_sum": {
      "sum": {
        "field": "created_at"
      }
    }
  }
}
{"took"=>33,
 "timed_out"=>false,
 "_shards"=>{"total"=>1, "successful"=>1, "skipped"=>0, "failed"=>0},
 "hits"=>{"total"=>{"value"=>209216, "relation"=>"eq"}, "max_score"=>nil, "hits"=>[]},
 "aggregations"=>{"risk_scores_sum"=>{"value"=>0.0}, "created_at_sum"=>{"value"=>3.428900475197933e+17, "value_as_string"=>"+10867723-01-20T06:09:53.280Z"}}}

The above response is from a large known group on staging. Steps followed from here

References

Relates to - #571079 (closed)


Edited by Rushik Subba
