Add metric for CVS on sbom change

EE: true

Add metric for CVS on sbom change
6e6a62d4 · Zamir Martins · GitLab · 9f2022b8 · 6e6a62d4 · 6e6a62d4
--- a/ee/app/services/sbom/create_vulnerabilities_service.rb
+++ b/ee/app/services/sbom/create_vulnerabilities_service.rb
@@ -4,6 +4,7 @@ module Sbom
  class CreateVulnerabilitiesService
    include Gitlab::Utils::StrongMemoize
    include Gitlab::VulnerabilityScanning::AdvisoryUtils
+    include Gitlab::InternalEventsTracking

    def self.execute(pipeline_id)
      new(pipeline_id).execute
@@ -11,13 +12,19 @@ def self.execute(pipeline_id)

    def initialize(pipeline_id)
      @pipeline_id = pipeline_id
+      @possibly_affected_sbom_occurrences_count = 0
+      @known_affected_sbom_occurrences_count = 0
    end

    def execute
+      start_time = Time.current.iso8601
+
      valid_sbom_reports.each do |sbom_report|
        next unless sbom_report.source.present?

        sbom_report.components.each_slice(::Security::IngestionConstants::COMPONENTS_BATCH_SIZE) do |occurrence_batch|
+          @possibly_affected_sbom_occurrences_count += occurrence_batch.count
+
          affected_packages(occurrence_batch).each_batch do |affected_package_batch|
            finding_maps = affected_package_batch.filter_map do |affected_package|
              # We need to match every affected package to one occurrence
@@ -29,6 +36,8 @@ def execute

              next unless affected_occurrence.present?

+              @known_affected_sbom_occurrences_count += 1
+
              advisory_data_object = Gitlab::VulnerabilityScanning::Advisory.from_affected_package(
                affected_package: affected_package, advisory: affected_package.advisory)

@@ -45,9 +54,21 @@ def execute
          end
        end
      end
+
+      track_internal_event(
+        'cvs_on_sbom_change',
+        additional_properties: {
+          label: 'pipeline_info',
+          property: pipeline_id.to_s,
+          start_time: start_time,
+          end_time: Time.current.iso8601,
+          possibly_affected_sbom_occurrences: possibly_affected_sbom_occurrences_count,
+          known_affected_sbom_occurrences: known_affected_sbom_occurrences_count
+        }
+      )
    end

-    attr_reader :pipeline_id
+    attr_reader :pipeline_id, :possibly_affected_sbom_occurrences_count, :known_affected_sbom_occurrences_count

    private


--- a/ee/config/events/cvs_on_sbom_change.yml
+++ b/ee/config/events/cvs_on_sbom_change.yml
+---
+description: CVS is triggered by a change to the Software Bill of Materials (SBOM)
+internal_events: true
+action: cvs_on_sbom_change
+additional_properties:
+  label:
+    description: pipeline_info - source of SBOM components
+  property:
+    description: pipeline id
+product_group: composition_analysis
+milestone: '17.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163935
+distributions:
+  - ee
+tiers:
+  - ultimate
--- a/ee/config/metrics/counts_28d/count_total_cvs_on_sbom_change_monthly.yml
+++ b/ee/config/metrics/counts_28d/count_total_cvs_on_sbom_change_monthly.yml
+---
+key_path: counts.count_total_cvs_on_sbom_change_monthly
+description: Monthly count of Affected SBOM occurrences
+product_group: composition_analysis
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163935
+time_frame: 28d
+data_source: internal_events
+data_category: optional
+distribution:
+  - ee
+tier:
+  - ultimate
+events:
+  - name: cvs_on_sbom_change
--- a/ee/config/metrics/counts_7d/count_total_cvs_on_sbom_change_weekly.yml
+++ b/ee/config/metrics/counts_7d/count_total_cvs_on_sbom_change_weekly.yml
+---
+key_path: counts.count_total_cvs_on_sbom_change_weekly
+description: Weekly count of Affected SBOM occurrences
+product_group: composition_analysis
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.4'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/163935
+time_frame: 7d
+data_source: internal_events
+data_category: optional
+distribution:
+  - ee
+tier:
+  - ultimate
+events:
+  - name: cvs_on_sbom_change
--- a/ee/spec/services/sbom/create_vulnerabilities_service_spec.rb
+++ b/ee/spec/services/sbom/create_vulnerabilities_service_spec.rb
@@ -7,11 +7,13 @@
    let_it_be(:user) { create(:user) }
    let_it_be(:pipeline) { create(:ee_ci_pipeline, :with_cyclonedx_report, user: user) }
    let(:occurrences_count) { 5 }
+    let(:sbom_reports) { pipeline.sbom_reports.reports.select(&:source) }
+    let(:pipeline_components) { sbom_reports.flat_map(&:components) }
    let(:occurrences) do
-      components = pipeline.sbom_reports.reports.last.components
+      components = sbom_reports.last.components
      Array.new(occurrences_count) do |i|
        { purl_type: components[i].purl.type, name: components[i].name, version: components[i].version,
-          input_file_path: pipeline.sbom_reports.reports.last.source.input_file_path }
+          input_file_path: sbom_reports.last.source.input_file_path }
      end
    end

@@ -99,6 +101,20 @@
        ])
      end

+      it 'calls track cvs service with the right parameters', :freeze_time do
+        expect { result }.to trigger_internal_events('cvs_on_sbom_change')
+          .with(additional_properties:
+                {
+                  label: 'pipeline_info',
+                  property: pipeline.id.to_s,
+                  start_time: Time.current.iso8601,
+                  end_time: Time.current.iso8601,
+                  possibly_affected_sbom_occurrences: pipeline_components.count,
+                  known_affected_sbom_occurrences: occurrences.count
+                }
+               )
+      end
+
      context 'with multiple affected packages with different advisories associated with a single occurrence' do
        before do
          create(:pm_affected_package, purl_type: occurrence[:purl_type],