Add filtering for cluster agent in GraphQL Vulnerabilities API
What does this MR do and why?
In this MR we're adding the ability to filter vulnerabilities by the cluster agent that performed the Cluster Image Scanning scan.
Database query
```sql
SELECT *
FROM vulnerabilities
INNER JOIN vulnerability_occurrences
  ON vulnerability_occurrences.vulnerability_id = vulnerabilities.id
WHERE vulnerabilities.project_id = 27958807
  AND vulnerability_occurrences.report_type = 7
  AND (vulnerability_occurrences.location -> 'agent_id' ?| array['153813']);
```
Before: 2.497 s

```
Nested Loop  (cost=1.00..2316.78 rows=1 width=1978) (actual time=2490.865..2490.868 rows=0 loops=1)
  Buffers: shared hit=2577 read=991 dirtied=147
  I/O Timings: read=2443.311 write=0.000
  ->  Index Scan using index_vulnerabilities_on_project_id_and_state_and_severity on public.vulnerabilities  (cost=0.56..703.56 rows=465 width=354) (actual time=6.515..1623.167 rows=736 loops=1)
        Index Cond: (vulnerabilities.project_id = 27958807)
        Buffers: shared hit=7 read=617 dirtied=147
        I/O Timings: read=1611.528 write=0.000
  ->  Index Scan using index_vulnerability_occurrences_on_vulnerability_id on public.vulnerability_occurrences  (cost=0.44..3.46 rows=1 width=1624) (actual time=1.175..1.175 rows=0 loops=736)
        Index Cond: (vulnerability_occurrences.vulnerability_id = vulnerabilities.id)
        Filter: ((vulnerability_occurrences.report_type = 7) AND ((vulnerability_occurrences.location -> 'agent_id'::text) ?| '{153813}'::text[]))
        Rows Removed by Filter: 1
        Buffers: shared hit=2570 read=374
        I/O Timings: read=831.783 write=0.000
```
After index is added: -> !76640 (merged)
After: 7.013 ms

```
Nested Loop  (cost=7.94..67.26 rows=1 width=1978) (actual time=0.155..0.157 rows=0 loops=1)
  Buffers: shared hit=2
  I/O Timings: read=0.000 write=0.000
  ->  Bitmap Heap Scan on public.vulnerability_occurrences  (cost=7.50..25.76 rows=12 width=1624) (actual time=0.155..0.155 rows=0 loops=1)
        Buffers: shared hit=2
        I/O Timings: read=0.000 write=0.000
        ->  Bitmap Index Scan using index_vulnerability_occurrences_on_location_agent_id  (cost=0.00..7.50 rows=12 width=0) (actual time=0.100..0.101 rows=0 loops=1)
              Index Cond: ((vulnerability_occurrences.location -> 'agent_id'::text) ?| '{153813}'::text[])
              Buffers: shared hit=2
              I/O Timings: read=0.000 write=0.000
  ->  Index Scan using vulnerabilities_pkey on public.vulnerabilities  (cost=0.44..3.46 rows=1 width=354) (actual time=0.000..0.000 rows=0 loops=0)
        Index Cond: (vulnerabilities.id = vulnerability_occurrences.vulnerability_id)
        Filter: (vulnerabilities.project_id = 27958807)
        Rows Removed by Filter: 0
        I/O Timings: read=0.000 write=0.000
```
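As an added illustration (not code from this MR or from GitLab), here is a self-contained PostgreSQL sketch of the JSONB predicate the query above depends on and of the expression GIN index that lets the planner serve it with a Bitmap Index Scan. The table shapes, the index definition (inferred from the `?|` Index Cond in the "After" plan) and the sample rows are assumptions; only the column names, the `report_type` value and the `?|` predicate are taken from the MR's query.

```sql
-- Added example, not the MR's own schema: minimal shapes of the two tables
-- joined by the query above. Column names and the report_type value come
-- from the MR; everything else is constructed for this sketch.
CREATE TEMP TABLE vulnerabilities (
  id         bigint PRIMARY KEY,
  project_id bigint NOT NULL
);

CREATE TEMP TABLE vulnerability_occurrences (
  id               bigserial PRIMARY KEY,
  vulnerability_id bigint NOT NULL REFERENCES vulnerabilities (id),
  report_type      smallint NOT NULL,  -- 7 = cluster image scanning in the MR's query
  location         jsonb NOT NULL      -- the CIS analyzer stores the agent id under 'agent_id'
);

-- Assumed definition of the index the "After" plan names: a GIN index on the
-- expression (location -> 'agent_id'), which supports the ?, ?| and ?& operators.
-- Without it the filter runs per row after the join (the "Before" plan).
CREATE INDEX index_vulnerability_occurrences_on_location_agent_id
  ON vulnerability_occurrences USING gin ((location -> 'agent_id'));

-- Constructed sample data: two projects, two agents, one non-CIS finding.
INSERT INTO vulnerabilities (id, project_id) VALUES (1, 100), (2, 100), (3, 200);
INSERT INTO vulnerability_occurrences (vulnerability_id, report_type, location) VALUES
  (1, 7, '{"image": "nginx:1.21", "agent_id": "46357"}'),
  (2, 7, '{"image": "redis:6", "agent_id": "99999"}'),   -- different agent
  (3, 7, '{"image": "nginx:1.21", "agent_id": "46357"}'), -- right agent, other project
  (1, 2, '{"file": "Gemfile.lock"}');                     -- not a CIS finding, no agent_id

-- The agent id is stored as a JSON *string*, so the ?| argument must be a
-- text[] of strings: on a scalar JSON string, ?| is true when any element of
-- the array equals that string. Passing several ids matches any of the agents.
SELECT v.id AS vulnerability_id, o.location ->> 'image' AS image
FROM vulnerabilities v
INNER JOIN vulnerability_occurrences o ON o.vulnerability_id = v.id
WHERE v.project_id = 100
  AND o.report_type = 7
  AND (o.location -> 'agent_id' ?| array['46357', '12345']);
-- Expected: a single row, vulnerability_id = 1, image = nginx:1.21.

-- On a table this small the planner prefers a sequential scan; disable it
-- in the session to see the same Bitmap Index Scan shape as in the MR's plan.
SET enable_seqscan = off;
EXPLAIN (ANALYZE, BUFFERS)
SELECT v.id
FROM vulnerabilities v
INNER JOIN vulnerability_occurrences o ON o.vulnerability_id = v.id
WHERE v.project_id = 100
  AND o.report_type = 7
  AND (o.location -> 'agent_id' ?| array['46357']);
```

Two things worth keeping in mind when reviewing the filter: the value must be passed as a string array (an integer would never match the stored JSON string), and the predicate must stay in the exact form `location -> 'agent_id'` so that it matches the indexed expression; rewriting it as `location ->> 'agent_id' = ...` or `location @> ...` would bypass the GIN index and fall back to the per-row filter seen in the "Before" plan.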
How to set up and validate locally
- Create a new project.
- Create and configure your cluster and CI configuration to run Cluster Image Scanning (https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/).
- In the `.gitlab-ci.yml` file add:

  ```yaml
  include:
    - template: Security/Cluster-Image-Scanning.gitlab-ci.yml

  cluster_image_scanning:
    variables:
      CIS_ANALYZER_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/cluster-image-scanning:342662-read-cluster-agent-id
      CIS_CLUSTER_AGENT_IDENTIFIER: 46357
  ```
- Run the pipeline and verify that vulnerabilities were created.
- Go to the GraphQL Explorer and try to fetch vulnerabilities by `clusterAgentId` (using `gid://gitlab/Clusters::Agent/46357`). You should see vulnerabilities in the response.
- Try again with a different `clusterAgentId`.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #342662 (closed)
Edited by Alan (Maciej) Paruszewski