stackrox · parametalol · Apr 22, 2025 · May 16, 2025 · May 16, 2025 · May 16, 2025
diff --git a/central/config/service/service.go b/central/config/service/service.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stackrox/rox/central/config/datastore"
 	"github.com/stackrox/rox/central/convert/storagetov1"
 	"github.com/stackrox/rox/central/convert/v1tostorage"
+	"github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/central/platform/matcher"
 	"github.com/stackrox/rox/central/platform/reprocessor"
 	"github.com/stackrox/rox/central/telemetry/centralclient"
@@ -66,16 +67,18 @@ type Service interface {
 }
 
 // New returns a new Service instance using the given DataStore.
-func New(datastore datastore.DataStore) Service {
+func New(datastore datastore.DataStore, ar aggregator.Runner) Service {
 	return &serviceImpl{
-		datastore: datastore,
+		datastore:  datastore,
+		aggregator: ar,
 	}
 }
 
 type serviceImpl struct {
 	v1.UnimplementedConfigServiceServer
 
-	datastore datastore.DataStore
+	datastore  datastore.DataStore
+	aggregator aggregator.Runner
 }
 
 // RegisterServiceServer registers this service with the given gRPC Server.
@@ -170,6 +173,10 @@ func (s *serviceImpl) PutConfig(ctx context.Context, req *v1.PutConfigRequest) (
 	}
 	matcher.Singleton().SetRegexes(regexes)
 	go reprocessor.Singleton().RunReprocessor()
+
+	if err := s.aggregator.Reconfigure(req.GetConfig().GetPrivateConfig().GetPrometheusMetricsConfig()); err != nil {
+		return nil, err
+	}
 	return req.GetConfig(), nil
 }
 

diff --git a/central/config/service/singleton.go b/central/config/service/singleton.go
@@ -2,6 +2,7 @@ package service
 
 import (
 	"github.com/stackrox/rox/central/config/datastore"
+	"github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/pkg/sync"
 )
 
@@ -12,7 +13,7 @@ var (
 )
 
 func initialize() {
-	as = New(datastore.Singleton())
+	as = New(datastore.Singleton(), aggregator.Singleton())
 }
 
 // Singleton provides the instance of the Service interface to register.

diff --git a/central/main.go b/central/main.go
@@ -108,6 +108,7 @@ import (
 	"github.com/stackrox/rox/central/jwt"
 	logimbueHandler "github.com/stackrox/rox/central/logimbue/handler"
 	metadataService "github.com/stackrox/rox/central/metadata/service"
+	customMetrics "github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/central/metrics/telemetry"
 	mitreService "github.com/stackrox/rox/central/mitre/service"
 	namespaceService "github.com/stackrox/rox/central/namespace/service"
@@ -381,7 +382,7 @@ func startServices() {
 	administrationUsageInjector.Singleton().Start()
 	gcp.Singleton().Start()
 	administrationEventHandler.Singleton().Start()
-
+	customMetrics.Singleton().Start()
 	if features.PlatformComponents.Enabled() {
 		platformReprocessor.Singleton().Start()
 	}
@@ -866,6 +867,16 @@ func customRoutes() (customRoutes []routes.CustomRoute) {
 			ServerHandler: certHandler.BackupCerts(listener.Singleton()),
 			Compression:   true,
 		},
+		{
+			// User configured Prometheus metrics will be exposed on this path.
+			// The access is behind authorization because the metric label
+			// values may include sensitive data, such as deployment names and
+			// CVEs.
+			Route:         "/metrics",
+			Authorizer:    user.With(permissions.View(resources.Administration)),
+			ServerHandler: customMetrics.Singleton(),
+			Compression:   true,
+		},
 	}
 	scannerDefinitionsRoute := "/api/extensions/scannerdefinitions"
 	// Only grant compression to well-known content types. It should capture files
@@ -962,6 +973,7 @@ func waitForTerminationSignal() {
 		{gcp.Singleton(), "GCP cloud credentials manager"},
 		{cloudSourcesManager.Singleton(), "cloud sources manager"},
 		{administrationEventHandler.Singleton(), "administration events handler"},
+		{customMetrics.Singleton(), "custom Prometheus metrics gatherer"},
 	}
 
 	stoppables = append(stoppables,

diff --git a/central/metrics/aggregator/common/aggregator.go b/central/metrics/aggregator/common/aggregator.go
@@ -0,0 +1,43 @@
+package common
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+// aggregatedRecord is a single gauge metric record.
+type aggregatedRecord struct {
+	labels prometheus.Labels
+	total  int
+}
+
+// aggregator computes the aggregation result.
+type aggregator[Finding Countable] struct {
+	result     map[MetricName]map[aggregationKey]*aggregatedRecord
+	mcfg       MetricsConfiguration
+	labelOrder map[Label]int
+	getters    map[Label]func(Finding) string
+}
+
+func makeAggregator[Finding Countable](mcfg MetricsConfiguration, labelOrder map[Label]int, getters map[Label]func(Finding) string) *aggregator[Finding] {
+	aggregated := make(map[MetricName]map[aggregationKey]*aggregatedRecord)
+	for metric := range mcfg {
+		aggregated[metric] = make(map[aggregationKey]*aggregatedRecord)
+	}
+	return &aggregator[Finding]{aggregated, mcfg, labelOrder, getters}
+}
+
+// count the finding in the aggregation result.
+func (r *aggregator[Finding]) count(finding Finding) {
+	labelValue := func(label Label) string {
+		return r.getters[label](finding)
+	}
+	for metric, labels := range r.mcfg {
+		if key, labels := makeAggregationKey(labels, labelValue, r.labelOrder); key != "" {
+			if rec, ok := r.result[metric][key]; ok {
+				rec.total += finding.Count()
+			} else {
+				r.result[metric][key] = &aggregatedRecord{labels, finding.Count()}
+			}
+		}
+	}
+}
diff --git a/central/metrics/aggregator/common/aggregator_test.go b/central/metrics/aggregator/common/aggregator_test.go
@@ -0,0 +1,107 @@
+package common
+
+import (
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/assert"
+)
+
+type testFinding struct {
+	OneOrMore
+	index int
+}
+
+func Test_aggregator(t *testing.T) {
+	getters := map[Label]func(testFinding) string{
+		"Severity":  func(tf testFinding) string { return testData[tf.index]["Severity"] },
+		"Cluster":   func(tf testFinding) string { return testData[tf.index]["Cluster"] },
+		"Namespace": func(tf testFinding) string { return testData[tf.index]["Namespace"] },
+	}
+	a := makeAggregator(makeTestMetricLabelExpression(t), testLabelOrder, getters)
+	assert.NotNil(t, a)
+	assert.Equal(t, map[MetricName]map[aggregationKey]*aggregatedRecord{
+		"Test_aggregator_metric1": {},
+		"Test_aggregator_metric2": {},
+	}, a.result)
+
+	a.count(testFinding{index: 0})
+
+	assert.Equal(t, map[MetricName]map[aggregationKey]*aggregatedRecord{
+		"Test_aggregator_metric1": {
+			"cluster 1|CRITICAL": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[0]["Cluster"], "Severity": testData[0]["Severity"]},
+				total:  1,
+			}},
+		"Test_aggregator_metric2": {
+			"ns 1": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[0]["Namespace"]},
+				total:  1,
+			}},
+	}, a.result)
+
+	a.count(testFinding{index: 0})
+
+	assert.Equal(t, map[MetricName]map[aggregationKey]*aggregatedRecord{
+		"Test_aggregator_metric1": {
+			"cluster 1|CRITICAL": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[0]["Cluster"], "Severity": testData[0]["Severity"]},
+				total:  2,
+			}},
+		"Test_aggregator_metric2": {
+			"ns 1": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[0]["Namespace"]},
+				total:  2,
+			}},
+	}, a.result)
+
+	a.count(testFinding{index: 1})
+
+	assert.Equal(t, map[MetricName]map[aggregationKey]*aggregatedRecord{
+		"Test_aggregator_metric1": {
+			"cluster 1|CRITICAL": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[0]["Cluster"], "Severity": testData[0]["Severity"]},
+				total:  2,
+			},
+			"cluster 2|HIGH": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[1]["Cluster"], "Severity": testData[1]["Severity"]},
+				total:  1,
+			},
+		},
+		"Test_aggregator_metric2": {
+			"ns 1": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[0]["Namespace"]},
+				total:  2,
+			},
+			"ns 2": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[1]["Namespace"]},
+				total:  1,
+			},
+		},
+	}, a.result)
+
+	a.count(testFinding{OneOrMore: 5, index: 1})
+
+	assert.Equal(t, map[MetricName]map[aggregationKey]*aggregatedRecord{
+		"Test_aggregator_metric1": {
+			"cluster 1|CRITICAL": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[0]["Cluster"], "Severity": testData[0]["Severity"]},
+				total:  2,
+			},
+			"cluster 2|HIGH": &aggregatedRecord{
+				labels: prometheus.Labels{"Cluster": testData[1]["Cluster"], "Severity": testData[1]["Severity"]},
+				total:  6,
+			},
+		},
+		"Test_aggregator_metric2": {
+			"ns 1": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[0]["Namespace"]},
+				total:  2,
+			},
+			"ns 2": &aggregatedRecord{
+				labels: prometheus.Labels{"Namespace": testData[1]["Namespace"]},
+				total:  6,
+			},
+		},
+	}, a.result)
+}
diff --git a/central/metrics/aggregator/common/common.go b/central/metrics/aggregator/common/common.go
@@ -0,0 +1,77 @@
+package common
+
+import (
+	"context"
+	"iter"
+	"regexp"
+	"slices"
+
+	"github.com/pkg/errors"
+	v1 "github.com/stackrox/rox/generated/api/v1"
+	"github.com/stackrox/rox/pkg/logging"
+)
+
+var (
+	log = logging.CreateLogger(logging.ModuleForName("central_metrics"), 1)
+
+	// Source: https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels
+	metricNamePattern = regexp.MustCompile("^[a-zA-Z_:][a-zA-Z0-9_:]*$")
+)
+
+type Label string      // Prometheus label.
+type MetricName string // Prometheus metric name.
+type Countable interface{ Count() int }
+type FindingGenerator[Finding Countable] func(context.Context, *v1.Query, MetricsConfiguration) iter.Seq[Finding]
+type LabelGetter[Finding Countable] struct {
+	Label  Label
+	Getter func(Finding) string
+}
+
+// MetricsConfiguration is the parsed aggregation configuration.
+type MetricsConfiguration map[MetricName]map[Label]Expression
+
+func (mcfg MetricsConfiguration) HasAnyLabelOf(labels []Label) bool {
+	for _, labelExpr := range mcfg {
+		for label := range labelExpr {
+			if slices.Contains(labels, label) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// OneOrMore is a helper implementation of Countable interface, that counts 1
+// by default. Can be used as a base for other implementations.
+type OneOrMore int
+
+func (o OneOrMore) Count() int {
+	if o > 0 {
+		return int(o)
+	}
+	return 1
+}
+
+type aggregationKey string // e.g. IMPORTANT_VULNERABILITY_SEVERITY|true
+
+var ErrStopIterator = errors.New("stopped")
+
+// validateMetricName ensures the name is alnum_.
+func validateMetricName(name string) error {
+	if len(name) == 0 {
+		return errors.New("empty")
+	}
+	if !metricNamePattern.MatchString(name) {
+		return errors.New(`doesn't match "` + metricNamePattern.String() + `"`)
+	}
+	return nil
+}
+
+// Bind4th binds the fourth function argument:
+//
+//	f(a, b, c, d) == Bind4th(f, d)(a, b, c)
+func Bind4th[A1 any, A2 any, A3 any, A4 any, RV any](f func(A1, A2, A3, A4) RV, bound A4) func(A1, A2, A3) RV {
+	return func(a1 A1, a2 A2, a3 A3) RV {
+		return f(a1, a2, a3, bound)
+	}
+}