stackrox · parametalol · Jun 12, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 16, 2025
diff --git a/central/config/service/service.go b/central/config/service/service.go
@@ -67,16 +67,18 @@
 }
 
 // New returns a new Service instance using the given DataStore.
-func New(datastore datastore.DataStore) Service {
+func New(datastore datastore.DataStore, ar customMetrics.Runner) Service {
 	return &serviceImpl{
-		datastore: datastore,
+		datastore:  datastore,
+		aggregator: ar,
 	}
 }
 
 type serviceImpl struct {
 	v1.UnimplementedConfigServiceServer
 
-	datastore datastore.DataStore
+	datastore  datastore.DataStore
+	aggregator customMetrics.Runner
 }
 
 // RegisterServiceServer registers this service with the given gRPC Server.
@@ -165,8 +167,9 @@
 		}
 	}
 
-	if err := customMetrics.ParseConfiguration(
-		req.GetConfig().GetPrivateConfig().GetPrometheusMetricsConfig()); err != nil {
+	customMetricsCfg, err := s.aggregator.ParseConfiguration(
+		req.GetConfig().GetPrivateConfig().GetPrometheusMetricsConfig())
+	if err != nil {
 		return nil, err
 	}
 
@@ -185,7 +188,7 @@
 	}
 	matcher.Singleton().SetRegexes(regexes)
 	go reprocessor.Singleton().RunReprocessor()
-
+	s.aggregator.Reconfigure(customMetricsCfg)
 	return req.GetConfig(), nil
 }
 

diff --git a/central/config/service/service_test.go b/central/config/service/service_test.go
@@ -72,7 +72,7 @@ func (s *configServiceTestSuite) SetupSuite() {
 	s.ctx = sac.WithAllAccess(context.Background())
 	s.db = pgtest.ForT(s.T())
 	s.dataStore = datastore.NewForTest(s.T(), s.db.DB)
-	s.srv = New(s.dataStore)
+	s.srv = New(s.dataStore, nil)
 
 	// Not found because Singleton() was not called and default configuration was not initialize.
 	cfg, err := s.srv.GetVulnerabilityExceptionConfig(s.ctx, &v1.Empty{})

diff --git a/central/config/service/singleton.go b/central/config/service/singleton.go
@@ -2,6 +2,7 @@
 
 import (
 	"github.com/stackrox/rox/central/config/datastore"
+	"github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/pkg/sync"
 )
 
@@ -12,7 +13,7 @@
 )
 
 func initialize() {
-	as = New(datastore.Singleton())
+	as = New(datastore.Singleton(), aggregator.Singleton())
 }
 
 // Singleton provides the instance of the Service interface to register.

diff --git a/central/main.go b/central/main.go
@@ -108,6 +108,7 @@ import (
 	"github.com/stackrox/rox/central/jwt"
 	logimbueHandler "github.com/stackrox/rox/central/logimbue/handler"
 	metadataService "github.com/stackrox/rox/central/metadata/service"
+	customMetrics "github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/central/metrics/telemetry"
 	mitreService "github.com/stackrox/rox/central/mitre/service"
 	namespaceService "github.com/stackrox/rox/central/namespace/service"
@@ -381,7 +382,7 @@ func startServices() {
 	administrationUsageInjector.Singleton().Start()
 	gcp.Singleton().Start()
 	administrationEventHandler.Singleton().Start()
-
+	customMetrics.Singleton().Start()
 	if features.PlatformComponents.Enabled() {
 		platformReprocessor.Singleton().Start()
 	}
@@ -866,6 +867,23 @@ func customRoutes() (customRoutes []routes.CustomRoute) {
 			ServerHandler: certHandler.BackupCerts(listener.Singleton()),
 			Compression:   true,
 		},
+		{
+			// User configured Prometheus metrics will be exposed on this path.
+			// The access is behind authorization because the metric label
+			// values may include sensitive data, such as deployment names and
+			// CVEs.
+			Route:         "GET /metrics",
+			Authorizer:    user.With(permissions.View(resources.Administration)),
+			ServerHandler: customMetrics.Singleton(),
+			Compression:   true,
+		},
+		{
+			// Same as above, for custom paths.
+			Route:         "GET /metrics/{custom}",
+			Authorizer:    user.With(permissions.View(resources.Administration)),
+			ServerHandler: customMetrics.Singleton(),
+			Compression:   true,
+		},
 	}
 	scannerDefinitionsRoute := "/api/extensions/scannerdefinitions"
 	// Only grant compression to well-known content types. It should capture files
@@ -962,6 +980,7 @@ func waitForTerminationSignal() {
 		{gcp.Singleton(), "GCP cloud credentials manager"},
 		{cloudSourcesManager.Singleton(), "cloud sources manager"},
 		{administrationEventHandler.Singleton(), "administration events handler"},
+		{customMetrics.Singleton(), "custom Prometheus metrics gatherer"},
 	}
 
 	stoppables = append(stoppables,

diff --git a/central/metrics/aggregator/common/config_parser.go b/central/metrics/aggregator/common/config_parser.go
@@ -28,6 +28,25 @@
 	exposure metrics.Exposure
 }
 
+func (me *metricExposure) String() string {
+	switch me.exposure {
+	case metrics.INTERNAL:
+		return "internal path /metrics"
+	case metrics.EXTERNAL:
+		if me.registry == "" {
+			return "external path /metrics"
+		}
+		return "external path /metrics/" + me.registry
+	case metrics.BOTH:
+		if me.registry == "" {
+			return "internal and external path /metrics"
+		}
+		return "internal path /metrics and external path /metrics/" + me.registry
+	default:
+		return "not exposed"
+	}
+}
+
 type Configuration struct {
 	metrics        MetricsConfiguration
 	metricRegistry map[MetricName]metricExposure
@@ -95,7 +114,7 @@
 	return result, nil
 }
 
-func ParseConfiguration(cfg *storage.PrometheusMetricsConfig_Metrics, currentMetrics MetricsConfiguration, labelOrder map[Label]int) (*Configuration, error) {
+func parseConfiguration(cfg *storage.PrometheusMetricsConfig_Metrics, currentMetrics MetricsConfiguration, labelOrder map[Label]int) (*Configuration, error) {
 	metricRegistry := make(map[MetricName]metricExposure, len(cfg.GetMetrics()))
 
 	for metric, labels := range cfg.GetMetrics() {

diff --git a/central/metrics/aggregator/common/config_parser_test.go b/central/metrics/aggregator/common/config_parser_test.go
@@ -90,7 +90,7 @@ func Test_parseErrors(t *testing.T) {
 
 func TestParseConfiguration(t *testing.T) {
 	t.Run("bad metric name", func(t *testing.T) {
-		cfg, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics: map[string]*storage.PrometheusMetricsConfig_Labels{
 				" ": nil,
@@ -103,7 +103,7 @@ func TestParseConfiguration(t *testing.T) {
 	})
 
 	t.Run("bad registry name", func(t *testing.T) {
-		cfg, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics: map[string]*storage.PrometheusMetricsConfig_Labels{
 				"m1": {
@@ -119,7 +119,7 @@ func TestParseConfiguration(t *testing.T) {
 
 	t.Run("test parse sequence", func(t *testing.T) {
 		// Good:
-		cfg0, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg0, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics:                makeTestMetricLabels(t),
 			Filter:                 "Cluster:name",
@@ -132,7 +132,7 @@ func TestParseConfiguration(t *testing.T) {
 		}
 
 		// Bad:
-		cfg1, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg1, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics: map[string]*storage.PrometheusMetricsConfig_Labels{
 				"m1": {
@@ -147,7 +147,7 @@ func TestParseConfiguration(t *testing.T) {
 		assert.Nil(t, cfg1)
 
 		// Another good:
-		cfg2, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg2, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics: map[string]*storage.PrometheusMetricsConfig_Labels{
 				"m2": {
@@ -168,7 +168,7 @@ func TestParseConfiguration(t *testing.T) {
 	})
 
 	t.Run("test bad query", func(t *testing.T) {
-		cfg, err := ParseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
+		cfg, err := parseConfiguration(&storage.PrometheusMetricsConfig_Metrics{
 			GatheringPeriodMinutes: 121,
 			Metrics:                makeTestMetricLabels(t),
 			Filter:                 "bad query?",
@@ -185,7 +185,7 @@ func TestParseConfiguration(t *testing.T) {
 			GatheringPeriodMinutes: 121,
 			Metrics:                makeTestMetricLabels(t),
 		}
-		cfg0, err := ParseConfiguration(storageConfig, nil, testLabelOrder)
+		cfg0, err := parseConfiguration(storageConfig, nil, testLabelOrder)
 		assert.NoError(t, err)
 
 		for _, labels := range storageConfig.Metrics {
@@ -207,7 +207,7 @@ func TestParseConfiguration(t *testing.T) {
 			}
 		}
 
-		cfg1, err := ParseConfiguration(storageConfig, cfg0.metrics, testLabelOrder)
+		cfg1, err := parseConfiguration(storageConfig, cfg0.metrics, testLabelOrder)
 
 		assert.ErrorIs(t, err, errInvalidConfiguration, err)
 		assert.Nil(t, cfg1)
@@ -218,14 +218,14 @@ func TestParseConfiguration(t *testing.T) {
 			GatheringPeriodMinutes: 121,
 			Metrics:                makeTestMetricLabels(t),
 		}
-		cfg0, err := ParseConfiguration(storageConfig, nil, testLabelOrder)
+		cfg0, err := parseConfiguration(storageConfig, nil, testLabelOrder)
 		assert.NoError(t, err)
 		for _, config := range storageConfig.Metrics {
 			if config.Exposure == storage.PrometheusMetricsConfig_Labels_BOTH {
 				config.Labels["CVE"] = &storage.PrometheusMetricsConfig_Labels_Expression{}
 			}
 		}
-		cfg1, err := ParseConfiguration(storageConfig, cfg0.metrics, testLabelOrder)
+		cfg1, err := parseConfiguration(storageConfig, cfg0.metrics, testLabelOrder)
 
 		assert.ErrorIs(t, err, errInvalidConfiguration, err)
 		assert.True(t, strings.Contains(err.Error(), "cannot alter metrics"))

diff --git a/central/metrics/aggregator/common/tracker_base.go b/central/metrics/aggregator/common/tracker_base.go
@@ -7,17 +7,23 @@
 	"sync/atomic"
 	"time"
 
+	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stackrox/rox/central/metrics"
 	v1 "github.com/stackrox/rox/generated/api/v1"
+	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/sync"
 )
 
-var log = logging.CreateLogger(logging.ModuleForName("central_metrics"), 1)
+var (
+	log             = logging.CreateLogger(logging.ModuleForName("central_metrics"), 1)
+	ErrStopIterator = errors.New("stopped")
+)
 
 type Tracker interface {
 	Run(context.Context)
+	ParseConfiguration(*storage.PrometheusMetricsConfig_Metrics) (*Configuration, error)
 	Reconfigure(context.Context, *Configuration)
 }
 
@@ -88,6 +94,14 @@
 	return tracker
 }
 
+func (tracker *TrackerBase[Finding]) ParseConfiguration(cfg *storage.PrometheusMetricsConfig_Metrics) (*Configuration, error) {
+	current := tracker.GetConfiguration()
+	if current == nil {
+		current = &Configuration{}
+	}
+	return parseConfiguration(cfg, current.metrics, tracker.labelOrder)
+}
+
 // Reconfigure assumes the configuration has been validated, so doesn't return
 // an error.
 func (tracker *TrackerBase[Finding]) Reconfigure(ctx context.Context, cfg *Configuration) {
@@ -135,11 +149,15 @@
 		cfg.period,
 		getMetricLabels(cfg.metrics[metric], tracker.labelOrder),
 		regCfg.registry,
-		metrics.Exposure(regCfg.exposure)); err != nil {
-		log.Errorf("Failed to register %s metric %q: %v", tracker.category, metric, err)
+		regCfg.exposure); err != nil {
+		log.Errorf("Failed to register %s metric %q (%s): %v",
+			tracker.category, metric, &regCfg, err)
+	} else if regCfg.exposure >= metrics.INTERNAL && regCfg.exposure <= metrics.BOTH {
+		log.Debugf("Registered %s Prometheus metric %q (%s)",
+			tracker.category, metric, &regCfg)
 	} else {
-		log.Debugf("Registered %s Prometheus metric %q on path /metrics/%s", tracker.category, metric,
-			regCfg.registry)
+		log.Debugf("Ignored %s Prometheus metric %q (%s)",
+			tracker.category, metric, &regCfg)
 	}
 }
 
@@ -181,11 +199,13 @@
 	if len(cfg.metrics) == 0 {
 		return
 	}
+	log.Debugf("starting %s metrics gathering...", tracker.category)
 	aggregator := makeAggregator(cfg.metrics, tracker.labelOrder, tracker.getters)
 	for finding := range tracker.generator(ctx, cfg.filter, cfg.metrics) {
 		aggregator.count(finding)
 	}
 	for metric, records := range aggregator.result {
+		log.Debugf("updating %s metric %s", tracker.category, metric)
 		for _, rec := range records {
 			tracker.gauge(string(metric), rec.labels, rec.total)
 		}

diff --git a/central/metrics/aggregator/image_vulnerabilities/labels.go b/central/metrics/aggregator/image_vulnerabilities/labels.go
@@ -1,24 +1,29 @@
 package image_vulnerabilities
 
 import (
+	"strconv"
+
 	"github.com/stackrox/rox/central/metrics/aggregator/common"
-	"github.com/stackrox/rox/generated/storage"
 )
 
-var (
-	getters = []common.LabelGetter[*finding]{
-		{Label: "Cluster", Getter: func(f *finding) string { return f.deployment.GetClusterName() }},
-	}
-
-	labels = common.MakeLabelOrderMap(getters)
-)
+var getters = []common.LabelGetter[*finding]{
+	{Label: "Cluster", Getter: func(f *finding) string { return f.deployment.GetClusterName() }},
+	{Label: "Namespace", Getter: func(f *finding) string { return f.deployment.GetNamespace() }},
+	{Label: "Deployment", Getter: func(f *finding) string { return f.deployment.GetName() }},
+	{Label: "IsPlatformWorkload", Getter: isPlatformWorkload},
 
-type finding struct {
-	common.OneOrMore
-	deployment *storage.Deployment
-}
+	{Label: "ImageID", Getter: func(f *finding) string { return f.image.GetId() }},
+	{Label: "ImageRegistry", Getter: func(f *finding) string { return f.name.GetRegistry() }},
+	{Label: "ImageRemote", Getter: func(f *finding) string { return f.name.GetRemote() }},
+	{Label: "ImageTag", Getter: func(f *finding) string { return f.name.GetTag() }},
+	{Label: "Component", Getter: func(f *finding) string { return f.component.GetName() }},
+	{Label: "ComponentVersion", Getter: func(f *finding) string { return f.component.GetVersion() }},
+	{Label: "OperatingSystem", Getter: func(f *finding) string { return f.image.GetScan().GetOperatingSystem() }},
 
-func ParseConfiguration(config *storage.PrometheusMetricsConfig_Metrics) error {
-	_, err := common.ParseConfiguration(config, nil, labels)
-	return err
+	{Label: "CVE", Getter: func(f *finding) string { return f.vuln.GetCve() }},
+	{Label: "CVSS", Getter: func(f *finding) string { return strconv.FormatFloat(float64(f.vuln.GetCvss()), 'f', 1, 32) }},
+	{Label: "Severity", Getter: func(f *finding) string { return f.vuln.GetSeverity().String() }},
+	{Label: "SeverityV2", Getter: func(f *finding) string { return f.vuln.GetCvssV2().GetSeverity().String() }},
+	{Label: "SeverityV3", Getter: func(f *finding) string { return f.vuln.GetCvssV3().GetSeverity().String() }},
+	{Label: "IsFixable", Getter: func(f *finding) string { return strconv.FormatBool(f.vuln.GetFixedBy() != "") }},
 }