stackrox · parametalol · Jun 17, 2025
diff --git a/central/config/service/service.go b/central/config/service/service.go
@@ -67,16 +67,18 @@
 }
 
 // New returns a new Service instance using the given DataStore.
-func New(datastore datastore.DataStore) Service {
+func New(datastore datastore.DataStore, ar customMetrics.Runner) Service {
 	return &serviceImpl{
-		datastore: datastore,
+		datastore:  datastore,
+		aggregator: ar,
 	}
 }
 
 type serviceImpl struct {
 	v1.UnimplementedConfigServiceServer
 
-	datastore datastore.DataStore
+	datastore  datastore.DataStore
+	aggregator customMetrics.Runner
 }
 
 // RegisterServiceServer registers this service with the given gRPC Server.
@@ -165,10 +167,11 @@
 		}
 	}
 
-	if err := customMetrics.ValidateConfiguration(
-		req.GetConfig().GetPrivateConfig().GetMetrics()); err != nil {
+	customMetricsCfg, err := s.aggregator.ValidateConfiguration(
+		req.GetConfig().GetPrivateConfig().GetMetrics())
+	if err != nil {
 		return nil, err
 	}
 
 	// Store:

@@ -185,7 +188,8 @@
 	}
 	matcher.Singleton().SetRegexes(regexes)
 	go reprocessor.Singleton().RunReprocessor()
+	s.aggregator.Reconfigure(customMetricsCfg)
 
 	return req.GetConfig(), nil
 }


diff --git a/central/config/service/service_test.go b/central/config/service/service_test.go
@@ -72,7 +72,7 @@ func (s *configServiceTestSuite) SetupSuite() {
 	s.ctx = sac.WithAllAccess(context.Background())
 	s.db = pgtest.ForT(s.T())
 	s.dataStore = datastore.NewForTest(s.T(), s.db.DB)
-	s.srv = New(s.dataStore)
+	s.srv = New(s.dataStore, nil)
 
 	// Not found because Singleton() was not called and default configuration was not initialize.
 	cfg, err := s.srv.GetVulnerabilityExceptionConfig(s.ctx, &v1.Empty{})

diff --git a/central/config/service/singleton.go b/central/config/service/singleton.go
@@ -2,6 +2,7 @@
 
 import (
 	"github.com/stackrox/rox/central/config/datastore"
+	"github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/pkg/sync"
 )
 
@@ -12,7 +13,7 @@
 )
 
 func initialize() {
-	as = New(datastore.Singleton())
+	as = New(datastore.Singleton(), aggregator.Singleton())
 }
 
 // Singleton provides the instance of the Service interface to register.

diff --git a/central/main.go b/central/main.go
@@ -108,6 +108,7 @@ import (
 	"github.com/stackrox/rox/central/jwt"
 	logimbueHandler "github.com/stackrox/rox/central/logimbue/handler"
 	metadataService "github.com/stackrox/rox/central/metadata/service"
+	customMetrics "github.com/stackrox/rox/central/metrics/aggregator"
 	"github.com/stackrox/rox/central/metrics/telemetry"
 	mitreService "github.com/stackrox/rox/central/mitre/service"
 	namespaceService "github.com/stackrox/rox/central/namespace/service"
@@ -381,6 +382,7 @@ func startServices() {
 	administrationUsageInjector.Singleton().Start()
 	gcp.Singleton().Start()
 	administrationEventHandler.Singleton().Start()
+	customMetrics.Singleton().Start()
 
 	if features.PlatformComponents.Enabled() {
 		platformReprocessor.Singleton().Start()
@@ -866,6 +868,16 @@ func customRoutes() (customRoutes []routes.CustomRoute) {
 			ServerHandler: certHandler.BackupCerts(listener.Singleton()),
 			Compression:   true,
 		},
+		{
+			// User configured Prometheus metrics will be exposed on this path.
+			// The access is behind authorization because the metric label
+			// values may include sensitive data, such as deployment names and
+			// CVEs.
+			Route:         "GET /metrics",
+			Authorizer:    user.With(permissions.View(resources.Administration)),
+			ServerHandler: customMetrics.Singleton(),
+			Compression:   true,
+		},
 	}
 	scannerDefinitionsRoute := "/api/extensions/scannerdefinitions"
 	// Only grant compression to well-known content types. It should capture files
@@ -962,6 +974,7 @@ func waitForTerminationSignal() {
 		{gcp.Singleton(), "GCP cloud credentials manager"},
 		{cloudSourcesManager.Singleton(), "cloud sources manager"},
 		{administrationEventHandler.Singleton(), "administration events handler"},
+		{customMetrics.Singleton(), "custom Prometheus metrics gatherer"},
 	}
 
 	stoppables = append(stoppables,

diff --git a/central/metrics/aggregator/common/tracker_base.go b/central/metrics/aggregator/common/tracker_base.go
@@ -6,13 +6,18 @@
 	"sync/atomic"
 	"time"
 
+	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stackrox/rox/central/metrics"
+	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/sync"
 )
 
-var log = logging.CreateLogger(logging.ModuleForName("central_metrics"), 1)
+var (
+	log             = logging.CreateLogger(logging.ModuleForName("central_metrics"), 1)
+	ErrStopIterator = errors.New("stopped")
+)
 
 type LazyLabel[Finding any] struct {
 	Label
@@ -31,6 +36,7 @@
 
 type Tracker interface {
 	Run(context.Context)
+	ValidateConfiguration(*storage.PrometheusMetrics_MetricGroup) (*Configuration, error)
 	Reconfigure(context.Context, *Configuration)
 }
 
@@ -87,6 +93,14 @@
 	return tracker
 }
 
+func (tracker *TrackerBase[Finding]) ValidateConfiguration(cfg *storage.PrometheusMetrics_MetricGroup) (*Configuration, error) {
+	current := tracker.GetConfiguration()
+	if current == nil {
+		current = &Configuration{}
+	}
+	return ValidateConfiguration(cfg, current.metrics, tracker.labelOrder)
+}
+
 // Reconfigure assumes the configuration has been validated, so doesn't return
 // an error.
 func (tracker *TrackerBase[Finding]) Reconfigure(ctx context.Context, cfg *Configuration) {
@@ -100,7 +114,7 @@
 			// Force track only on reconfiguration, not on the initial tracker
 			// creation.
 			if tracker.running.Load() {
 				tracker.track(ctx)
 			} else {
 				go tracker.Run(ctx)
 			}
@@ -120,10 +134,10 @@
 	}
 }

 func (tracker *TrackerBase[Finding]) unregisterMetric(metric MetricName) {
 	if metrics.UnregisterCustomAggregatedMetric(string(metric)) {
 		log.Debugf("Unregistered %s Prometheus metric %q", tracker.category, metric)
 	}
 }

 func labelsAsStrings(labels []Label) []string {
@@ -141,9 +155,9 @@
 		cfg.period,
 		labelsAsStrings(cfg.metrics[metric]),
 	); err != nil {
 		log.Errorf("Failed to register %s metric %q: %v", tracker.category, metric, err)
 		return
 	}
 	log.Debugf("Registered %s Prometheus metric %q", tracker.category, metric)
 }

@@ -183,8 +197,8 @@
 func (tracker *TrackerBase[Finding]) track(ctx context.Context) {
 	cfg := tracker.GetConfiguration()
 	if len(cfg.metrics) == 0 {
 		return
 	}
 	aggregator := makeAggregator(cfg.metrics, tracker.labelOrder, tracker.getters)
 	for finding := range tracker.generator(ctx, cfg.metrics) {
 		aggregator.count(finding)
@@ -209,8 +223,8 @@

 	// Return if no ticker or is already running.
 	if ticker == nil || !tracker.running.CompareAndSwap(false, true) {
 		return
 	}
 	defer tracker.running.Store(false)
 	defer ticker.Stop()

@@ -218,8 +232,8 @@

 	for {
 		select {
 		case <-ticker.C:
 			tracker.track(ctx)
 		case <-ctx.Done():
 			return
 		}

diff --git a/central/metrics/aggregator/image_vulnerabilities/labels.go b/central/metrics/aggregator/image_vulnerabilities/labels.go
@@ -1,23 +1,53 @@
 package image_vulnerabilities
 
 import (
+	"strconv"
+
 	"github.com/stackrox/rox/central/metrics/aggregator/common"
+	"github.com/stackrox/rox/central/platform/matcher"
 	"github.com/stackrox/rox/generated/storage"
 )
 
 var (
 	lazyLabels = []common.LazyLabel[finding]{
 		{Label: "Cluster", Getter: func(f *finding) string { return f.deployment.GetClusterName() }},
+		{Label: "Namespace", Getter: func(f *finding) string { return f.deployment.GetNamespace() }},
+		{Label: "Deployment", Getter: func(f *finding) string { return f.deployment.GetName() }},
+		{Label: "IsPlatformWorkload", Getter: isPlatformWorkload},
+
+		{Label: "ImageID", Getter: func(f *finding) string { return f.image.GetId() }},
+		{Label: "ImageRegistry", Getter: func(f *finding) string { return f.name.GetRegistry() }},
+		{Label: "ImageRemote", Getter: func(f *finding) string { return f.name.GetRemote() }},
+		{Label: "ImageTag", Getter: func(f *finding) string { return f.name.GetTag() }},
+		{Label: "Component", Getter: func(f *finding) string { return f.component.GetName() }},
+		{Label: "ComponentVersion", Getter: func(f *finding) string { return f.component.GetVersion() }},
+		{Label: "OperatingSystem", Getter: func(f *finding) string { return f.image.GetScan().GetOperatingSystem() }},
+
+		{Label: "CVE", Getter: func(f *finding) string { return f.vuln.GetCve() }},
+		{Label: "CVSS", Getter: func(f *finding) string { return strconv.FormatFloat(float64(f.vuln.GetCvss()), 'f', 1, 32) }},
+		{Label: "Severity", Getter: func(f *finding) string { return f.vuln.GetSeverity().String() }},
+		{Label: "SeverityV2", Getter: func(f *finding) string { return f.vuln.GetCvssV2().GetSeverity().String() }},
+		{Label: "SeverityV3", Getter: func(f *finding) string { return f.vuln.GetCvssV3().GetSeverity().String() }},
+		{Label: "IsFixable", Getter: func(f *finding) string { return strconv.FormatBool(f.vuln.GetFixedBy() != "") }},
 	}
 
-	labels = common.MakeLabelOrderMap(lazyLabels)
+	order = common.MakeLabelOrderMap(lazyLabels)
 )
 
 type finding struct {
 	deployment *storage.Deployment
+	image      *storage.Image
+	name       *storage.ImageName
+	component  *storage.EmbeddedImageScanComponent
+	vuln       *storage.EmbeddedVulnerability
+}
+
+func isPlatformWorkload(f *finding) string {
+	p, _ := matcher.Singleton().MatchDeployment(f.deployment)
+	return strconv.FormatBool(p)
 }
 
-func ValidateConfiguration(config map[string]*storage.PrometheusMetrics_MetricGroup_Labels) error {
-	_, err := common.TranslateMetricLabels(config, labels)
+func ValidateConfiguration(metricLabels map[string]*storage.PrometheusMetrics_MetricGroup_Labels) error {
+	_, err := common.TranslateMetricLabels(metricLabels, order)
 	return err
 }
diff --git a/central/metrics/aggregator/image_vulnerabilities/tracker.go b/central/metrics/aggregator/image_vulnerabilities/tracker.go
@@ -0,0 +1,57 @@
+package image_vulnerabilities
+
+import (
+	"context"
+	"iter"
+
+	"github.com/prometheus/client_golang/prometheus"
+	deploymentDS "github.com/stackrox/rox/central/deployment/datastore"
+	"github.com/stackrox/rox/central/metrics/aggregator/common"
+	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/search"
+)
+
+func New(gauge func(string, prometheus.Labels, int), ds deploymentDS.DataStore) *common.TrackerBase[finding] {
+	return common.MakeTrackerBase(
+		"vulnerabilities",
+		"aggregated CVEs",
+		lazyLabels,
+		func(ctx context.Context, mcfg common.MetricsConfiguration) iter.Seq[*finding] {
+			return trackVulnerabilityMetrics(ctx, mcfg, ds)
+		},
+		gauge)
+}
+
+func trackVulnerabilityMetrics(ctx context.Context, _ common.MetricsConfiguration, ds deploymentDS.DataStore) iter.Seq[*finding] {
+	return func(yield func(*finding) bool) {
+		finding := &finding{}
+		_ = ds.WalkByQuery(ctx, search.EmptyQuery(), func(deployment *storage.Deployment) error {
+			finding.deployment = deployment
+			images, err := ds.GetImagesForDeployment(ctx, deployment)
+			if err != nil {
+				return nil // Nothing can be done with this error here.
+			}
+			for _, finding.image = range images {
+				if !forEachImageVuln(yield, finding) {
+					return common.ErrStopIterator
+				}
+			}
+			return nil
+		})
+	}
+}
+
+// forEachImageVuln yields a finding for every vulnerability associated with
+// each image name.
+func forEachImageVuln(yield func(*finding) bool, f *finding) bool {
+	for _, f.component = range f.image.GetScan().GetComponents() {
+		for _, f.vuln = range f.component.GetVulns() {
+			for _, f.name = range f.image.GetNames() {
+				if !yield(f) {
+					return false
+				}
+			}
+		}
+	}
+	return true
+}