2 changes: 1 addition & 1 deletion central/pod/datastore/datastore_impl_real_test.go
Expand Up @@ -60,7 +60,7 @@ func (s *PodDatastoreSuite) SetupTest() {

indicatorStorage := processIndicatorStorage.New(s.postgres.DB)

s.indicatorDataStore = processIndicatorDataStore.New(
s.indicatorDataStore = processIndicatorDataStore.New(s.postgres.DB,
indicatorStorage, plopStorage, nil)

s.plopDS = plopDataStore.New(plopStorage, s.indicatorDataStore, s.postgres.DB)
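--- a/central/processbaseline/baselineutils.go
+++ b/central/processbaseline/baselineutils.go
@@ -4,6 +4,7 @@ import (
 "time"
 
 "github.com/pkg/errors"
+"github.com/stackrox/rox/central/processindicator/views"
 "github.com/stackrox/rox/generated/storage"
 "github.com/stackrox/rox/pkg/protocompat"
 "github.com/stackrox/rox/pkg/protoutils"
@@ -78,6 +79,26 @@ func IsStartupProcess(process *storage.ProcessIndicator) bool {
 if process.ContainerStartTime == nil {
 return false
 }
+// TODO(ROX-31107): Determine if nil SignalTime should be considered startup task. By this logic it is.
 durationBetweenProcessAndContainerStart := protoutils.Sub(process.GetSignal().GetTime(), process.GetContainerStartTime())
 return durationBetweenProcessAndContainerStart < ContainerStartupDuration
 }
+
+// IsStartupProcessView determines if the process is a startup process
+// A process is considered a startup process if it happens within the first ContainerStartupDuration and was not scraped
+// but instead pulled from exec
+func IsStartupProcessView(process *views.ProcessIndicatorRiskView) bool {
+if process.ContainerStartTime == nil {
+return false
+}
+// TODO(ROX-31107): Determine if nil SignalTime should be considered startup task. By this logic it is.
+durationBetweenProcessAndContainerStart := protoutils.Sub(protocompat.ConvertTimeToTimestampOrNil(process.SignalTime),
+protocompat.ConvertTimeToTimestampOrNil(process.ContainerStartTime))
+return durationBetweenProcessAndContainerStart < ContainerStartupDuration
+}
+
+// BaselineItemFromProcessView returns what we baseline for a given process.
+// It exists to make sure that we're using the same thing in every place (name vs execfilepath).
+func BaselineItemFromProcessView(process *views.ProcessIndicatorRiskView) string {
+return process.ExecFilePath
+}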
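Review bot: IsStartupProcessView fails open on a missing signal time: when `process.SignalTime` is nil, `ConvertTimeToTimestampOrNil` passes nil into `protoutils.Sub` against a non-nil container start, and the TODO above that line says this is currently classified as a startup process — which the evaluator then skips, so an indicator with no timestamp is never compared against a locked baseline nor reported. Until ROX-31107 settles the semantics I would fail closed here, `if process.ContainerStartTime == nil || process.SignalTime == nil { return false }`, and make the same decision in IsStartupProcess so the two stay aligned (confirm with the owners that a missing signal time is not a legitimate startup case). The two functions now carry identical logic and an identical TODO; a small shared helper taking the two converted timestamps would keep them from drifting. The doc comment also says the process "was not scraped but instead pulled from exec", yet nothing in the body checks a scrape flag — either drop that sentence or make the check visible.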
3 changes: 2 additions & 1 deletion central/processbaseline/evaluator/evaluator.go
Expand Up @@ -4,14 +4,15 @@ import (
baselinesStore "github.com/stackrox/rox/central/processbaseline/datastore"
baselineResultsStore "github.com/stackrox/rox/central/processbaselineresults/datastore"
indicatorsStore "github.com/stackrox/rox/central/processindicator/datastore"
"github.com/stackrox/rox/central/processindicator/views"
"github.com/stackrox/rox/generated/storage"
)

// An Evaluator evaluates process baselines, and stores their cached results.
//
//go:generate mockgen-wrapper
type Evaluator interface {
EvaluateBaselinesAndPersistResult(deployment *storage.Deployment) (violatingProcesses []*storage.ProcessIndicator, err error)
EvaluateBaselinesAndPersistResult(deployment *storage.Deployment) (violatingProcesses []*views.ProcessIndicatorRiskView, err error)
}

// New returns a new evaluator.
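Review bot: The interface method has no doc comment, and with the return type changing to `[]*views.ProcessIndicatorRiskView` callers should be told what the slice holds. I would add above it: `// EvaluateBaselinesAndPersistResult evaluates the deployment's process indicators against its locked baselines, persists the per-container results, and returns the indicators (as risk views) that ran outside a locked baseline; processes classified as startup processes are not reported.` The `//go:generate mockgen-wrapper` directive means the generated mock must be regenerated for the new signature; the regenerated file is not in this view, so it may be elsewhere in the PR.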
18 changes: 9 additions & 9 deletions central/processbaseline/evaluator/evaluator_impl.go
Expand Up @@ -8,8 +8,8 @@ import (
baselinesStore "github.com/stackrox/rox/central/processbaseline/datastore"
baselineResultsStore "github.com/stackrox/rox/central/processbaselineresults/datastore"
indicatorsStore "github.com/stackrox/rox/central/processindicator/datastore"
"github.com/stackrox/rox/central/processindicator/views"
"github.com/stackrox/rox/generated/storage"
processBaselinePkg "github.com/stackrox/rox/pkg/processbaseline"
"github.com/stackrox/rox/pkg/sac"
"github.com/stackrox/rox/pkg/sac/resources"
"github.com/stackrox/rox/pkg/search"
Expand Down Expand Up @@ -54,7 +54,7 @@ func (e *evaluator) persistResults(ctx context.Context, deployment *storage.Depl
return e.baselineResults.UpsertBaselineResults(ctx, results)
}

func (e *evaluator) EvaluateBaselinesAndPersistResult(deployment *storage.Deployment) (violatingProcesses []*storage.ProcessIndicator, err error) {
func (e *evaluator) EvaluateBaselinesAndPersistResult(deployment *storage.Deployment) (violatingProcesses []*views.ProcessIndicatorRiskView, err error) {
containerNameToBaselinedProcesses := make(map[string]*set.StringSet)
containerNameToBaselineResults := make(map[string]*storage.ContainerNameAndBaselineStatus)

Expand Down Expand Up @@ -86,29 +86,29 @@ func (e *evaluator) EvaluateBaselinesAndPersistResult(deployment *storage.Deploy
}
}

var processes []*storage.ProcessIndicator
var processes []*views.ProcessIndicatorRiskView
if hasAtLeastOneLockedBaseline {
processes, err = e.indicators.SearchRawProcessIndicators(evaluatorCtx, search.NewQueryBuilder().AddExactMatches(search.DeploymentID, deployment.GetId()).ProtoQuery())
processes, err = e.indicators.GetProcessIndicatorsRiskView(evaluatorCtx, search.NewQueryBuilder().AddExactMatches(search.DeploymentID, deployment.GetId()).ProtoQuery())
if err != nil {
return nil, errors.Wrapf(err, "searching process indicators for deployment %s/%s/%s", deployment.GetClusterName(), deployment.GetNamespace(), deployment.GetName())
}
}
for _, process := range processes {
processSet, exists := containerNameToBaselinedProcesses[process.GetContainerName()]
processSet, exists := containerNameToBaselinedProcesses[process.ContainerName]
// If no explicit baseline, then all processes are valid.
if !exists {
continue
}
baselineItem := processBaselinePkg.BaselineItemFromProcess(process)
baselineItem := processbaseline.BaselineItemFromProcessView(process)
if baselineItem == "" {
continue
}
if processbaseline.IsStartupProcess(process) {
if processbaseline.IsStartupProcessView(process) {
continue
}
if !processSet.Contains(processBaselinePkg.BaselineItemFromProcess(process)) {
if !processSet.Contains(processbaseline.BaselineItemFromProcessView(process)) {
violatingProcesses = append(violatingProcesses, process)
containerNameToBaselineResults[process.GetContainerName()].AnomalousProcessesExecuted = true
containerNameToBaselineResults[process.ContainerName].AnomalousProcessesExecuted = true
}
}

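Review bot: The pre-existing `if baselineItem == "" { continue }` now acts on `process.ExecFilePath` from a projected view, so the evaluator fails open if `GetProcessIndicatorsRiskView` does not select ExecFilePath (the view's column set is not visible here): such a process is neither compared against the locked baseline nor reported, and `AnomalousProcessesExecuted` stays false. I would document that at the `continue`, `// Empty exec file path cannot be matched against the baseline; this silently exempts the process, so the view must select ExecFilePath`, and add a test asserting that an indicator under a locked baseline is still detected through the view path. Separately, `processSet.Contains(processbaseline.BaselineItemFromProcessView(process))` recomputes the value already held in `baselineItem`; `if !processSet.Contains(baselineItem) {` is simpler. EvaluateBaselinesAndPersistResult ends outside the hunk.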