Set archived, traversal_ids upon vulnerability statistics ingestion

Why are we doing this work

As part of #512592 (closed) we're adding a new traversal_ids column to the vulnerability_statistics table. The corresponding model attributes need to be set by the IngestVulnerabilityStatistics task upon ingestion.

Further details

Existing query that upserts vulnerability statistics, collected by running a spec:

upsert query

INSERT INTO vulnerability_statistics
  AS target (project_id, letter_grade, created_at, updated_at, "info", "unknown", "low", "medium", "high", "critical")
  VALUES (1, 4, now(), now(), 0, 0, 0, 1, 0, 1), (17, 4, now(), now(), 0, 0, 0, 1, 0, 1)
ON CONFLICT (project_id)
  DO UPDATE SET
    "info" = TARGET."info" + EXCLUDED."info", "unknown" = TARGET."unknown" + EXCLUDED."unknown", "low" = TARGET."low" + EXCLUDED."low", "medium" = TARGET."medium" + EXCLUDED."medium", "high" = TARGET."high" + EXCLUDED."high", "critical" = TARGET."critical" + EXCLUDED."critical",
    letter_grade = (SELECT (
  CASE
  WHEN TARGET.critical + EXCLUDED.critical > 0 THEN
    4
  WHEN TARGET.high + TARGET.unknown + EXCLUDED.high + EXCLUDED.unknown > 0 THEN
    3
  WHEN TARGET.medium + EXCLUDED.medium > 0 THEN
    2
  WHEN TARGET.low + EXCLUDED.low > 0 THEN
    1
  ELSE
    0
  END
) as letter_grade
FROM
  (values (TARGET.critical, TARGET.unknown, TARGET.high, TARGET.medium, TARGET.low)) as TARGET (critical, unknown, high, medium, low),
  (values (EXCLUDED.critical, EXCLUDED.unknown, EXCLUDED.high, EXCLUDED.medium, EXCLUDED.low)) as EXCLUDED (critical, unknown, high, medium, low)
),
    updated_at = now()

Relevant links

#512592 (comment 2296600464)

Non-functional requirements

~~Documentation~~
~~Feature flag~~
~~Performance~~
Testing: update specs of ingestion task

Implementation plan

Update IngestVulnerabilityStatistics to set archived and traversal_ids when upserting rows.
Add specs for when these columns are upserted.

TBD: Should we upsert the vulnerability_statistics record even when the severity counts don't change? Right now the task exits early when they don't.

This is similar to updating similar columns in the IngestVulnerabilityReads::Update task.

Verification steps

rspec ee/spec/services/security/ingestion/tasks/ingest_vulnerability_statistics_spec.rb

Edited Jan 16, 2025 by Fabien Catteau