Add vulnerabilities risk score finder (!209324) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Adds risk score aggregation query to Search::Elastic::VulnerabilityAggregations
Uses the above query in Search::Elastic::VulnerabilityQueryBuilder
Creates Security::VulnerabilityElasticRiskScoresFinder which uses the above query to fetch project/group risk scores.

Logic -

Project/Group Risk Score = min(1.0, (ΣVulnerability_risk_score + (ΣVulnerability_age_in_month) x 0.005) × 1/√(number_of_vulnerabilities))

Keeping that in mind if we look at the score formula closely vulnerability_age_in_months is nothing but -

Σ(current_time - created_at) which can be simplified further to

Num_vulnerabilities*current_epoch_time - Σcreated_at_in_epoch_time

We can then use this simplification to calculate total risk scores without using scripts. More info on the issue - #571079 (comment 2816510162)

References

Relates to - #571079

Screenshots or screen recordings

Before	After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Oct 21, 2025 by Rushik Subba

Add vulnerabilities risk score finder

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports