I have an index containing vulnerable dependencies and their status in repositories. I don't want to remove the alerts when they are resolved, as I also want to log that the vulnerability has been patched.
However, this means that I end up with some data that I'm not sure what would be the best way to deal with.
Here is a simplified example of what my data looks like:
_id | alert_id | repository | alert_name | action |
---|---|---|---|---|
1 | 1 | car_repository | jwt | created |
2 | 2 | car_repository | express | created |
3 | 2 | car_repository | express | resolved |
4 | 5 | boat_repository | express | created |
5 | 3 | car_repository | log4j | resolved |
6 | 3 | car_repository | log4j | created |
7 | 4 | boat_repository | log4j | created |
In total, 5 vulnerability warnings have been created. 2 of them have been resolved. Now, what I want to do is show the current status. We have 3 active vulnerabilities still. How would I go about only showing the 3 relevant rows? (1, 4 and 7)
Keep in mind that I am still pretty new to using ELK/OpenStack, so I don't know if this is best solved using queries or filters, or if it would help dividing into multiple indices.
I'd say the easiest way would be to maintain 2 indices: one for actions with what you have in the table above, and one with vulnerabilities and their current status. So whenever you're creating a "created" action you would also create a vulnerability doc with status == "created", and when you create an action which is not "created" you'll update_by_query that doc to set status = "resolved". Then your query would become super simple.
Alternative would be to use collapse but in my experience its behavior is quite confusing when you try to paginate or aggregate the results.
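As an added example (not code from the question or the answer above), the two-index bookkeeping the answer describes, simulated in memory in Python so it runs offline. The action log is the question's table, copied here as constructed input; no Elasticsearch client is involved. The `_update_by_query` and status-query bodies are the request shapes such a setup would send, with assumed field names (`alert_id`, `repository`, `status`). One caveat the question's data forces: rows 5 and 6 record a "resolved" action before the "created" one for alert 3, so the replay remembers a "resolved" seen for a not-yet-created alert and lets it win over the later "created" (a design choice made here, not something the answer states); with that rule the active rows come out as 1, 4 and 7, matching the question.

```python
"""Simulate the two-index design: an append-only actions index plus a
vulnerabilities index holding one status doc per alert_id.
Field names, request-body shapes and the replay rule are assumptions."""

# Constructed input: the action log from the question (the "actions" index).
ACTIONS = [
    {"_id": 1, "alert_id": 1, "repository": "car_repository", "alert_name": "jwt", "action": "created"},
    {"_id": 2, "alert_id": 2, "repository": "car_repository", "alert_name": "express", "action": "created"},
    {"_id": 3, "alert_id": 2, "repository": "car_repository", "alert_name": "express", "action": "resolved"},
    {"_id": 4, "alert_id": 5, "repository": "boat_repository", "alert_name": "express", "action": "created"},
    {"_id": 5, "alert_id": 3, "repository": "car_repository", "alert_name": "log4j", "action": "resolved"},
    {"_id": 6, "alert_id": 3, "repository": "car_repository", "alert_name": "log4j", "action": "created"},
    {"_id": 7, "alert_id": 4, "repository": "boat_repository", "alert_name": "log4j", "action": "created"},
]


def update_by_query_body(alert_id, repository):
    """Body for POST vulnerabilities/_update_by_query that flips the one
    status doc for this alert to status=resolved (assumed field names)."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"alert_id": alert_id}},
            {"term": {"repository": repository}},
        ]}},
        "script": {"lang": "painless", "source": "ctx._source.status = 'resolved'"},
    }


# The "super simple" query against the vulnerabilities index: open alerts only.
ACTIVE_QUERY = {"query": {"term": {"status": "created"}}}


def build_status_index(actions):
    """Replay the action log into the vulnerabilities index (alert_id -> doc).

    A "created" action upserts the doc; any other action marks it resolved.
    Replay rule (assumption): a "resolved" seen before the matching "created"
    is kept, so the later "created" does not reopen the alert. This is what
    makes rows 5/6 in the question count as resolved.
    """
    status = {}
    for a in sorted(actions, key=lambda d: d["_id"]):
        doc = status.setdefault(a["alert_id"], {
            "alert_id": a["alert_id"],
            "repository": a["repository"],
            "alert_name": a["alert_name"],
            "status": None,       # unknown until an action is applied
            "created_by": None,   # _id of the "created" action row
        })
        if a["action"] == "created":
            doc["created_by"] = a["_id"]
            if doc["status"] is None:
                doc["status"] = "created"
        else:
            # Mirrors update_by_query_body(): any non-"created" action resolves.
            doc["status"] = "resolved"
    return status


def active_rows(actions):
    """_ids of the "created" rows whose alert is still open, ascending."""
    status = build_status_index(actions)
    return sorted(
        doc["created_by"]
        for doc in status.values()
        if doc["status"] == "created" and doc["created_by"] is not None
    )


if __name__ == "__main__":
    print("active rows:", active_rows(ACTIONS))
    print("resolve body:", update_by_query_body(2, "car_repository"))
```

If alerts can legitimately be reopened, the replay rule above is the wrong one: then you need a real timestamp on each action (the `_id` order in the question is not reliable for this, as rows 5 and 6 show) and "latest action wins" instead.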