aws.inspector: fix CLOSED/SUPPRESSED findings staying ACTIVE#19918
aws.inspector: fix CLOSED/SUPPRESSED findings staying ACTIVE#19918kcreddy wants to merge 7 commits into
Conversation
AWS Inspector findings that were marked CLOSED or SUPPRESSED in AWS remained ACTIVE in Elastic, inflating active vulnerability counts on the Vulnerability Findings page. Two independent defects caused this. Ingestion gap: the httpjson input polled and advanced its cursor on lastObservedAt, which AWS freezes once it stops observing a finding. Status transitions to CLOSED/SUPPRESSED (which move updatedAt, not lastObservedAt) fell outside the poll window and were never collected. Switch the filter to updatedAt. Because the Inspector API cannot sort by updatedAt, the cursor stores the poll time as a time-based high-water mark instead of the last event's timestamp. Transform gap: the latest transform source query filtered on aws.inspector.status: ACTIVE, so SUPPRESSED/CLOSED documents never entered the transform and could not displace the stale ACTIVE record. Remove that filter so the latest document per finding reflects the current status, and bump fleet_transform_version to reinstall. Map aws.inspector.status to the ECS vulnerability.status field (ACTIVE/SUPPRESSED -> open, CLOSED -> fixed) so remediated findings can be filtered out on the Vulnerability Findings page. SUPPRESSED is mapped to open because the vulnerability is still present; users can hide it with NOT aws.inspector.status: SUPPRESSED. Document this in the Inspector README and add the vulnerability.status field to the data stream and transform mappings.
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
…fsets the poll cursor to tolerate delay between when a finding's `updatedAt` is set and when it becomes available from the API, preventing missed findings.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
This comment has been minimized.
This comment has been minimized.
|
|
||
| ## Vulnerability status | ||
|
|
||
| The integration maps the Amazon Inspector finding status (`aws.inspector.status`) to the ECS `vulnerability.status` field so the [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3) can distinguish active from remediated findings: |
There was a problem hiding this comment.
Severity: 🔵 Low confidence: high path: packages/aws/_dev/build/docs/inspector.md:54
Docs call vulnerability.status an ECS field, but it is a custom package field; reword to avoid implying ECS provenance.
Details
The new section states the integration maps aws.inspector.status to "the ECS vulnerability.status field". ECS has no vulnerability.status field (the ECS vulnerability field set ends at vulnerability.severity). This PR correctly defines vulnerability.status as a custom keyword in fields/vulnerability.yml, so it is a package-defined field, not ECS. The same inaccurate "ECS" phrasing also appears in changelog.yml (6.21.0 enhancement entry) and in the ingest_pipeline/default.yml comment ("ECS vulnerability lifecycle field"). Calling a custom field an ECS field can mislead maintainers about its provenance and mapping guarantees.
Recommendation:
Describe it as a custom field mapped alongside ECS vulnerability.* fields rather than an ECS field. For example:
The integration maps the Amazon Inspector finding status (`aws.inspector.status`) to the package field `vulnerability.status` so the [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3) can distinguish active from remediated findings:Apply the same wording fix to the changelog entry and the pipeline comment for consistency.
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
There was a problem hiding this comment.
@kcreddy - seems right according to https://www.elastic.co/docs/reference/ecs/ecs-vulnerability
There was a problem hiding this comment.
Yeah the field is still in RFC until 9.5. Changed the wording in 2ce4301.
I am more concerned about the bot finding these pre-existing issues late. The bot's earlier review had no issues: #19918 (comment) and my latest commit had nothing to do with the current issue.
I found this has been case with community PRs as well. The community author fixes the bot's current issues, and then the bot finds new issues (not related to latest commit, but from much earlier commits).
I think it causes slower merges, increased CI costs, and also reviewer fatigue.
Review summaryIssues found across the latest commits 5aefd1f — 1 low
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
|
TL;DR
Remediation
Investigation detailsRoot CauseThis is generated documentation drift. Buildkite regenerated Evidence in the PR head: The sample event timestamps come from the Inspector mock response template, which uses relative So after regenerating Evidence
Verification
What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
|
✅ All changelog entries have the correct PR link. |
💔 Build Failed
Failed CI StepsHistory
cc @kcreddy |
Proposed commit message
Checklist
changelog.ymlfile.How to test this PR locally
Screenshots
Confirmed transform index now populates CLOSED vulnerabilities.