From efbee18dc90d50bf099acca998290a06fe3c584e Mon Sep 17 00:00:00 2001
From: Maxim Kholod
Date: Tue, 15 Aug 2023 10:41:14 +0300
Subject: [PATCH] [Cloud Security] do not filter out CNVM documents with missing or unknown severity (#163419)
## Summary
This PR removes filtering vulnerabilities where the `severity` field is missing or is different from CRITICAL, HIGH, MEDIUM or LOW. Right now this is handled ok in the data grid but won't be reflected in the severity map or trend chart components. Screenshot 2023-08-08 at 17 42 46 fixes - https://github.com/elastic/security-team/issues/7289
---
 .../utils/get_safe_vulnerabilities_query_filter.ts | 13 -------------
 .../vulnerabilities/utils/custom_sort_script.ts | 10 +++++-----
 2 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/common/utils/get_safe_vulnerabilities_query_filter.ts b/x-pack/plugins/cloud_security_posture/common/utils/get_safe_vulnerabilities_query_filter.ts
index fb2bbd1c51273b..dace996d869065 100644
--- a/x-pack/plugins/cloud_security_posture/common/utils/get_safe_vulnerabilities_query_filter.ts
+++ b/x-pack/plugins/cloud_security_posture/common/utils/get_safe_vulnerabilities_query_filter.ts
@@ -5,7 +5,6 @@
 * 2.0.
 */
 import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
-import { VULNERABILITIES_SEVERITY } from '../constants';
 export const getSafeVulnerabilitiesQueryFilter = (query?: QueryDslQueryContainer) => ({
 ...query,
@@ -13,20 +12,8 @@ export const getSafeVulnerabilitiesQueryFilter = (query?: QueryDslQueryContainer
 ...query?.bool,
 filter: [
 ...((query?.bool?.filter as []) || []),
- {
- bool: {
- minimum_should_match: 1,
- should: [
- { match_phrase: { 'vulnerability.severity': VULNERABILITIES_SEVERITY.CRITICAL } },
- { match_phrase: { 'vulnerability.severity': VULNERABILITIES_SEVERITY.HIGH } },
- { match_phrase: { 'vulnerability.severity': VULNERABILITIES_SEVERITY.MEDIUM } },
- { match_phrase: { 'vulnerability.severity': VULNERABILITIES_SEVERITY.LOW } },
- ],
- },
- },
 { exists: { field: 'vulnerability.score.base' } },
 { exists: { field: 'vulnerability.score.version' } },
- { exists: { field: 'vulnerability.severity' } },
 { exists: { field: 'resource.id' } },
 { exists: { field: 'resource.name' } },
 ],
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/custom_sort_script.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/custom_sort_script.ts
index bd1cb1df462213..d184b0ed568a45 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/custom_sort_script.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/custom_sort_script.ts
@@ -28,13 +28,13 @@ export const severitySortScript = (direction: string) => ({
 script: {
 lang: 'painless',
 inline:
-"if(params.scores.containsKey(doc['vulnerability.severity'].value)) { return params.scores[doc['vulnerability.severity'].value];} return 1000;",
+"if(doc.containsKey('vulnerability.severity') && !doc['vulnerability.severity'].empty && doc['vulnerability.severity'].size()!=0 && doc['vulnerability.severity'].value!=null && params.scores.containsKey(doc['vulnerability.severity'].value)) { return params.scores[doc['vulnerability.severity'].value];} return 0;",
 params: {
 scores: {
- LOW: 0,
- MEDIUM: 1,
- HIGH: 2,
- CRITICAL: 3,
+ LOW: 1,
+ MEDIUM: 2,
+ HIGH: 3,
+ CRITICAL: 4,
 },
 },
 },
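Review bot: With the severity clauses removed, `getSafeVulnerabilitiesQueryFilter` now admits documents whose `vulnerability.severity` is absent or holds a value outside CRITICAL/HIGH/MEDIUM/LOW, and nothing on the function records that this is intentional; a reader of the remaining `exists` clauses cannot tell whether severity was dropped on purpose or by accident. Suggest a TSDoc on the declaration (which sits in the preceding hunk; the object's closing lines are outside this one) along the lines of `/** Narrows a vulnerabilities query to documents that carry a base score, score version and resource id/name. vulnerability.severity is deliberately not required so that findings with a missing or unknown severity still reach the grid, severity map and trend chart. */`. As far as I can tell, consumers that run a terms aggregation on `vulnerability.severity` will still not see the severity-less documents in any bucket unless they set a `missing` value, so the severity map and trend chart this PR is meant to fix should be checked against that. The `as []` on the filter spread is pre-existing, but a typed cast such as `QueryDslQueryContainer[]` would avoid asserting an empty tuple type.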
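Review bot: The new Painless guard on the `inline` line tests the same condition three times: `!doc['vulnerability.severity'].empty`, `doc['vulnerability.severity'].size()!=0` and `.value!=null` all reduce to "the doc values are non-empty" (assuming `vulnerability.severity` is a keyword), so the script could read `if (doc.containsKey('vulnerability.severity') && !doc['vulnerability.severity'].empty && params.scores.containsKey(doc['vulnerability.severity'].value)) { return params.scores[doc['vulnerability.severity'].value]; } return 0;`. Returning `0` while LOW becomes 1 moves unknown/missing severities below LOW instead of above CRITICAL (the old `1000`), which is reasonable but worth a comment next to `scores`, e.g. `// 0 = missing/unknown severity, ranked below LOW in either sort direction`. `inline` is, if I remember correctly, the deprecated alias of `source` for a script body, so this would be a good moment to switch the key. The `direction: string` parameter on the signature line could be narrowed to `'asc' | 'desc'` since it is presumably passed through as the sort order.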