Merge pull request #5003 from wazuh/fix/4938-timeout-increase

Fix timeout and performance issues in Indexer E2E requests

CHANGELOG.md

@@ -37,6 +37,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- Fix timeout and performance issues in E2E Vulnerability Detector tests ([#5003](https:/wazuh/wazuh-qa/pull/5003)) \- (Framework)
 - Fix E2E Vulnerability Detection monitoring function ([#4959](https:/wazuh/wazuh-qa/pull/4959)) \- (Framework)
 - Fixed Filebeat provisioning role with pre-release and staging URLs ([#4950](https:/wazuh/wazuh-qa/pull/4950)) \- (Framework)
 - Fix macOS Vulnerability Detection handler provision in E2E tests ([#4948](https:/wazuh/wazuh-qa/pull/4948)) \- (Framework)

deps/wazuh_testing/wazuh_testing/end_to_end/indexer_api.py

@@ -22,7 +22,7 @@
 
 
 def get_indexer_values(host_manager: HostManager, credentials: dict = {'user': 'admin', 'password': 'changeme'},
- index: str = 'wazuh-alerts*', greater_than_timestamp=None) -> Dict:
+ index: str = 'wazuh-alerts*', greater_than_timestamp=None, agent: str = '') -> Dict:
  """
  Get values from the Wazuh Indexer API.
 
@@ -32,6 +32,7 @@ def get_indexer_values(host_manager: HostManager, credentials: dict = {'user': '
  {'user': 'admin', 'password': 'changeme'}.
  index (Optional): The Indexer index name. Defaults to 'wazuh-alerts*'.
  greater_than_timestamp (Optional): The timestamp to filter the results. Defaults to None.
+ agent (Optional): The agent name to filter the results. Defaults to ''.
 
  Returns:
  Dict: A dictionary containing the values retrieved from the Indexer API.
@@ -49,26 +50,37 @@ def get_indexer_values(host_manager: HostManager, credentials: dict = {'user': '
  }
  }
 
- if greater_than_timestamp:
+ if greater_than_timestamp and agent:
+ query = {
+ "bool": {
+ "must": [
+ {"range": {"@timestamp": {"gte": f"{greater_than_timestamp}"}}},
+ {"match": {"agent.name": f"{agent}"}}
+ ]
+ }
+ }
+
+ data['query'] = query
+ elif greater_than_timestamp:
  query = {
  "bool": {
  "must": [
- {"match_all": {}},
  {"range": {"@timestamp": {"gte": f"{greater_than_timestamp}"}}}
  ]
  }
  }
 
- sort = [
- {
- "@timestamp": {
- "order": "desc"
+ data['query'] = query
+ elif agent:
+ query = {
+ "bool": {
+ "must": [
+ {"match": {"agent.name": f"{agent}"}}
+ ]
  }
- }
- ]
+ }
 
  data['query'] = query
- data['sort'] = sort
 
  param = {
  'pretty': 'true',

deps/wazuh_testing/wazuh_testing/end_to_end/monitoring.py

@@ -140,7 +140,7 @@ def filter_events_by_timestamp(match_events: List) -> List:
 
  sleep(scan_interval)
 
- current_timeout += scan_interval
+ current_timeout = current_timeout + scan_interval
 
  if not regex_match:
  elements_not_found.append(element)

deps/wazuh_testing/wazuh_testing/end_to_end/regex.py

@@ -44,6 +44,12 @@
  'regex': '.*HOST_NAME.*package":.*name":"PACKAGE_NAME".*version":"PACKAGE_VERSION".*"'
  'architecture":"ARCHITECTURE.*"cve":"CVE"',
  'parameters': ['HOST_NAME', 'CVE', 'PACKAGE_NAME', 'PACKAGE_VERSION', 'ARCHITECTURE']
+ },
+ 'vuln_affected': {
+ 'regex': 'CVE.*? affects.*"?'
+ },
+ 'vuln_mitigated': {
+ 'regex': "The .* that affected .* was solved due to a package removal"
  }
 }
 

deps/wazuh_testing/wazuh_testing/end_to_end/vulnerability_detector.py

@@ -6,9 +6,7 @@
 Functions:
  - load_packages_metadata: Load packages metadata from the packages.json file.
  - check_vuln_state_index: Check vulnerability state index for a host.
- - get_alerts_by_agent: Get specific alerts by agent.
  - get_indexed_vulnerabilities_by_agent: Get indexed vulnerabilities by agent.
- - get_vulnerabilities_alerts_indexer: Get vulnerabilities alerts by agent.
  - check_vuln_alert_indexer: Check vulnerability alerts in the indexer for a host.
 
 
@@ -24,6 +22,7 @@
 
 from wazuh_testing.tools.system import HostManager
 from wazuh_testing.end_to_end.indexer_api import get_indexer_values
+from wazuh_testing.end_to_end.regex import REGEX_PATTERNS 
 
 
 def load_packages_metadata() -> Dict:
@@ -107,28 +106,31 @@ def check_vuln_state_index(host_manager: HostManager, host: str, package: Dict[s
  return expected_alerts_not_found
 
 
-def get_alerts_by_agent(alerts, regex) -> Dict:
+def parse_vulnerability_detector_alerts(alerts) -> Dict:
  """
- Get specific alerts by agent.
+ Parse vulnerability detector alerts.
 
  Args:
  alerts (list): List of alerts.
- regex (str): Regular expression to match the alerts.
 
  Returns:
  dict: Dictionary containing the alerts by agent.
  """
- alerts_vuln_by_agent = {}
+ vulnerability_detector_alerts = {}
+ vulnerability_detector_alerts['affected'] = []
+ vulnerability_detector_alerts['mitigated'] = []
 
+ vuln_affected_regex = REGEX_PATTERNS['vuln_affected']['regex']
+ vuln_mitigated_regex = REGEX_PATTERNS['vuln_mitigated']['regex']
+
+ # Parse affected vuln alerts
  for alert in alerts:
- if re.match(regex, alert['_source']['rule']['description']):
- if 'agent' in alert['_source']:
- agent = alert['_source']['agent']['name']
- if agent not in alerts_vuln_by_agent:
- alerts_vuln_by_agent[agent] = []
- alerts_vuln_by_agent[agent].append(alert)
+ if re.match(vuln_affected_regex, alert['_source']['rule']['description']):
+ vulnerability_detector_alerts['affected'].append(alert)
+ elif re.match(vuln_mitigated_regex['regex'], alert['_source']['rule']['description']):
+ vulnerability_detector_alerts['mitigated'].append(alert)
 
- return alerts_vuln_by_agent
+ return vulnerability_detector_alerts
 
 
 def get_indexed_vulnerabilities_by_agent(indexed_vulnerabilities) -> Dict:
@@ -152,28 +154,6 @@ def get_indexed_vulnerabilities_by_agent(indexed_vulnerabilities) -> Dict:
  return vulnerabilities_by_agent
 
 
-def get_vulnerabilities_alerts_indexer(host_manager: HostManager, greater_than_timestamp: str = "",
- vuln_mitigated=False) -> Dict:
- """Get vulnerabilities alerts by agent.
-
- Args:
- host_manager (HostManager): An instance of the HostManager class containing information about hosts.
- host (str): Host name.
- greater_than_timestamp (str): Datetime to filter the vulnerability state index.
- vuln_mitigated (bool): Indicates if the vulnerability is mitigated.
-
- Returns:
- dict: Dictionary containing the indexed vulnerabilities by agent.
- """
-
- indexer_alerts = get_indexer_values(host_manager, greater_than_timestamp=greater_than_timestamp)['hits']['hits']
-
- regex_to_match = "CVE.* affects .*" if not vuln_mitigated else \
- "The .* that affected .* was solved due to a package removal"
-
- return get_alerts_by_agent(indexer_alerts, regex_to_match)
-
-
 def check_vuln_alert_indexer(vulnerabilities_alerts: Dict, host: str, package: Dict[str, Dict],
  current_datetime: str = '') -> List:
  """