[Cloud Security] Update Vulnerability Flyout to match Security Solution Flyout (#218515)

## Summary

This PR covers both, changing the way we render Vulnerability Flyout as
well as Updating the UI for the Vulnerability flyout.

This PR also combines both UI updates for Vulnerability Flyout ( one of
the Expandable flyout and the other for supporting multiple value for a
given fields)

Now Vulnerability flyout will have similar looks to other Flyout from
Security Solution and instead of rendering it normally, we are using
Expandable API hook to call what Flyout it supposed to render


https://github.com/user-attachments/assets/898a1f12-be6f-4f78-9e9f-3ac8af2a153d

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: alex prozorov <[email protected]>

Author: 3 people

.github/CODEOWNERS

@@ -2640,6 +2640,7 @@ x-pack/solutions/security/plugins/security_solution/public/cloud_security_postur
 x-pack/solutions/security/plugins/security_solution/public/kubernetes @elastic/kibana-cloud-security-posture
 x-pack/solutions/security/plugins/security_solution/server/lib/asset_inventory @elastic/kibana-cloud-security-posture
 x-pack/solutions/security/plugins/security_solution/public/flyout/entity_details/universal_right @elastic/kibana-cloud-security-posture
+/x-pack/solutions/security/plugins/security_solution/public/flyout/csp_details @elastic/kibana-cloud-security-posture
 
 ## Fleet plugin (co-owned with Fleet team)
 x-pack/platform/plugins/shared/fleet/public/components/cloud_security_posture @elastic/fleet @elastic/kibana-cloud-security-posture

x-pack/platform/plugins/private/translations/translations/fr-FR.json

@@ -15416,22 +15416,11 @@
     "xpack.csp.vulnerabilities.groupUnit.resource": "{groupCount} {groupCount, plural, =1 {ressource} other {ressources}}",
     "xpack.csp.vulnerabilities.unit": "{totalCount, plural, =1 {vulnérabilité} other {vulnérabilités}}",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.packageTitle": "Pack",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceId": "ID ressource",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceName": "Nom de ressource",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.versionTitle": "Version",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.jsonTabLabel": "JSON",
-    "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.loadingAriaLabel": "Chargement",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.overviewTabLabel": "Aperçu",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.tableTabLabel": "Tableau",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.alertsTitle": "Alertes",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.descriptionTitle": "Description",
     "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.emptyFixesMessage": "Aucun correctif n'est disponible pour l'instant.",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.fixes": "Corrigé par",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vendorTitle": "Fournisseur",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vulnerabilityScores": "Scores de vulnérabilité",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.cvsScore": "CVSS",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.dataSource": "Source de données",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.publishedDateText": "{date}",
     "xpack.csp.vulnerabilitiesByResource.severityMap.tooltipTitle": "Carte des degrés de gravité",
     "xpack.csp.vulnerability_dashboard.cspPageTemplate.pageTitle": "Gestion des vulnérabilités natives du cloud",
     "xpack.csp.vulnerabilityDashboard.trendGraphChart.accountsDropDown.option.allTitle": "Tous",

x-pack/platform/plugins/private/translations/translations/ja-JP.json

@@ -15397,22 +15397,11 @@
     "xpack.csp.vulnerabilities.groupUnit.resource": "{groupCount} {groupCount, plural, other {個のリソース}}",
     "xpack.csp.vulnerabilities.unit": "{totalCount, plural, other {脆弱性}}",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.packageTitle": "パッケージ",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceId": "リソースID",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceName": "リソース名",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.versionTitle": "Version",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.jsonTabLabel": "JSON",
-    "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.loadingAriaLabel": "読み込み中",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.overviewTabLabel": "概要",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.tableTabLabel": "表",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.alertsTitle": "アラート",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.descriptionTitle": "説明",
     "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.emptyFixesMessage": "まだ利用可能な修正はありません。",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.fixes": "修正者",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vendorTitle": "ベンダー",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vulnerabilityScores": "脆弱性スコア",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.cvsScore": "CVSS",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.dataSource": "データソース",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.publishedDateText": "{date}",
     "xpack.csp.vulnerabilitiesByResource.severityMap.tooltipTitle": "重要度マップ",
     "xpack.csp.vulnerability_dashboard.cspPageTemplate.pageTitle": "Cloud Native Vulnerability Management",
     "xpack.csp.vulnerabilityDashboard.trendGraphChart.accountsDropDown.option.allTitle": "すべて",

x-pack/platform/plugins/private/translations/translations/zh-CN.json

@@ -15431,22 +15431,11 @@
     "xpack.csp.vulnerabilities.groupUnit.resource": "{groupCount} 个{groupCount, plural, other {资源}}",
     "xpack.csp.vulnerabilities.unit": "{totalCount, plural, other {个漏洞}}",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.packageTitle": "软件包",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceId": "资源 ID",
-    "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.resourceName": "资源名称",
     "xpack.csp.vulnerabilities.vulnerabilitiesFindingFlyout.flyoutDescriptionList.versionTitle": "版本",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.jsonTabLabel": "JSON",
-    "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.loadingAriaLabel": "正在加载",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.overviewTabLabel": "概览",
     "xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.tableTabLabel": "表",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.alertsTitle": "告警",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.descriptionTitle": "描述",
     "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.emptyFixesMessage": "尚没有修复可用。",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.fixes": "固定方式",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vendorTitle": "向量",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTab.vulnerabilityScores": "漏洞分数",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.cvsScore": "CVSS",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.dataSource": "数据源",
-    "xpack.csp.vulnerabilities.vulnerabilityOverviewTile.publishedDateText": "{date}",
     "xpack.csp.vulnerabilitiesByResource.severityMap.tooltipTitle": "严重性映射",
     "xpack.csp.vulnerability_dashboard.cspPageTemplate.pageTitle": "云原生漏洞管理",
     "xpack.csp.vulnerabilityDashboard.trendGraphChart.accountsDropDown.option.allTitle": "全部",

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/index.ts

@@ -24,3 +24,4 @@ export { createMisconfigurationFindingsQuery } from './src/utils/findings_query_
 export { ActionableBadge, type MultiValueCellAction } from './src/components/actionable_badge';
 export { MultiValueCellPopover } from './src/components/multi_value_cell_popover';
 export { findReferenceLink } from './src/utils/find_reference_link.util';
+export { getVulnerabilitiesQuery } from './src/utils/findings_query_builders';

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/src/hooks/use_vulnerability_finding.ts

@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { useQuery } from '@tanstack/react-query';
+import { useKibana } from '@kbn/kibana-react-plugin/public';
+import { lastValueFrom } from 'rxjs';
+import type { IKibanaSearchResponse, IKibanaSearchRequest } from '@kbn/search-types';
+import {
+  SearchRequest,
+  SearchResponse,
+  AggregationsMultiBucketAggregateBase,
+  AggregationsStringRareTermsBucketKeys,
+} from '@elastic/elasticsearch/lib/api/types';
+import type { CspVulnerabilityFinding } from '@kbn/cloud-security-posture-common/schema/vulnerabilities/latest';
+import type { CoreStart } from '@kbn/core/public';
+import {
+  CDR_3RD_PARTY_RETENTION_POLICY,
+  CDR_VULNERABILITIES_INDEX_PATTERN,
+} from '@kbn/cloud-security-posture-common';
+import type { CspClientPluginStartDeps, UseCspOptions } from '../types';
+import { showErrorToast } from '../..';
+
+type LatestFindingsRequest = IKibanaSearchRequest<SearchRequest>;
+type LatestFindingsResponse = IKibanaSearchResponse<
+  SearchResponse<CspVulnerabilityFinding, FindingsAggs>
+>;
+
+interface FindingsAggs {
+  count: AggregationsMultiBucketAggregateBase<AggregationsStringRareTermsBucketKeys>;
+}
+
+const buildGetVulnerabilityFindingsQuery = ({ query }: UseCspOptions) => ({
+  index: CDR_VULNERABILITIES_INDEX_PATTERN,
+  size: 1,
+  ignore_unavailable: true,
+  query: buildVulnerabilityFindingsQueryWithFilters(query),
+});
+
+const buildVulnerabilityFindingsQueryWithFilters = (query: UseCspOptions['query']) => {
+  return {
+    ...query,
+    bool: {
+      ...query?.bool,
+      filter: [
+        ...(query?.bool?.filter ?? []),
+        {
+          range: {
+            '@timestamp': {
+              gte: `now-${CDR_3RD_PARTY_RETENTION_POLICY}`,
+              lte: 'now',
+            },
+          },
+        },
+      ],
+    },
+  };
+};
+
+export const useVulnerabilityFinding = (options: UseCspOptions) => {
+  const {
+    data,
+    notifications: { toasts },
+  } = useKibana<CoreStart & CspClientPluginStartDeps>().services;
+  /**
+   * We're using useInfiniteQuery in this case to allow the user to fetch more data (if available and up to 10k)
+   * useInfiniteQuery differs from useQuery because it accumulates and caches a chunk of data from the previous fetches into an array
+   * it uses the getNextPageParam to know if there are more pages to load and retrieve the position of
+   * the last loaded record to be used as a from parameter to fetch the next chunk of data.
+   */
+  return useQuery(
+    ['csp_vulnerabilities_findings', { params: options }],
+    async () => {
+      const {
+        rawResponse: { hits },
+      } = await lastValueFrom(
+        data.search.search<LatestFindingsRequest, LatestFindingsResponse>({
+          params: buildGetVulnerabilityFindingsQuery(options) as LatestFindingsRequest['params'],
+        })
+      );
+      return {
+        result: hits,
+      };
+    },
+    {
+      keepPreviousData: true,
+      enabled: options.enabled,
+      onError: (err: Error) => showErrorToast(toasts, err),
+    }
+  );
+};

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/src/types.ts

@@ -22,7 +22,11 @@ import type { FleetStart } from '@kbn/fleet-plugin/public';
 import type { UsageCollectionStart } from '@kbn/usage-collection-plugin/public';
 import { SharePluginStart } from '@kbn/share-plugin/public';
 import { SpacesPluginStart } from '@kbn/spaces-plugin/public';
-import { CspFinding, RuleResponse } from '@kbn/cloud-security-posture-common';
+import {
+  CspFinding,
+  CspVulnerabilityFinding,
+  RuleResponse,
+} from '@kbn/cloud-security-posture-common';
 import type { estypes } from '@elastic/elasticsearch';
 import type { IKibanaSearchResponse, IKibanaSearchRequest } from '@kbn/search-types';
 
@@ -131,3 +135,32 @@ export interface FindingMisconfigurationFlyoutContentProps {
   createRuleFn: (http: HttpSetup) => Promise<RuleResponse>;
   isPreviewMode?: boolean;
 }
+
+export interface FindingVulnerabilityFlyoutProps extends Record<string, unknown> {
+  vulnerabilityId: string | string[];
+  resourceId: string;
+  packageName: string | string[];
+  packageVersion: string | string[];
+  eventId: string;
+}
+export interface FindingVulnerabilityPanelExpandableFlyoutProps extends FlyoutPanelProps {
+  key: 'findings-vulnerability-panel';
+  params: FindingVulnerabilityFlyoutProps;
+}
+
+export interface FindingsVulnerabilityFlyoutHeaderProps {
+  finding: CspVulnerabilityFinding;
+}
+
+export interface FindingsVulnerabilityFlyoutContentProps {
+  finding: CspVulnerabilityFinding;
+}
+
+export interface FindingsVulnerabilityFlyoutFooterProps {
+  createRuleFn: (http: HttpSetup) => Promise<RuleResponse>;
+}
+
+export interface FindingVulnerabilityFullFlyoutContentProps {
+  finding: CspVulnerabilityFinding;
+  createRuleFn: (http: HttpSetup) => Promise<RuleResponse>;
+}

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/src/utils/findings_query_builders.ts

@@ -240,3 +240,40 @@ export const createMisconfigurationFindingsQuery = (resourceId?: string, ruleId?
     },
   };
 };
+
+/* 
+The event.id is important in this query because removing it can lead to unintended results—specifically, 
+if vulnerabilityId = ['a'], the query may return documents where vulnerabilityId is ['a'], ['a', 'b'], and so on. 
+This happens because the check only verifies if the value exists within the combined string representation.
+*/
+export const createGetVulnerabilityFindingsQuery = (
+  vulnerabilityId?: string | string[],
+  resourceId?: string | string[],
+  packageName?: string | string[],
+  packageVersion?: string | string[],
+  eventId?: string | string[]
+) => {
+  const filters: Array<{ terms: Record<string, string[]> }> = [];
+
+  const addTermFilter = (field: string, value?: string | string[]) => {
+    if (value !== undefined) {
+      filters.push({
+        terms: {
+          [field]: Array.isArray(value) ? value : [value],
+        },
+      });
+    }
+  };
+
+  addTermFilter('vulnerability.id', vulnerabilityId);
+  addTermFilter('resource.id', resourceId);
+  addTermFilter('package.name', packageName);
+  addTermFilter('package.version', packageVersion);
+  addTermFilter('event.id', eventId);
+
+  return {
+    bool: {
+      filter: filters,
+    },
+  };
+};

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/src/utils/is_native_csp_finding.test.ts

@@ -50,7 +50,6 @@ describe('isNativeCspFinding', () => {
         dataset: undefined,
       },
     } as CspFinding;
-
     expect(isNativeCspFinding(findingWithUndefinedDataset)).toBe(false);
   });
 });

x-pack/solutions/security/packages/kbn-cloud-security-posture/public/src/utils/is_native_csp_finding.ts

@@ -7,8 +7,10 @@
 
 import { CspFinding, CSP_MISCONFIGURATIONS_DATASET } from '@kbn/cloud-security-posture-common';
 import { CspVulnerabilityFinding } from '@kbn/cloud-security-posture-common/schema/vulnerabilities/csp_vulnerability_finding';
-import { CSP_VULN_DATASET } from './get_vendor_name';
+import { CSP_VULN_DATASET, QUALYS_VULN_DATASET, WIZ_VULN_DATASET } from './get_vendor_name';
 
 export const isNativeCspFinding = (finding: CspFinding | CspVulnerabilityFinding) =>
   finding.data_stream?.dataset === CSP_MISCONFIGURATIONS_DATASET ||
-  finding.data_stream?.dataset === CSP_VULN_DATASET;
+  finding.data_stream?.dataset === CSP_VULN_DATASET ||
+  finding.data_stream?.dataset === WIZ_VULN_DATASET ||
+  (finding.data_stream?.dataset?.startsWith(QUALYS_VULN_DATASET) ?? false);

x-pack/solutions/security/plugins/cloud_security_posture/public/common/hooks/use_expandable_flyout_csp.ts

@@ -6,11 +6,13 @@
  */
 
 import { useContext, useCallback, useState } from 'react';
-import { CspFinding } from '@kbn/cloud-security-posture-common';
+import { CspFinding, CspVulnerabilityFinding } from '@kbn/cloud-security-posture-common';
 import { DataTableRecord } from '@kbn/discover-utils';
 import { SecuritySolutionContext } from '../../application/security_solution_context';
 
-export const useExpandableFlyoutCsp = () => {
+export const useExpandableFlyoutCsp = (
+  flyoutType: 'misconfiguration' | 'vulnerability' = 'misconfiguration'
+) => {
   const [expandedDoc, setExpandedDoc] = useState<DataTableRecord | undefined>(undefined);
   const securitySolutionContext = useContext(SecuritySolutionContext);
 
@@ -34,18 +36,36 @@ export const useExpandableFlyoutCsp = () => {
   setFlyoutCloseCallback(setExpandedDoc);
 
   const onExpandDocClick = (record?: DataTableRecord | undefined) => {
+    let finding;
     if (record) {
-      const finding = record?.raw?._source as unknown as CspFinding;
-      setExpandedDoc(record);
-      openFlyout({
-        right: {
-          id: 'findings-misconfiguration-panel',
-          params: {
-            resourceId: finding.resource.id,
-            ruleId: finding.rule.id,
+      if (flyoutType === 'vulnerability') {
+        finding = record?.raw?._source as unknown as CspVulnerabilityFinding;
+        setExpandedDoc(record);
+        openFlyout({
+          right: {
+            id: 'findings-vulnerability-panel',
+            params: {
+              vulnerabilityId: finding?.vulnerability?.id,
+              resourceId: finding?.resource?.id,
+              packageName: finding?.package?.name,
+              packageVersion: finding?.package?.version,
+              eventId: finding?.event?.id,
+            },
           },
-        },
-      });
+        });
+      } else {
+        finding = record?.raw?._source as unknown as CspFinding;
+        setExpandedDoc(record);
+        openFlyout({
+          right: {
+            id: 'findings-misconfiguration-panel',
+            params: {
+              resourceId: finding.resource.id,
+              ruleId: finding.rule.id,
+            },
+          },
+        });
+      }
     } else {
       closeFlyout();
       setExpandedDoc(undefined);

x-pack/solutions/security/plugins/cloud_security_posture/public/components/cloud_security_data_table/cloud_security_data_table.tsx

@@ -101,6 +101,8 @@ export interface CloudSecurityDataTableProps {
    * Specify if distribution bar is shown on data table, used to calculate height of data table in virtualized mode
    */
   hasDistributionBar?: boolean;
+  /* Specify Flyout type so the expandable API hook knows what parameter it uses to call the flout */
+  flyoutType?: 'misconfiguration' | 'vulnerability';
 }
 
 export const CloudSecurityDataTable = ({
@@ -118,6 +120,7 @@ export const CloudSecurityDataTable = ({
   createRuleFn,
   columnHeaders,
   hasDistributionBar = true,
+  flyoutType = 'misconfiguration',
   ...rest
 }: CloudSecurityDataTableProps) => {
   const {
@@ -247,7 +250,7 @@ export const CloudSecurityDataTable = ({
     return customCellRenderer(rows);
   }, [customCellRenderer, rows]);
 
-  const { expandedDoc, onExpandDocClick } = useExpandableFlyoutCsp();
+  const { expandedDoc, onExpandDocClick } = useExpandableFlyoutCsp(flyoutType);
 
   if (!onExpandDocClick) {
     return <></>;
@@ -325,7 +328,7 @@ export const CloudSecurityDataTable = ({
           height: computeDataTableRendering.wrapperHeight,
         }}
       >
-        <EuiProgress size="xs" color="accent" style={loadingStyle} />
+        <EuiProgress size="xs" color="accent" css={loadingStyle} />
         <UnifiedDataTable
           key={computeDataTableRendering.mode}
           className={styles.gridStyle}