Add vulnerabilitiesCountByDay with vulnerability statistics

This change adds new field to Group and InstanceSecurityDashboard types
to fetch statistics about vulnerabilities grouped and aggregated by
date. This also deprecates vulnerabilitiesCountByDayAndSeverity field
that was used before and replaces the usage of that in the application.

doc/api/graphql/reference/gitlab_schema.graphql

@@ -5926,7 +5926,43 @@ type Group {
   ): VulnerabilityConnection
 
   """
-  Number of vulnerabilities per severity level, per day, for the projects in the group and its subgroups
+  Number of vulnerabilities per day for the projects in the group and its subgroups
+  """
+  vulnerabilitiesCountByDay(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Last day for which to fetch vulnerability history
+    """
+    endDate: ISO8601Date!
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+
+    """
+    First day for which to fetch vulnerability history
+    """
+    startDate: ISO8601Date!
+  ): VulnerabilitiesCountByDayConnection
+
+  """
+  Number of vulnerabilities per severity level, per day, for the projects in the
+  group and its subgroups. Deprecated in 13.3: Use `vulnerabilitiesCountByDay`
   """
   vulnerabilitiesCountByDayAndSeverity(
     """
@@ -5958,7 +5994,7 @@ type Group {
     First day for which to fetch vulnerability history
     """
     startDate: ISO8601Date!
-  ): VulnerabilitiesCountByDayAndSeverityConnection
+  ): VulnerabilitiesCountByDayAndSeverityConnection @deprecated(reason: "Use `vulnerabilitiesCountByDay`. Deprecated in 13.3")
 
   """
   Represents vulnerable project counts for each grade
@@ -11552,7 +11588,44 @@ type Query {
   ): VulnerabilityConnection
 
   """
-  Number of vulnerabilities per severity level, per day, for the projects on the current user's instance security dashboard
+  Number of vulnerabilities per day for the projects on the current user's instance security dashboard
+  """
+  vulnerabilitiesCountByDay(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Last day for which to fetch vulnerability history
+    """
+    endDate: ISO8601Date!
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+
+    """
+    First day for which to fetch vulnerability history
+    """
+    startDate: ISO8601Date!
+  ): VulnerabilitiesCountByDayConnection
+
+  """
+  Number of vulnerabilities per severity level, per day, for the projects on the
+  current user's instance security dashboard. Deprecated in 13.3: Use
+  `vulnerabilitiesCountByDay`
   """
   vulnerabilitiesCountByDayAndSeverity(
     """
@@ -11584,7 +11657,7 @@ type Query {
     First day for which to fetch vulnerability history
     """
     startDate: ISO8601Date!
-  ): VulnerabilitiesCountByDayAndSeverityConnection
+  ): VulnerabilitiesCountByDayAndSeverityConnection @deprecated(reason: "Use `vulnerabilitiesCountByDay`. Deprecated in 13.3")
 }
 
 """
@@ -15460,6 +15533,51 @@ enum VisibilityScopesEnum {
   public
 }
 
+"""
+Represents the count of vulnerabilities by severity on a particular day
+"""
+type VulnerabilitiesCountByDay {
+  """
+  Total number of vulnerabilities on a particular day with critical severity
+  """
+  critical: Int!
+
+  """
+  Date for the count
+  """
+  date: ISO8601Date!
+
+  """
+  Total number of vulnerabilities on a particular day with high severity
+  """
+  high: Int!
+
+  """
+  Total number of vulnerabilities on a particular day with info severity
+  """
+  info: Int!
+
+  """
+  Total number of vulnerabilities on a particular day with low severity
+  """
+  low: Int!
+
+  """
+  Total number of vulnerabilities on a particular day with medium severity
+  """
+  medium: Int!
+
+  """
+  Total number of vulnerabilities on a particular day
+  """
+  total: Int!
+
+  """
+  Total number of vulnerabilities on a particular day with unknown severity
+  """
+  unknown: Int!
+}
+
 """
 Represents the number of vulnerabilities for a particular severity on a particular day
 """
@@ -15515,6 +15633,41 @@ type VulnerabilitiesCountByDayAndSeverityEdge {
   node: VulnerabilitiesCountByDayAndSeverity
 }
 
+"""
+The connection type for VulnerabilitiesCountByDay.
+"""
+type VulnerabilitiesCountByDayConnection {
+  """
+  A list of edges.
+  """
+  edges: [VulnerabilitiesCountByDayEdge]
+
+  """
+  A list of nodes.
+  """
+  nodes: [VulnerabilitiesCountByDay]
+
+  """
+  Information to aid in pagination.
+  """
+  pageInfo: PageInfo!
+}
+
+"""
+An edge in a connection.
+"""
+type VulnerabilitiesCountByDayEdge {
+  """
+  A cursor for use in pagination.
+  """
+  cursor: String!
+
+  """
+  The item at the end of the edge.
+  """
+  node: VulnerabilitiesCountByDay
+}
+
 """
 Represents a vulnerability.
 """

doc/api/graphql/reference/index.md

@@ -2294,6 +2294,21 @@ Autogenerated return type of UpdateSnippet
 | ---   |  ---- | ----------  |
 | `createSnippet` | Boolean! | Indicates the user can perform `create_snippet` on this resource |
 
+## VulnerabilitiesCountByDay
+
+Represents the count of vulnerabilities by severity on a particular day
+
+| Name  | Type  | Description |
+| ---   |  ---- | ----------  |
+| `critical` | Int! | Total number of vulnerabilities on a particular day with critical severity |
+| `date` | ISO8601Date! | Date for the count |
+| `high` | Int! | Total number of vulnerabilities on a particular day with high severity |
+| `info` | Int! | Total number of vulnerabilities on a particular day with info severity |
+| `low` | Int! | Total number of vulnerabilities on a particular day with low severity |
+| `medium` | Int! | Total number of vulnerabilities on a particular day with medium severity |
+| `total` | Int! | Total number of vulnerabilities on a particular day |
+| `unknown` | Int! | Total number of vulnerabilities on a particular day with unknown severity |
+
 ## VulnerabilitiesCountByDayAndSeverity
 
 Represents the number of vulnerabilities for a particular severity on a particular day

ee/app/assets/javascripts/security_dashboard/components/first_class_group_security_dashboard.vue

@@ -6,7 +6,7 @@ import Filters from 'ee/security_dashboard/components/first_class_vulnerability_
 import VulnerabilityChart from 'ee/security_dashboard/components/first_class_vulnerability_chart.vue';
 import CsvExportButton from './csv_export_button.vue';
 import VulnerabilitySeverity from './vulnerability_severity.vue';
-import vulnerabilityHistoryQuery from '../graphql/group_vulnerability_history.graphql';
+import vulnerabilityHistoryQuery from '../graphql/group_vulnerability_history.query.graphql';
 import DashboardNotConfigured from './empty_states/group_dashboard_not_configured.vue';
 
 export default {

ee/app/assets/javascripts/security_dashboard/components/first_class_instance_security_dashboard.vue

@@ -10,7 +10,7 @@ import Filters from 'ee/security_dashboard/components/first_class_vulnerability_
 import projectsQuery from 'ee/security_dashboard/graphql/get_instance_security_dashboard_projects.query.graphql';
 import ProjectManager from './first_class_project_manager/project_manager.vue';
 import CsvExportButton from './csv_export_button.vue';
-import vulnerabilityHistoryQuery from '../graphql/instance_vulnerability_history.graphql';
+import vulnerabilityHistoryQuery from '../graphql/instance_vulnerability_history.query.graphql';
 import DashboardNotConfigured from './empty_states/instance_dashboard_not_configured.vue';
 
 export default {

ee/app/assets/javascripts/security_dashboard/components/first_class_vulnerability_chart.vue

@@ -12,7 +12,6 @@ import { SEVERITY_LEVELS } from '../store/constants';
 
 const ISO_DATE = 'isoDate';
 const DAYS = { thirty: 30, sixty: 60, ninety: 90 };
-const MAX_DAY_INTERVAL_ALLOWED_BY_BACKEND = 10;
 
 export default {
   components: {
@@ -33,7 +32,6 @@ export default {
       vulnerabilitiesHistory: {},
       vulnerabilitiesHistoryDayRange: DAYS.thirty,
       errorLoadingVulnerabilitiesHistory: false,
-      currentStartDateCursor: undefined,
     };
   },
   days: Object.values(DAYS),
@@ -62,18 +60,13 @@ export default {
       variables() {
         return {
           fullPath: this.groupFullPath,
-          startDate: formatDate(new Date(this.startDateCursor), ISO_DATE),
+          startDate: formatDate(new Date(this.startDate), ISO_DATE),
           endDate: this.formattedEndDateCursor,
         };
       },
       update(results) {
         return this.processRawData(results);
       },
-      result() {
-        if (this.formattedEndDateCursor !== formatDate(new Date(), ISO_DATE)) {
-          this.currentStartDateCursor = this.endDateCursor;
-        }
-      },
       error() {
         this.errorLoadingVulnerabilitiesHistory = true;
       },
@@ -83,14 +76,8 @@ export default {
     startDate() {
       return Date.now() - DAY_IN_MS * this.vulnerabilitiesHistoryDayRange;
     },
-    startDateCursor() {
-      return this.currentStartDateCursor || this.startDate;
-    },
     endDateCursor() {
-      return Math.min(
-        this.startDateCursor + DAY_IN_MS * (MAX_DAY_INTERVAL_ALLOWED_BY_BACKEND - 1),
-        Date.now(),
-      );
+      return Date.now();
     },
     formattedEndDateCursor() {
       return formatDate(new Date(this.endDateCursor), ISO_DATE);
@@ -124,7 +111,7 @@ export default {
     },
   },
   watch: {
-    startDateCursor() {
+    startDate() {
       this.$apollo.queries.vulnerabilitiesHistory.refetch();
     },
   },
@@ -132,20 +119,22 @@ export default {
     setVulnerabilitiesHistoryDayRange(days) {
       this.vulnerabilitiesHistory = {};
       this.vulnerabilitiesHistoryDayRange = days;
-      this.currentStartDateCursor = undefined;
     },
     processRawData(results) {
-      let { vulnerabilitiesCountByDayAndSeverity } = results;
+      let { vulnerabilitiesCountByDay } = results;
 
       if (this.groupFullPath) {
-        vulnerabilitiesCountByDayAndSeverity = results.group.vulnerabilitiesCountByDayAndSeverity;
+        vulnerabilitiesCountByDay = results.group.vulnerabilitiesCountByDay;
       }
 
-      const vulnerabilitiesData = vulnerabilitiesCountByDayAndSeverity.nodes.reduce(
+      const vulnerabilitiesData = vulnerabilitiesCountByDay.nodes.reduce(
         (acc, v) => {
-          const severity = v.severity.toLowerCase();
-          acc[severity] = acc[severity] || {};
-          acc[severity][v.day] = v.count;
+          const { date, ...severities } = v;
+          Object.keys(severities).forEach(severity => {
+            acc[severity] = acc[severity] || {};
+            acc[severity][date] = v[severity];
+          }, {});
+
           return acc;
         },
         { ...this.vulnerabilitiesHistory },

ee/app/assets/javascripts/security_dashboard/graphql/group_vulnerability_history.graphql → ee/app/assets/javascripts/security_dashboard/graphql/group_vulnerability_history.query.graphql

 query groupVulnerabilityHistory($fullPath: ID!, $startDate: ISO8601Date!, $endDate: ISO8601Date!) {
   group(fullPath: $fullPath) {
-    vulnerabilitiesCountByDayAndSeverity(startDate: $startDate, endDate: $endDate) {
+    vulnerabilitiesCountByDay(startDate: $startDate, endDate: $endDate) {
       nodes {
-        day
-        count
-        severity
+        date
+        critical
+        high
+        medium
+        low
       }
     }
   }

ee/app/assets/javascripts/security_dashboard/graphql/instance_vulnerability_history.graphql → ee/app/assets/javascripts/security_dashboard/graphql/instance_vulnerability_history.query.graphql

 query instanceVulnerabilityHistory($startDate: ISO8601Date!, $endDate: ISO8601Date!) {
-  vulnerabilitiesCountByDayAndSeverity(startDate: $startDate, endDate: $endDate) {
+  vulnerabilitiesCountByDay(startDate: $startDate, endDate: $endDate) {
     nodes {
-      day
-      count
-      severity
+      date
+      critical
+      high
+      medium
+      low
     }
   }
 }

ee/app/graphql/ee/types/group_type.rb

@@ -42,11 +42,18 @@ module EE
               description: 'Vulnerability scanners reported on the project vulnerabilties of the group and its subgroups',
               resolver: ::Resolvers::Vulnerabilities::ScannersResolver
 
+        field :vulnerabilities_count_by_day,
+              ::Types::VulnerabilitiesCountByDayType.connection_type,
+              null: true,
+              description: 'Number of vulnerabilities per day for the projects in the group and its subgroups',
+              resolver: ::Resolvers::VulnerabilitiesCountPerDayResolver
+
         field :vulnerabilities_count_by_day_and_severity,
               ::Types::VulnerabilitiesCountByDayAndSeverityType.connection_type,
               null: true,
               description: 'Number of vulnerabilities per severity level, per day, for the projects in the group and its subgroups',
-              resolver: ::Resolvers::VulnerabilitiesHistoryResolver
+              resolver: ::Resolvers::VulnerabilitiesHistoryResolver,
+              deprecated: { reason: 'Use `vulnerabilitiesCountByDay`', milestone: '13.3' }
 
         field :vulnerability_grades,
               [::Types::VulnerableProjectsByGradeType],

ee/app/graphql/ee/types/query_type.rb

@@ -12,11 +12,18 @@ module EE
               description: "Vulnerabilities reported on projects on the current user's instance security dashboard",
               resolver: ::Resolvers::VulnerabilitiesResolver
 
+        field :vulnerabilities_count_by_day,
+              ::Types::VulnerabilitiesCountByDayType.connection_type,
+              null: true,
+              description: "Number of vulnerabilities per day for the projects on the current user's instance security dashboard",
+              resolver: ::Resolvers::VulnerabilitiesCountPerDayResolver
+
         field :vulnerabilities_count_by_day_and_severity,
               ::Types::VulnerabilitiesCountByDayAndSeverityType.connection_type,
               null: true,
               description: "Number of vulnerabilities per severity level, per day, for the projects on the current user's instance security dashboard",
-              resolver: ::Resolvers::VulnerabilitiesHistoryResolver
+              resolver: ::Resolvers::VulnerabilitiesHistoryResolver,
+              deprecated: { reason: 'Use `vulnerabilitiesCountByDay`', milestone: '13.3' }
 
         field :geo_node, ::Types::Geo::GeoNodeType,
               null: true,

ee/app/graphql/resolvers/vulnerabilities_count_per_day_resolver.rb

+# frozen_string_literal: true
+
+module Resolvers
+  class VulnerabilitiesCountPerDayResolver < VulnerabilitiesBaseResolver
+    type Types::VulnerabilitiesCountByDayType, null: true
+
+    argument :start_date, GraphQL::Types::ISO8601Date, required: true,
+              description: 'First day for which to fetch vulnerability history'
+
+    argument :end_date, GraphQL::Types::ISO8601Date, required: true,
+              description: 'Last day for which to fetch vulnerability history'
+
+    def resolve(**args)
+      return [] unless vulnerable
+
+      vulnerable
+        .vulnerability_historical_statistics
+        .grouped_by_date
+        .aggregated_by_date
+        .between_dates(args[:start_date], args[:end_date])
+        .index_by(&:date)
+        .then { |calendar_entries| generate_missing_dates(calendar_entries, args[:start_date], args[:end_date]) }
+    end
+
+    private
+
+    def generate_missing_dates(calendar_entries, start_date, end_date)
+      severities = ::Vulnerabilities::Finding::SEVERITY_LEVELS.keys
+      (start_date..end_date)
+        .each_with_object({}) { |date, result| result[date] = build_calendar_entry(date, calendar_entries[date], result[date - 1.day]) }
+        .values
+        .map { |calendar_entry| calendar_entry.attributes.slice('date', 'total', *severities) }
+    end
+
+    def build_calendar_entry(date, result_from_current_day, result_from_previous_day)
+      result_from_current_day || build_missing_calendar_entry(date, result_from_previous_day)
+    end
+
+    def build_missing_calendar_entry(date, result_from_previous_day)
+      ::Vulnerabilities::HistoricalStatistic.new(result_from_previous_day&.attributes.to_h.merge(date: date))
+    end
+  end
+end

ee/app/graphql/types/vulnerabilities_count_by_day_type.rb

+# frozen_string_literal: true
+
+module Types
+  # rubocop: disable Graphql/AuthorizeTypes
+  class VulnerabilitiesCountByDayType < BaseObject
+    graphql_name 'VulnerabilitiesCountByDay'
+    description 'Represents the count of vulnerabilities by severity on a particular day'
+
+    field :date, GraphQL::Types::ISO8601Date, null: false,
+          description: 'Date for the count'
+
+    field :total, GraphQL::INT_TYPE, null: false,
+          description: 'Total number of vulnerabilities on a particular day'
+
+    ::Vulnerabilities::Finding::SEVERITY_LEVELS.keys.each do |severity|
+      field severity.to_s, GraphQL::INT_TYPE, null: false,
+            description: "Total number of vulnerabilities on a particular day with #{severity} severity"
+    end
+  end
+end

ee/app/models/ee/group.rb

@@ -342,6 +342,11 @@ module EE
       )
     end
 
+    def vulnerability_historical_statistics
+      ::Vulnerabilities::HistoricalStatistic
+        .for_project(::Project.for_group_and_its_subgroups(self).non_archived.without_deleted)
+    end
+
     def max_personal_access_token_lifetime_from_now
       if max_personal_access_token_lifetime.present?
         max_personal_access_token_lifetime.days.from_now

ee/app/models/instance_security_dashboard.rb

@@ -38,6 +38,12 @@ class InstanceSecurityDashboard
     Vulnerabilities::Scanner.for_projects(projects)
   end
 
+  def vulnerability_historical_statistics
+    return Vulnerabilities::Scanner.none if projects.empty?
+
+    Vulnerabilities::HistoricalStatistic.for_project(projects)
+  end
+
   private
 
   attr_reader :project_ids, :user

ee/app/models/vulnerabilities/historical_statistic.rb

@@ -21,5 +21,18 @@ module Vulnerabilities
     enum letter_grade: Vulnerabilities::Statistic.letter_grades
 
     scope :older_than, ->(days:) { where('"vulnerability_historical_statistics"."date" < now() - interval ?', "#{days} days") }
+    scope :between_dates, -> (start_date, end_date) { where(arel_table[:date].between(start_date..end_date)) }
+    scope :for_project, -> (project) { where(project: project) }
+    scope :aggregated_by_date, -> do
+      select(
+        arel_table[:date],
+        arel_table[:total].sum.as('total'),
+        *Finding::SEVERITY_LEVELS.map { |severity, _| arel_table[severity].sum.as(severity.to_s) }
+      )
+    end
+    scope :grouped_by_date, -> (sort = :asc) do
+      group(:date)
+        .order(date: sort)
+    end
   end
 end

ee/changelogs/unreleased/217811-add-new-type-for-historical-statistics.yml

+---
+title: Add vulnerabilitiesCountByDay to Group and InstanceSecurityDashboard GraphQL
+  API
+merge_request: 38197
+author:
+type: added

ee/changelogs/unreleased/217811-deprecate-vulnerabilities-count-by-day-and-severity.yml

+---
+title: Deprecate vulnerabilitiesCountByDayAndSeverity on Group and InstanceSecurityDashboard GraphQL API
+merge_request: 38197
+author:
+type: deprecated

ee/spec/frontend/security_dashboard/components/first_class_vulnerability_chart_spec.js

@@ -7,11 +7,11 @@ describe('First class vulnerability chart component', () => {
   let wrapper;
 
   const responseData = {
-    vulnerabilitiesCountByDayAndSeverity: {
+    vulnerabilitiesCountByDay: {
       nodes: [
-        { day: '2020-05-18', count: 5, severity: 'MEDIUM' },
-        { day: '2020-05-19', count: 2, severity: 'MEDIUM' },
-        { day: '2020-05-18', count: 2, severity: 'CRITICAL' },
+        { date: '2020-05-18', medium: 5 },
+        { date: '2020-05-19', medium: 2 },
+        { date: '2020-05-18', critical: 2 },
       ],
     },
   };

ee/spec/graphql/resolvers/vulnerabilities_count_per_day_resolver_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::VulnerabilitiesCountPerDayResolver do
+  include GraphqlHelpers
+
+  subject(:ordered_history) { resolve(described_class, obj: group, args: args, ctx: { current_user: user }) }
+
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, namespace: group) }
+  let_it_be(:project_2) { create(:project, namespace: group) }
+  let_it_be(:user) { create(:user) }
+
+  describe '#resolve' do
+    let(:start_date) { Date.new(2019, 10, 15) }
+    let(:end_date) { Date.new(2019, 10, 21) }
+    let(:args) { { start_date: start_date, end_date: end_date } }
+
+    it 'fetches historical vulnerability data from the start date to the end date' do
+      Timecop.freeze(Date.new(2019, 10, 31)) do
+        create(:vulnerability_historical_statistic, date: start_date + 1.day, total: 2, critical: 1, high: 1, project: project)
+        create(:vulnerability_historical_statistic, date: start_date + 2.days, total: 3, critical: 2, high: 1, project: project)
+        create(:vulnerability_historical_statistic, date: start_date + 4.days, total: 1, critical: 1, high: 0, project: project_2)
+
+        expected_history = [
+          { 'total' => 0, 'critical' => 0, 'high' => 0, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date },
+          { 'total' => 2, 'critical' => 1, 'high' => 1, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date + 1.day },
+          { 'total' => 3, 'critical' => 2, 'high' => 1, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date + 2.days },
+          { 'total' => 3, 'critical' => 2, 'high' => 1, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date + 3.days },
+          { 'total' => 1, 'critical' => 1, 'high' => 0, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date + 4.days },
+          { 'total' => 1, 'critical' => 1, 'high' => 0, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => start_date + 5.days },
+          { 'total' => 1, 'critical' => 1, 'high' => 0, 'medium' => 0, 'low' => 0, 'unknown' => 0, 'info' => 0, 'date' => end_date }
+        ].as_json
+
+        expect(ordered_history.as_json).to match_array(expected_history)
+      end
+    end
+  end
+end

ee/spec/graphql/types/vulnerabilities_count_by_day_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['VulnerabilitiesCountByDay'] do
+  it { expect(described_class).to have_graphql_fields(:total, :date, :info, :unknown, :low, :medium, :high, :critical) }
+end

ee/spec/models/group_spec.rb

@@ -335,6 +335,24 @@ RSpec.describe Group do
     end
   end
 
+  describe '#vulnerability_historical_statistics' do
+    subject { group.vulnerability_historical_statistics }
+
+    let(:subgroup) { create(:group, parent: group) }
+    let(:group_project) { create(:project, namespace: group) }
+    let(:subgroup_project) { create(:project, namespace: subgroup) }
+    let(:archived_project) { create(:project, :archived, namespace: group) }
+    let(:deleted_project) { create(:project, pending_delete: true, namespace: group) }
+    let!(:group_vulnerability_historical_statistic) { create(:vulnerability_historical_statistic, project: group_project) }
+    let!(:subgroup_vulnerability_historical_statistic) { create(:vulnerability_historical_statistic, project: subgroup_project) }
+    let!(:archived_vulnerability_historical_statistic) { create(:vulnerability_historical_statistic, project: archived_project) }
+    let!(:deleted_vulnerability_historical_statistic) { create(:vulnerability_historical_statistic, project: deleted_project) }
+
+    it 'returns vulnerability scanners for all non-archived, non-deleted projects in the group and its subgroups' do
+      is_expected.to contain_exactly(group_vulnerability_historical_statistic, subgroup_vulnerability_historical_statistic)
+    end
+  end
+
   describe '#mark_ldap_sync_as_failed' do
     it 'sets the state to failed' do
       group.start_ldap_sync

ee/spec/models/instance_security_dashboard_spec.rb

@@ -138,6 +138,25 @@ RSpec.describe InstanceSecurityDashboard do
     end
   end
 
+  describe '#vulnerability_historical_statistics' do
+    let_it_be(:vulnerability_historical_statistic_1) { create(:vulnerability_historical_statistic, project: project1) }
+    let_it_be(:vulnerability_historical_statistic_2) { create(:vulnerability_historical_statistic, project: project2) }
+
+    context 'when the user cannot read all resources' do
+      it 'returns only vulnerability scanners from projects on their dashboard that they can read' do
+        expect(subject.vulnerability_historical_statistics).to contain_exactly(vulnerability_historical_statistic_1)
+      end
+    end
+
+    context 'when the user can read all resources' do
+      let(:user) { create(:auditor) }
+
+      it "returns vulnerability scanners from all projects on the user's dashboard" do
+        expect(subject.vulnerability_historical_statistics).to contain_exactly(vulnerability_historical_statistic_1, vulnerability_historical_statistic_2)
+      end
+    end
+  end
+
   describe '#full_path' do
     let(:user) { create(:user) }
 

ee/spec/models/vulnerabilities/historical_statistic_spec.rb

@@ -29,4 +29,70 @@ RSpec.describe Vulnerabilities::HistoricalStatistic do
 
     it { is_expected.to match_array([statistic_2, statistic_3]) }
   end
+
+  describe '.between_dates' do
+    let_it_be(:start_date) { Date.new(2020, 8, 11) }
+    let_it_be(:end_date) { Date.new(2020, 8, 13) }
+
+    let_it_be(:historical_statistic_1) { create(:vulnerability_historical_statistic, date: start_date - 1.day) }
+    let_it_be(:historical_statistic_2) { create(:vulnerability_historical_statistic, date: start_date) }
+    let_it_be(:historical_statistic_3) { create(:vulnerability_historical_statistic, date: start_date + 1.day) }
+    let_it_be(:historical_statistic_4) { create(:vulnerability_historical_statistic, date: end_date) }
+
+    subject { described_class.between_dates(start_date, end_date) }
+
+    it { is_expected.to match_array([historical_statistic_2, historical_statistic_3, historical_statistic_4]) }
+    it { is_expected.not_to include(historical_statistic_1) }
+  end
+
+  describe '.for_project' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:other_project) { create(:project) }
+    let_it_be(:historical_statistic_1) { create(:vulnerability_historical_statistic, project: project) }
+    let_it_be(:historical_statistic_2) { create(:vulnerability_historical_statistic, project: other_project) }
+
+    subject { described_class.for_project(project) }
+
+    it { is_expected.to match_array([historical_statistic_1]) }
+  end
+
+  describe '.grouped_by_date' do
+    subject { described_class.grouped_by_date(:asc).count }
+
+    let_it_be(:date_1) { Date.new(2020, 8, 10) }
+    let_it_be(:date_2) { Date.new(2020, 8, 11) }
+
+    let_it_be(:historical_statistic_1) { create(:vulnerability_historical_statistic, date: date_1) }
+    let_it_be(:historical_statistic_2) { create(:vulnerability_historical_statistic, date: date_1) }
+    let_it_be(:historical_statistic_3) { create(:vulnerability_historical_statistic, date: date_2) }
+
+    let(:expected_collection) do
+      {
+        Date.new(2020, 8, 10) => 2,
+        Date.new(2020, 8, 11) => 1
+      }
+    end
+
+    it { is_expected.to match_array(expected_collection) }
+  end
+
+  describe '.aggregated_by_date' do
+    let_it_be(:date_1) { Date.new(2020, 8, 10) }
+    let_it_be(:date_2) { Date.new(2020, 8, 11) }
+
+    let_it_be(:historical_statistic_1) { create(:vulnerability_historical_statistic, date: date_1, total: 21, info: 1, unknown: 2, low: 3, medium: 4, high: 5, critical: 6) }
+    let_it_be(:historical_statistic_2) { create(:vulnerability_historical_statistic, date: date_1, total: 21, info: 1, unknown: 2, low: 3, medium: 4, high: 5, critical: 6) }
+    let_it_be(:historical_statistic_3) { create(:vulnerability_historical_statistic, date: date_2, total: 57, info: 7, unknown: 8, low: 9, medium: 10, high: 11, critical: 12) }
+
+    subject { described_class.grouped_by_date(:asc).aggregated_by_date.as_json }
+
+    let(:expected_collection) do
+      [
+        { 'id' => nil, 'date' => '2020-08-10', 'info' => 2, 'unknown' => 4, 'low' => 6, 'medium' => 8, 'high' => 10, 'critical' => 12, 'total' => 42 },
+        { 'id' => nil, 'date' => '2020-08-11', 'info' => 7, 'unknown' => 8, 'low' => 9, 'medium' => 10, 'high' => 11, 'critical' => 12, 'total' => 57 }
+      ]
+    end
+
+    it { is_expected.to match_array(expected_collection) }
+  end
 end