Improve logging for notification publishing #3211
Merged: nscuro merged 9 commits into DependencyTrack:master from nscuro:improve-notification-logging on Nov 21, 2023
Conversation
nscuro force-pushed the improve-notification-logging branch from f0e6de6 to 3ef7fdf on November 17, 2023 15:23
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Also add more debug logs for notification routing, and masking of destination URL for Slack.
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Webhook destination URLs contain secrets with high likelihood (e.g. Slack, Mattermost, MS Teams do). We could sanitize the URLs before logging them, but we cannot foresee all the various (and potentially custom) formats. So it's better to not log it at all. Given the applicable rule's name is logged, users can simply check the rule's configuration in case the destination URL is needed.
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro force-pushed the improve-notification-logging branch from 9d9fd29 to 1058fb3 on November 20, 2023 18:44
Thanks, looks good from what I can see on source code level!
Description
It's hard to debug missing notifications, because Dependency-Track only logs something when an error occurred during notification publishing. Further, error logs currently do not contain any information about the notification or alert rule involved, making it harder to pinpoint where something is broken.
This PR adds more information to log messages emitted during publishing. This is done in form of PublishContext, which includes:
- NEW_VULNERABILITY
- INFORMATIONAL
- PORTFOLIO

Example log message:
This is a backport from Hyades, which already has this functionality: https://github.com/DependencyTrack/hyades/blob/v0.2.0/notification-publisher/src/main/java/org/hyades/notification/publisher/PublishContext.java
Addressed Issue
https://owasp.slack.com/archives/C6R3R32H4/p1699978082979659
TODOs
- Implement mechanism to mask sensitive parts of destination URLs (e.g. for Slack Webhook URLs)
Additional Details
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have added corresponding update logic
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
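The following is an added Python sketch of the design described in this PR and in the "Webhook destination URLs contain secrets" commit message; it is not the PR's own Java code and not Dependency-Track's PublishContext. It mirrors the idea of carrying notification metadata (group, level, scope, rule name) into every publish log line while leaving the destination URL out entirely, and it shows why a pattern-based masker is not a substitute: a masker that knows Slack's path layout leaves a differently shaped webhook URL unmasked. The AlertRule class, its field names, the log line format and both webhook URLs are constructed for this example.

```python
import logging
import re
from dataclasses import dataclass
from typing import Optional

logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")

# Constructed sample webhook URLs (placeholder host and secret, not real endpoints).
SLACK_STYLE_URL = "https://hooks.example.invalid/services/T0000000/B0000000/PLACEHOLDERSECRET"
CUSTOM_STYLE_URL = "https://hooks.example.invalid/notify?token=PLACEHOLDERSECRET"
PLACEHOLDER_SECRET = "PLACEHOLDERSECRET"


@dataclass(frozen=True)
class AlertRule:
    """Hypothetical alert rule: a name, a publisher type and a webhook URL that embeds a secret."""
    name: str
    publisher: str
    destination_url: str


@dataclass(frozen=True)
class PublishContext:
    """Metadata carried through one publish attempt.

    The destination URL is deliberately not a field here: the rule name is logged
    instead, and an operator can look the URL up in the rule's configuration.
    """
    notification_group: str   # constructed example value: NEW_VULNERABILITY
    notification_level: str   # constructed example value: INFORMATIONAL
    notification_scope: str   # constructed example value: PORTFOLIO
    rule_name: Optional[str] = None

    def log_prefix(self) -> str:
        """Render the context as a bracketed key=value prefix for log lines."""
        parts = [
            f"group={self.notification_group}",
            f"level={self.notification_level}",
            f"scope={self.notification_scope}",
        ]
        if self.rule_name is not None:
            parts.append(f"rule={self.rule_name}")
        return "[" + " ".join(parts) + "]"

    def with_rule(self, rule: AlertRule) -> "PublishContext":
        """Return a copy enriched with the rule that matched during routing."""
        return PublishContext(self.notification_group, self.notification_level,
                              self.notification_scope, rule.name)


def format_publish_message(ctx: PublishContext, text: str) -> str:
    """Build the full log line: context prefix first, then the free-text message."""
    return f"{ctx.log_prefix()} {text}"


def mask_slack_style(url: str) -> str:
    """Naive masking that only understands Slack's /services/<A>/<B>/<secret> layout.

    Any other layout (query-string tokens, custom paths) passes through untouched,
    which is exactly why the PR chose to omit the URL rather than sanitize it.
    """
    return re.sub(r"(/services/[^/]+/[^/]+/)[^/?#]+", r"\1***", url)


def leaks_secret(line: str, secret: str) -> bool:
    """True if the rendered log line still contains the secret substring."""
    return secret in line


def simulate_publish(rule: AlertRule, delivered: bool) -> str:
    """Emit and return the log line for one publish attempt; the URL never appears."""
    base = PublishContext("NEW_VULNERABILITY", "INFORMATIONAL", "PORTFOLIO")
    ctx = base.with_rule(rule)
    log = logging.getLogger("publisher")
    if delivered:
        line = format_publish_message(ctx, f"Published notification via {rule.publisher}")
        log.info(line)
    else:
        line = format_publish_message(ctx, f"Failed to publish notification via {rule.publisher}")
        log.error(line)
    return line


if __name__ == "__main__":
    rule = AlertRule("slack-alerts", "Slack", CUSTOM_STYLE_URL)
    simulate_publish(rule, delivered=False)
    print("masked slack-style :", mask_slack_style(SLACK_STYLE_URL))
    print("masked custom-style:", mask_slack_style(CUSTOM_STYLE_URL))
```

The design choice worth noting is in `simulate_publish`: the context is built once per notification and only gains the rule name when routing matches a rule, so both success and failure lines carry enough to locate the rule without ever touching `rule.destination_url`.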