
SlackPublisher Error logs secret

Open msymons opened this issue 4 years ago • 0 comments

Current Behavior:

When Slack notifications exceed the allowed Rate Limit, the following is logged:

10:51:55.724 ERROR [SlackPublisher] An error was encountered publishing notification to Slack
10:51:55.725 ERROR [SlackPublisher] HTTP Status : 429 Too Many Requests
10:51:55.725 ERROR [SlackPublisher] Destination: https://hooks.slack.com/services/XXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ

That's not the actual URL. I obfuscated it. DT actually logs the full URL.

From Slack Webhooks Documentation

Keep it secret, keep it safe. Your webhook URL contains a secret. Don't share it....

Logging = sharing! A lot of people in my company can view our DT logs.

Steps to Reproduce:

See #1159

Expected Behavior:

The logging should be tweaked so that the Slack Notification is uniquely identifiable... but not using the webhook URL.

Environment:

  • Dependency-Track Version: 4.3.1
  • Distribution: [ Docker ]
  • BOM Format & Version: CycloneDX 1.2
  • Database Server: [PostgreSQL ]
  • Browser: Firefox

Additional Details:

Logging this one separately to #1159 as I am hoping that it should be quick and easy to address.

msymons avatar Aug 21 '21 01:08 msymons
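One way to do what the issue asks for, as an added example that is not code from the issue or from Dependency-Track: log the webhook destination as scheme and host plus a short fingerprint (truncated SHA-256 of the full URL), so each configured webhook stays distinguishable in the logs while the secret path never appears. The example goes a little beyond the Slack case by treating any webhook URL this way, and adds a scrubber for free-form messages (for instance an HTTP client exception that embeds the URL). The function names, the sample URL (the same placeholder the issue shows) and the log-line layout are assumptions for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample: the placeholder URL from the issue text, not a real webhook.
SAMPLE_WEBHOOK = "https://hooks.slack.com/services/XXXXXXXXX/YYYYYYYYY/ZZZZZZZZZZZZZZZZZZZZZZZZ"


def webhook_fingerprint(url: str, length: int = 12) -> str:
    """Stable identifier for a destination URL that is safe to log.

    Truncated SHA-256 of the full URL: enough to tell two configured webhooks
    apart and to correlate repeated failures, without revealing the credential
    embedded in the path. Rotating the webhook yields a new id, which is what
    an operator reading the log would expect.
    """
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:length]


def safe_destination(url: str) -> str:
    """Render a webhook destination for logging: scheme and host only, plus fingerprint.

    Path and query are dropped unconditionally, since for webhook-style
    endpoints (Slack, Teams, Mattermost, ...) that is where the secret lives.
    """
    parts = urlsplit(url)
    scheme = parts.scheme or "<unknown-scheme>"
    host = parts.hostname or "<unknown-host>"
    return f"{scheme}://{host}/... (webhook id {webhook_fingerprint(url)})"


# A Slack incoming-webhook URL embedded in free-form text (e.g. an exception message
# from the HTTP client). Slack path segments are alphanumeric.
_SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9]+"
)


def scrub_message(message: str) -> str:
    """Replace any embedded Slack webhook URL with its safe rendering."""
    return _SLACK_WEBHOOK_RE.sub(lambda m: safe_destination(m.group(0)), message)


def format_publish_error(status: int, reason: str, destination: str) -> list[str]:
    """Build the three log lines the publisher emits, with the destination redacted."""
    return [
        "An error was encountered publishing notification to Slack",
        f"HTTP Status : {status} {reason}",
        f"Destination: {safe_destination(destination)}",
    ]


if __name__ == "__main__":
    for line in format_publish_error(429, "Too Many Requests", SAMPLE_WEBHOOK):
        print(line)
    print(scrub_message(f"request to {SAMPLE_WEBHOOK} failed after 3 retries"))
```

The fingerprint is derived from the whole URL rather than from the last path segment only, so it does not depend on any one provider's URL layout; and because the logged value is a truncated hash, a reader of the logs cannot recover the URL from it. Scrubbing the free-form message is the part that is easy to forget: even if the publisher's own "Destination:" line is fixed, an HTTP client library may still put the request URL into an exception message that ends up in the log.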