
Slack notifications are not sent, except for BOM Consumed and BOM Processed

Open arunkumarr-3 opened this issue 1 year ago • 5 comments

Current Behavior

Hi,

I was trying to create a Slack alert for the Policy Violation, Audit Change and New Vulnerability Identified notifications, but Dependency-Track is not pushing any notifications. While analysing the logs, I got the following.

Destination responded with with status code 400, likely indicating a processing failure (PublishContext{notificationGroup=POLICY_VIOLATION, notificationLevel=INFORMATIONAL, notificationScope=PORTFOLIO, notificationTimestamp=2024-05-21T17:09:23.602580544Z, notificationSubjects={component=Component[uuid=a3502af8-24df-4f8f-accc-4fdd49f3697a, group=null, name=redacted, version=redacted], project=Project[uuid=9c617a7a-fd4d-4132-90a6-bf14d30b7e47, name=redacted, version=null]}, ruleName=Violation, ruleScope=PORTFOLIO, ruleLevel=INFORMATIONAL})

The same log message appears for all other notifications except BOM Consumed and BOM Processed; for both of these I am able to get the respective Slack notifications.

Dependency-Track version: v4.10.1
Setup: Docker container
DB: AWS RDS, Aurora Postgres

Steps to Reproduce

1. Create a policy violation.
2. Configure the Slack webhook link in the Slack alert.
3. Create a Slack notification for the policy violation.
4. Now feed the SBOM to Dependency-Track; you will get the policy violation count in the project dashboard.
5. Check Slack; you will not get the notification.

Expected Behavior

Need to get notified of policy violations and newly identified vulnerabilities through Slack.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16.2

Browser

Google Chrome


arunkumarr-3 avatar May 22 '24 06:05 arunkumarr-3

We log the response headers and body from Slack in DEBUG level. You can enable debug logging by passing the LOGGING_LEVEL=DEBUG environment variable.

Debug logs will be quite noisy; you can grep / filter for SlackPublisher to narrow it down to just the Slack-related stuff.

Knowing why they reject the notifications would be helpful to resolve the issue.

nscuro avatar May 24 '24 08:05 nscuro

Hi @nscuro, thanks for taking this up. I have done the above-mentioned things and now I get the following logs:

2024-05-24 09:08:02,260 WARN [SlackPublisher] Destination responded with with status code 400, likely indicating a processing failure (PublishContext{notificationGroup=POLICY_VIOLATION, notificationLevel=INFORMATIONAL, notificationScope=PORTFOLIO, notificationTimestamp=2024-05-24T09:07:52.426113846Z, notificationSubjects={component=Component[uuid=12284c58-bc90-4a25-b463-cfbd70ec0d40, group=null, name=wmi-lite, version=1.0.7], project=Project[uuid=116f05fb-5656-4cc5-bdb1-1557941e3b83, name=redacted, version=null]}, ruleName=test, ruleScope=PORTFOLIO, ruleLevel=INFORMATIONAL})

2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response headers: date: Fri, 24 May 2024 09:08:02 GMT
2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response body: invalid_blocks

Please let me know if any additional information is required.

arunkumarr-3 avatar May 24 '24 09:05 arunkumarr-3

Thanks for checking. Sadly that doesn't really tell us what exactly is wrong. I think someone will need to manually debug under what conditions exactly this is happening.

nscuro avatar May 24 '24 10:05 nscuro

I think there is a template issue, but I am not confident enough yet to say so. I came across this issue https://github.com/DependencyTrack/dependency-track/issues/3170 which seems similar to my problem, but even with the updated template I faced the same issue.

Hoping to get the solution to fix it :)

arunkumarr-3 avatar May 24 '24 10:05 arunkumarr-3

We have tests that assert the JSON we send to Slack; you can find them here:

https://github.com/DependencyTrack/dependency-track/blob/master/src/test/java/org/dependencytrack/notification/publisher/SlackPublisherTest.java

nscuro avatar May 24 '24 11:05 nscuro

Thanks. Based on this I will try to re-create the template and check whether it addresses my issue.

arunkumarr-3 avatar May 27 '24 06:05 arunkumarr-3

I did some manual testing with a bare-bones Dependency-Track installation, where nothing but the Slack alert is configured.

This is a Webhook that was rejected with invalid_blocks:

Invalid Payload
{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "New Vulnerability"
      }
    },
    {
      "type": "context",
      "elements": [
        {
          "text": "*INFORMATIONAL*  |  *PORTFOLIO*",
          "type": "mrkdwn"
        }
      ]
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*VulnID*"
        },
        {
          "type": "plain_text",
          "text": "CVE-2022-29117"
        },
        {
          "type": "mrkdwn",
          "text": "*Severity*"
        },
        {
          "type": "plain_text",
          "text": "HIGH"
        },
        {
          "type": "mrkdwn",
          "text": "*Source*"
        },
        {
          "type": "plain_text",
          "text": "NVD"
        },
        {
          "type": "mrkdwn",
          "text": "*Component*"
        },
        {
          "type": "plain_text",
          "text": "pkg:nuget/[email protected]"
        }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Vulnerability"
          },
          "action_id": "actionId-1",
          "url": "/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Component"
          },
          "action_id": "actionId-2",
          "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}

The JSON is valid, and according to Slack's documentation it's not using any unknown or otherwise invalid blocks.

However, notice how the url field at the bottom only has a path, not a full URL. The URLs are supposed to link back to your Dependency-Track instance. The base URL is configured in the settings:

[screenshot: the base URL setting in the Dependency-Track configuration]

After configuring the base URL (e.g. to http://localhost:8080), all notifications are sent successfully. It seems Slack is validating the URLs being sent.

For reference, this payload is accepted by Slack:

Valid Payload
{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "New Vulnerability"
      }
    },
    {
      "type": "context",
      "elements": [
        {
          "text": "*INFORMATIONAL*  |  *PORTFOLIO*",
          "type": "mrkdwn"
        }
      ]
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*VulnID*"
        },
        {
          "type": "plain_text",
          "text": "CVE-2022-29117"
        },
        {
          "type": "mrkdwn",
          "text": "*Severity*"
        },
        {
          "type": "plain_text",
          "text": "HIGH"
        },
        {
          "type": "mrkdwn",
          "text": "*Source*"
        },
        {
          "type": "plain_text",
          "text": "NVD"
        },
        {
          "type": "mrkdwn",
          "text": "*Component*"
        },
        {
          "type": "plain_text",
          "text": "pkg:nuget/[email protected]"
        }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Vulnerability"
          },
          "action_id": "actionId-1",
          "url": "http://localhost:8080/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Component"
          },
          "action_id": "actionId-2",
          "url": "http://localhost:8080/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}

nscuro avatar Jun 01 '24 14:06 nscuro
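A pre-flight check for this failure mode, added here as an example; it is not part of the thread or of Dependency-Track's own code. It walks a Block Kit payload (a constructed excerpt of the rejected payload above), reports button urls that are bare paths, and shows that resolving them against the configured base URL yields the absolute URLs Slack accepted.

```python
import copy
import json
from urllib.parse import urljoin, urlsplit

# Constructed excerpt of the payload Slack rejected with invalid_blocks:
# the button urls are paths only, because no base URL was configured.
REJECTED_PAYLOAD = json.loads("""
{
  "blocks": [
    {"type": "header", "text": {"type": "plain_text", "text": "New Vulnerability"}},
    {"type": "actions", "elements": [
      {"type": "button", "text": {"type": "plain_text", "text": "View Vulnerability"},
       "action_id": "actionId-1", "url": "/vulnerabilities/NVD/CVE-2022-29117"},
      {"type": "button", "text": {"type": "plain_text", "text": "View Component"},
       "action_id": "actionId-2", "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"}
    ]}
  ]
}
""")


def relative_button_urls(payload):
    """Return (action_id, url) for every button whose url lacks an http(s) scheme and host."""
    bad = []
    for block in payload.get("blocks", []):
        if block.get("type") != "actions":
            continue
        for element in block.get("elements", []):
            url = element.get("url")
            if element.get("type") != "button" or url is None:
                continue
            parts = urlsplit(url)
            if not (parts.scheme in ("http", "https") and parts.netloc):
                bad.append((element.get("action_id"), url))
    return bad


def with_base_url(payload, base_url):
    """Return a copy of the payload with each button url resolved against base_url.
    Already-absolute urls are left unchanged, so the call is idempotent."""
    fixed = copy.deepcopy(payload)
    for block in fixed.get("blocks", []):
        if block.get("type") != "actions":
            continue
        for element in block.get("elements", []):
            if element.get("type") == "button" and "url" in element:
                element["url"] = urljoin(base_url.rstrip("/") + "/", element["url"].lstrip("/"))
    return fixed


if __name__ == "__main__":
    print("relative urls before:", relative_button_urls(REJECTED_PAYLOAD))
    print("relative urls after: ", relative_button_urls(with_base_url(REJECTED_PAYLOAD, "http://localhost:8080")))
```

Running the check against a notification template before pointing it at a webhook turns the opaque invalid_blocks response into a concrete list of offending fields.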

Thanks very much, it worked :)

arunkumarr-3 avatar Jun 01 '24 16:06 arunkumarr-3

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Jul 02 '24 10:07 github-actions[bot]