feat: Enhance traceability and logging in Risk and Vulnerability clients

- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
This commit is contained in:
StellaOps Bot
2025-12-02 19:24:26 +02:00
parent 76ecea482e
commit acbb0ff637
20 changed files with 186 additions and 71 deletions


@@ -0,0 +1,22 @@
# Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)
## Metrics to emit
- `vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}`
- `vuln_api_payload_bytes_bucket{direction="request|response"}`
## Hashing rules
- Hash canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
- Salt: deployment-specific (e.g., `Telemetry:QueryHashSalt`), 32 bytes hex.
- Store only hash; never log raw filters.
- Truncate any string field >128 chars before hashing to control cardinality.
## Logging filter
- Drop fields named `email`, `userId`, `principalName`; replace with `[redacted]` before metrics/logging.
- Retain `tenant`, `route`, `status`, `durationMs`, `query_hash`.
## Prometheus exemplar tags (optional)
- Add `trace_id` as exemplar if traces enabled; do not add request bodies.
## Acceptance checks
- Unit test: hashed query string changes when salt changes; raw query not present in logs.
- Prometheus snapshot test: scrape and assert presence of `vuln_query_hashes_total` and payload histograms.
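Review bot: The "Hashing rules" section leaves the salt construction unspecified: "Hash canonicalised query body ... with SHA-256" plus "Salt: deployment-specific ... 32 bytes hex" does not say whether the salt is prepended, appended, or used as a key, and two implementations (RiskHttpClient vs. VulnerabilityHttpClient side) could produce incompatible `query_hash` values for the same query. Suggest stating it explicitly, e.g. `query_hash = hex(HMAC-SHA-256(key = salt_bytes, msg = canonical_body))`, and adding to the canonicalisation rule how nested objects and arrays are ordered, since "sorted keys" alone is ambiguous for them; the acceptance check "hashed query string changes when salt changes" should then be joined by a second unit test asserting that the same query with keys in a different order hashes identically. Separately, `vuln_query_hashes_total{tenant,query_hash,...}` uses the hash itself as a label, so series cardinality grows with the number of distinct queries per tenant; the 128-char truncation bounds the input size, not the number of distinct hashes, so the spec should state an expected bound or a retention/aggregation strategy for that label.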