- Implemented shared trace ID generation utility for Risk and Vulnerability clients, ensuring consistent trace headers across API calls.
- Updated RiskHttpClient and VulnerabilityHttpClient to utilize the new trace ID generation method.
- Added validation for artifact metadata in PackRun endpoints, ensuring all artifacts include a digest and positive size.
- Enhanced logging payloads in PackRun to include artifact digests and sizes.
- Created a utility for generating trace IDs, preferring crypto.randomUUID when available, with a fallback to a ULID-style string.
- Added unit tests to verify the presence of trace IDs in HTTP requests for VulnerabilityHttpClient.
- Documented query-hash metrics for Vuln Explorer, detailing hashing rules and logging filters to ensure compliance with privacy standards.
- Consolidated findings from late-November reviews into a comprehensive advisory for Scanner and SBOM/VEX areas, outlining remediation tracks and gaps.
Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)

Metrics to emit

- `vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}`
- `vuln_api_payload_bytes_bucket{direction="request|response"}`

Hashing rules

- Hash canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
- Salt: deployment-specific (e.g., `Telemetry:QueryHashSalt`), 32 bytes hex.
- Store only hash; never log raw filters.
- Truncate any string field >128 chars before hashing to control cardinality.

Logging filter

- Drop fields named `email`, `userId`, `principalName`; replace with `[redacted]` before metrics/logging.
- Retain `tenant`, `route`, `status`, `durationMs`, `query_hash`.

Prometheus exemplar tags (optional)

- Add `trace_id` as exemplar if traces enabled; do not add request bodies.

Acceptance checks

- Unit test: hashed query string changes when salt changes; raw query not present in logs.
- Prometheus snapshot test: scrape and assert presence of `vuln_query_hashes_total` and payload histograms.