DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Slack notifications are not sent except BOM Consumed and BOM Processed #3742

Closed arunkumarr-3 closed 1 month ago

arunkumarr-3 commented 1 month ago

Current Behavior

Hi,

I was trying to create a Slack alert for the Policy Violation, Audit Change and New Vulnerability Identified notifications, but Dependency-Track is not pushing any notifications. While analysing the logs, I found the following:

```
Destination responded with with status code 400, likely indicating a processing failure (PublishContext{notificationGroup=POLICY_VIOLATION, notificationLevel=INFORMATIONAL, notificationScope=PORTFOLIO, notificationTimestamp=2024-05-21T17:09:23.602580544Z, notificationSubjects={component=Component[uuid=a3502af8-24df-4f8f-accc-4fdd49f3697a, group=null, name=redacted, version=redacted], project=Project[uuid=9c617a7a-fd4d-4132-90a6-bf14d30b7e47, name=redacted, version=null]}, ruleName=Violation, ruleScope=PORTFOLIO, ruleLevel=INFORMATIONAL})
```

The same log message appears for all other notifications except BOM Consumed and BOM Processed; for both of these I am able to get the respective Slack notifications.

Dependency-Track version: v4.10.1
Setup: Docker container
DB: AWS RDS, Aurora Postgres

Steps to Reproduce

1. Create a policy violation.
2. Configure the Slack webhook link in the Slack alert.
3. Create a Slack notification for the Policy Violation.
4. Now feed the SBOM to Dependency-Track; you will get a policy violations count in the project dashboard.
5. Check Slack; you will not get the notification.

Expected Behavior

Need to get notified for Policy Violation and New Vulnerability Identified through Slack.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16.2

Browser

Google Chrome

nscuro commented 1 month ago

We log the response headers and body from Slack in DEBUG level. You can enable debug logging by passing the LOGGING_LEVEL=DEBUG environment variable.

Debug logs will be quite noisy, you can grep / filter for SlackPublisher to narrow it down to just the Slack-related stuff.

Knowing why they reject the notifications would be helpful to resolve the issue.

arunkumarr-3 commented 1 month ago

Hi @nscuro, thanks for taking this up. I have done the above-mentioned things and now I get the following logs:

```
2024-05-24 09:08:02,260 WARN [SlackPublisher] Destination responded with with status code 400, likely indicating a processing failure (PublishContext{notificationGroup=POLICY_VIOLATION, notificationLevel=INFORMATIONAL, notificationScope=PORTFOLIO, notificationTimestamp=2024-05-24T09:07:52.426113846Z, notificationSubjects={component=Component[uuid=12284c58-bc90-4a25-b463-cfbd70ec0d40, group=null, name=wmi-lite, version=1.0.7], project=Project[uuid=116f05fb-5656-4cc5-bdb1-1557941e3b83, name=redacted, version=null]}, ruleName=test, ruleScope=PORTFOLIO, ruleLevel=INFORMATIONAL})
2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response headers: date: Fri, 24 May 2024 09:08:02 GMT
2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response body: invalid_blocks
```

Please let me know if any additional information is required.

nscuro commented 1 month ago

Thanks for checking. Sadly that doesn't really tell us what exactly is wrong. I think someone will need to manually debug under what conditions exactly this is happening.

arunkumarr-3 commented 1 month ago

I think there is a template issue, but I am not yet confident enough to say so. I came across this issue https://github.com/DependencyTrack/dependency-track/issues/3170 which seems similar to my problem, but even working with the updated template I faced the same issue.

Hoping to get the solution to fix it :)

nscuro commented 1 month ago

We have tests that assert the JSON we send to Slack, you can find it here:

https://github.com/DependencyTrack/dependency-track/blob/master/src/test/java/org/dependencytrack/notification/publisher/SlackPublisherTest.java

arunkumarr-3 commented 1 month ago

Thanks. Based on this I will try to recreate the template and check whether it addresses my issue.

nscuro commented 1 month ago

I did some manual testing with a bare-bones Dependency-Track installation, where nothing but the Slack alert is configured.

This is a Webhook that was rejected with invalid_blocks:

Invalid Payload

```json
{
  "blocks": [
    {
      "type": "header",
      "text": { "type": "plain_text", "text": "New Vulnerability" }
    },
    {
      "type": "context",
      "elements": [
        { "text": "*INFORMATIONAL* | *PORTFOLIO*", "type": "mrkdwn" }
      ]
    },
    { "type": "divider" },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        { "type": "mrkdwn", "text": "*VulnID*" },
        { "type": "plain_text", "text": "CVE-2022-29117" },
        { "type": "mrkdwn", "text": "*Severity*" },
        { "type": "plain_text", "text": "HIGH" },
        { "type": "mrkdwn", "text": "*Source*" },
        { "type": "plain_text", "text": "NVD" },
        { "type": "mrkdwn", "text": "*Component*" },
        { "type": "plain_text", "text": "pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64@5.0.7" }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": { "type": "plain_text", "text": "View Vulnerability" },
          "action_id": "actionId-1",
          "url": "/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": { "type": "plain_text", "text": "View Component" },
          "action_id": "actionId-2",
          "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}
```

The JSON is valid, and according to Slack's documentation it's not using any unknown or otherwise invalid blocks.

However, notice how the url field at the bottom only has a path, not a full URL. The URLs are supposed to link back to your Dependency-Track instance. The base URL is configured in the settings:

[screenshot: the base URL setting in the Dependency-Track configuration]

After configuring the base URL (e.g. to http://localhost:8080), all notifications are sent successfully. It seems Slack is validating the URLs being sent.

For reference, this payload is accepted by Slack:

Valid Payload

```json
{
  "blocks": [
    {
      "type": "header",
      "text": { "type": "plain_text", "text": "New Vulnerability" }
    },
    {
      "type": "context",
      "elements": [
        { "text": "*INFORMATIONAL* | *PORTFOLIO*", "type": "mrkdwn" }
      ]
    },
    { "type": "divider" },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        { "type": "mrkdwn", "text": "*VulnID*" },
        { "type": "plain_text", "text": "CVE-2022-29117" },
        { "type": "mrkdwn", "text": "*Severity*" },
        { "type": "plain_text", "text": "HIGH" },
        { "type": "mrkdwn", "text": "*Source*" },
        { "type": "plain_text", "text": "NVD" },
        { "type": "mrkdwn", "text": "*Component*" },
        { "type": "plain_text", "text": "pkg:nuget/Microsoft.AspNetCore.App.Runtime.linux-x64@5.0.7" }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": { "type": "plain_text", "text": "View Vulnerability" },
          "action_id": "actionId-1",
          "url": "http://localhost:8080/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": { "type": "plain_text", "text": "View Component" },
          "action_id": "actionId-2",
          "url": "http://localhost:8080/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}
```

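
The root cause above is a relative `url` in the Block Kit button elements, which Slack rejects with `invalid_blocks`. The following Python pre-send check is an added example, not code from Dependency-Track or from anyone in this thread: it walks a Block Kit payload, flags every button `url` that is not an absolute http(s) URL, and shows how resolving those paths against a configured base URL yields the shape Slack accepted. The payload is constructed from the rejected one quoted above, trimmed to the blocks the check needs; the handling of a `section` block's accessory button goes beyond the thread's case and is a generalisation.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample: the payload Slack rejected with "invalid_blocks" in the
# comment above, trimmed to the blocks this check needs.
REJECTED_PAYLOAD = {
    "blocks": [
        {"type": "header", "text": {"type": "plain_text", "text": "New Vulnerability"}},
        {"type": "divider"},
        {
            "type": "actions",
            "elements": [
                {
                    "type": "button",
                    "text": {"type": "plain_text", "text": "View Vulnerability"},
                    "action_id": "actionId-1",
                    "url": "/vulnerabilities/NVD/CVE-2022-29117",
                },
                {
                    "type": "button",
                    "text": {"type": "plain_text", "text": "View Component"},
                    "action_id": "actionId-2",
                    "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb",
                },
            ],
        },
    ]
}


def iter_buttons(payload):
    """Yield every button element that carries a url: buttons inside
    `actions` blocks, plus a `section` block's accessory button."""
    for block in payload.get("blocks", []):
        if block.get("type") == "actions":
            for element in block.get("elements", []):
                if element.get("type") == "button" and "url" in element:
                    yield element
        elif block.get("type") == "section":
            accessory = block.get("accessory") or {}
            if accessory.get("type") == "button" and "url" in accessory:
                yield accessory


def find_relative_button_urls(payload):
    """Return (action_id, url) for each button url that is not an absolute
    http(s) URL, i.e. the shape Slack answered 400 invalid_blocks for above."""
    offenders = []
    for button in iter_buttons(payload):
        parts = urlsplit(button["url"])
        if parts.scheme not in ("http", "https") or not parts.netloc:
            offenders.append((button.get("action_id"), button["url"]))
    return offenders


def absolutize_button_urls(payload, base_url):
    """Return a deep copy in which scheme-less button urls are resolved against
    base_url, mirroring what a configured base URL gives. A base URL with a
    path prefix (https://host/dtrack) is preserved in the result."""
    fixed = json.loads(json.dumps(payload))  # deep copy; the input is untouched
    root = base_url.rstrip("/") + "/"
    for button in iter_buttons(fixed):
        if not urlsplit(button["url"]).scheme:
            button["url"] = urljoin(root, button["url"].lstrip("/"))
    return fixed


if __name__ == "__main__":
    print("relative button urls:", find_relative_button_urls(REJECTED_PAYLOAD))
    repaired = absolutize_button_urls(REJECTED_PAYLOAD, "http://localhost:8080")
    print("after fix:", find_relative_button_urls(repaired))
    print(json.dumps(repaired["blocks"][-1], indent=2))
```

Slack's own validation cannot be reproduced offline, so this only catches the failure mode seen in this thread; a response body logged at DEBUG can be compared against the payload by loading the JSON with `json.loads` and passing it to `find_relative_button_urls`.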
arunkumarr-3 commented 1 month ago

Thanks very much, it worked :)

github-actions[bot] commented 2 weeks ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.