microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

SBOM API will show `information` logs when verbosity is set to be more restrictive #616

Open gustavoaca1997 opened 4 months ago

gustavoaca1997 commented 4 months ago

Even though we are setting the verbosity to values like Warning, Fatal or Error, we still see the information logs:

##[information]Finished execution of the Generate workflow SBOMTelemetry {Result=Success, Errors=ErrorContainer`1 {Count=0, Errors=[]}, Parameters=Configuration {BuildDropPath=ConfigurationSetting`1 {Value="bin\\debug\\net8.0\\", Source=SBOMApi, IsDefaultSource=False}, BuildComponentPath=ConfigurationSetting`1 {Value="C:\\Users\\gustavoca\\Repos\\github\\GenerateSbomTest\\GenerateSBOMTest", Source=SBOMApi, IsDefaultSource=False}, BuildListFile=null, ManifestPath=null, ManifestDirPath=ConfigurationSetting`1 {Value="bin\\debug\\net8.0\\_manifest", Source=Default, IsDefaultSource=True}, OutputPath=null, Parallelism=ConfigurationSetting`1 {Value=8, Source=SBOMApi, IsDefaultSource=False}, **Verbosity=ConfigurationSetting`1 {Value=Fatal**, Source=SBOMApi, IsDefaultSource=False}, ConfigFilePath=null, ManifestInfo=ConfigurationSetting`1 {Value=[ManifestInfo {Name="SPDX", Version="2.2"}], Source=SBOMApi, IsDefaultSource=False}, HashAlgorithm=null, RootPathFilter=null, CatalogFilePath=null, ValidateSignature=null, IgnoreMissing=null, ManifestToolAction=Generate, PackageName=ConfigurationSetting`1 {Value="GenerateSBOMTest", Source=SBOMApi, IsDefaultSource=False}, PackageVersion=ConfigurationSetting`1 {Value="1.0.0", Source=SBOMApi, IsDefaultSource=False}, PackageSupplier=ConfigurationSetting`1 {Value="Microsoft,Github", Source=SBOMApi, IsDefaultSource=False}, FilesList=null, PackagesList=null, TelemetryFilePath=null, DockerImagesToScan=null, ExternalDocumentReferenceListFile=null, AdditionalComponentDetectorArgs=null, NamespaceUriUniquePart=ConfigurationSetting`1 {Value=null, Source=SBOMApi, IsDefaultSource=False}, NamespaceUriBase=ConfigurationSetting`1 {Value="http://spdx.org/spdxdocs/GenerateSBOMTest", Source=SBOMApi, IsDefaultSource=False}, GenerationTimestamp=ConfigurationSetting`1 {Value=null, Source=SBOMApi, IsDefaultSource=False}, FollowSymlinks=ConfigurationSetting`1 {Value=True, Source=SBOMApi, IsDefaultSource=False}, 
DeleteManifestDirIfPresent=ConfigurationSetting`1 {Value=True, Source=SBOMApi, IsDefaultSource=False}, FailIfNoPackages=null, FetchLicenseInformation=null, EnablePackageMetadataParsing=null, SbomPath=null, SbomDir=null}, SBOMFormatsUsed=[SBOMFile {SbomFormatName=ManifestInfo {Name="SPDX", Version="2.2"}, SbomFilePath="bin\\debug\\net8.0\\_manifest\\spdx_2.2\\manifest.spdx.json", FileSizeInBytes=6037, TotalNumberOfPackages=2}], Timings=[Timing {EventName="Metadata build time for SPDX:2.2 format", TimeSpan="00:00:00.0059317"}, Timing {EventName="Relationships generation time", TimeSpan="00:00:00.0037158"}, Timing {EventName="External document reference generation time", TimeSpan="00:00:00.0034377"}, Timing {EventName="Packages generation time", TimeSpan="00:00:00.0363482"}, Timing {EventName="Files generation time", TimeSpan="00:00:00.4777338"}, Timing {EventName="Total generation time", TimeSpan="00:00:00.5764000"}], Switches={["DeleteManifestDirIfPresent"]=False}, Exceptions={}, APIExceptions={}, MetadataExceptions={}, TotalLicensesDetected=0, PackageDetailsEntries=0}

bstadick commented 11 hours ago

This issue is a major detriment for using the msbuild tasks as it prints a bunch of extra info and clutters the log and console. It also seems to print this messy table to the console, but that seems to be controlled separately from the logging level.

Image

The core of the issue seems to be with `Microsoft.Sbom.Extensions.DependencyInjection.ServiceCollectionExtensions.AddSbomTool()`, which takes in a Serilog `LogEventLevel` which by default is set to the information level. There is also the `AddSbomConfiguration` method, but that doesn't seem to be used in the tools currently.

The two uses of the `AddSbomTool` method in `Microsoft.Sbom.Targets.GenerateSbom` and `Microsoft.Sbom.Tool.Program` do not pass a log level value to the method. So I can only guess that is the cause for the verbosity level on the command line or the msbuild task always being information level.

I'm not familiar enough with the use of `IHost` and this tool's architecture to come up with a solution, but just hard-coding the log level to warning in the `AddSbomTool` calls at least stops printing the information level messages. This proves the likelihood that this is the cause of the underlying issue.

The table shown above is still being printed and I haven't been able to track down where that is being generated in the code.
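
An added illustration of the pattern described in the comment above (not part of the thread and not sbom-tool's code): a Serilog logger built from an optional level parameter that defaults to Information ignores a stricter configured verbosity unless the caller forwards it. `BuildLogger`, `CollectingSink` and `Demo` are hypothetical names and the configured value is constructed; only the Serilog calls are real API.

```csharp
// Added example; BuildLogger, CollectingSink and Demo are hypothetical, not sbom-tool code.
using System;
using System.Collections.Generic;
using Serilog;
using Serilog.Core;
using Serilog.Events;

// Sink that records events so the effect of the minimum level is observable.
sealed class CollectingSink : ILogEventSink
{
    public List<LogEvent> Events { get; } = new();
    public void Emit(LogEvent logEvent) => Events.Add(logEvent);
}

static class Demo
{
    // Same shape as the registration described in the thread: the level is an
    // optional parameter that falls back to Information when the caller omits it.
    static ILogger BuildLogger(ILogEventSink sink, LogEventLevel logLevel = LogEventLevel.Information) =>
        new LoggerConfiguration().MinimumLevel.Is(logLevel).WriteTo.Sink(sink).CreateLogger();

    static void Main()
    {
        var configuredVerbosity = LogEventLevel.Fatal; // constructed: what the user asked for

        // Caller omits the argument: the configured verbosity never reaches Serilog.
        var leaky = new CollectingSink();
        BuildLogger(leaky).Information("Finished execution of the Generate workflow");
        Console.WriteLine($"default level: {leaky.Events.Count} event(s) emitted");

        // Caller forwards the configured verbosity: the Information event is dropped.
        var quiet = new CollectingSink();
        BuildLogger(quiet, configuredVerbosity).Information("Finished execution of the Generate workflow");
        Console.WriteLine($"forwarded level: {quiet.Events.Count} event(s) emitted");

        // If the verbosity is only known after the logger exists, a LoggingLevelSwitch
        // lets the minimum level be tightened once the configuration is resolved.
        var levelSwitch = new LoggingLevelSwitch(LogEventLevel.Information);
        var late = new CollectingSink();
        var logger = new LoggerConfiguration()
            .MinimumLevel.ControlledBy(levelSwitch).WriteTo.Sink(late).CreateLogger();
        levelSwitch.MinimumLevel = configuredVerbosity;
        logger.Information("suppressed after the switch is raised");
        logger.Fatal("still emitted");
        Console.WriteLine($"level switch: {late.Events.Count} event(s) emitted");
    }
}
```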