
Comments (9)

nscuro avatar nscuro commented on July 22, 2024

We log the response headers and body from Slack in DEBUG level. You can enable debug logging by passing the LOGGING_LEVEL=DEBUG environment variable.

Debug logs will be quite noisy, you can grep / filter for SlackPublisher to narrow it down to just the Slack-related stuff.

Knowing why they reject the notifications would be helpful to resolve the issue.

from dependency-track.

arunkumarr-3 avatar arunkumarr-3 commented on July 22, 2024

Hi @nscuro, thanks for taking this up. I have done the above-mentioned things and now I got the following logs:

2024-05-24 09:08:02,260 WARN [SlackPublisher] Destination responded with with status code 400, likely indicating a processing failure (PublishContext{notificationGroup=POLICY_VIOLATION, notificationLevel=INFORMATIONAL, notificationScope=PORTFOLIO, notificationTimestamp=2024-05-24T09:07:52.426113846Z, notificationSubjects={component=Component[uuid=12284c58-bc90-4a25-b463-cfbd70ec0d40, group=null, name=wmi-lite, version=1.0.7], project=Project[uuid=116f05fb-5656-4cc5-bdb1-1557941e3b83, name=redacted, version=null]}, ruleName=test, ruleScope=PORTFOLIO, ruleLevel=INFORMATIONAL})

2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response headers: date: Fri, 24 May 2024 09:08:02 GMT
2024-05-24 09:08:02,260 DEBUG [SlackPublisher] Response body: invalid_blocks

Please let me know if any additional information is required.


nscuro avatar nscuro commented on July 22, 2024

Thanks for checking. Sadly that doesn't really tell us what exactly is wrong. I think someone will need to manually debug under what conditions exactly this is happening.


arunkumarr-3 avatar arunkumarr-3 commented on July 22, 2024

I think there is a template issue, but I am not confident enough yet to say. I have come across issue #3170, which seems similar to my problem, but even working with the updated template I faced the same issue.

Hoping to get the solution to fix it :)


nscuro avatar nscuro commented on July 22, 2024

We have tests that assert the JSON we send to Slack; you can find them here:

https://github.com/DependencyTrack/dependency-track/blob/master/src/test/java/org/dependencytrack/notification/publisher/SlackPublisherTest.java


arunkumarr-3 avatar arunkumarr-3 commented on July 22, 2024

Thanks. Based on this I will try to re-create the template and check whether it will address my issue.


nscuro avatar nscuro commented on July 22, 2024

I did some manual testing with a bare-bones Dependency-Track installation, where nothing but the Slack alert is configured.

This is a Webhook that was rejected with invalid_blocks:

Invalid Payload
{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "New Vulnerability"
      }
    },
    {
      "type": "context",
      "elements": [
        {
          "text": "*INFORMATIONAL*  |  *PORTFOLIO*",
          "type": "mrkdwn"
        }
      ]
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*VulnID*"
        },
        {
          "type": "plain_text",
          "text": "CVE-2022-29117"
        },
        {
          "type": "mrkdwn",
          "text": "*Severity*"
        },
        {
          "type": "plain_text",
          "text": "HIGH"
        },
        {
          "type": "mrkdwn",
          "text": "*Source*"
        },
        {
          "type": "plain_text",
          "text": "NVD"
        },
        {
          "type": "mrkdwn",
          "text": "*Component*"
        },
        {
          "type": "plain_text",
          "text": "pkg:nuget/[email protected]"
        }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Vulnerability"
          },
          "action_id": "actionId-1",
          "url": "/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Component"
          },
          "action_id": "actionId-2",
          "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}

The JSON is valid, and according to Slack's documentation it's not using any unknown or otherwise invalid blocks.

However, notice how the url field at the bottom only has a path, not a full URL. The URLs are supposed to link back to your Dependency-Track instance. The base URL is configured in the settings:

(screenshot of the base URL setting in the Dependency-Track configuration)

After configuring the base URL (e.g. to http://localhost:8080), all notifications are sent successfully. It seems Slack is validating the URLs being sent.

For reference, this payload is accepted by Slack:

Valid Payload
{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "New Vulnerability"
      }
    },
    {
      "type": "context",
      "elements": [
        {
          "text": "*INFORMATIONAL*  |  *PORTFOLIO*",
          "type": "mrkdwn"
        }
      ]
    },
    {
      "type": "divider"
    },
    {
      "type": "section",
      "text": {
        "text": "New Vulnerability Identified on Project: [pkg:oci/cyclonedx-bom-repo-server@sha256%3A49b7348cecf8a9145fbc885e5c78f6172b82ab810d98422ebc09a00bb109388f?arch=amd64\u0026repository_url=index.docker.io%2Fcyclonedx%2Fcyclonedx-bom-repo-server]",
        "type": "mrkdwn"
      },
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*VulnID*"
        },
        {
          "type": "plain_text",
          "text": "CVE-2022-29117"
        },
        {
          "type": "mrkdwn",
          "text": "*Severity*"
        },
        {
          "type": "plain_text",
          "text": "HIGH"
        },
        {
          "type": "mrkdwn",
          "text": "*Source*"
        },
        {
          "type": "plain_text",
          "text": "NVD"
        },
        {
          "type": "mrkdwn",
          "text": "*Component*"
        },
        {
          "type": "plain_text",
          "text": "pkg:nuget/[email protected]"
        }
      ]
    },
    {
      "type": "actions",
      "elements": [
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Vulnerability"
          },
          "action_id": "actionId-1",
          "url": "http://localhost:8080/vulnerabilities/NVD/CVE-2022-29117"
        },
        {
          "type": "button",
          "text": {
            "type": "plain_text",
            "text": "View Component"
          },
          "action_id": "actionId-2",
          "url": "http://localhost:8080/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"
        }
      ]
    }
  ]
}

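The diagnosis above (Slack answers `invalid_blocks` when a button `url` is a bare path rather than an absolute URL, and configuring the base URL fixes it) is easy to catch before the webhook POST is ever made. The following is an added example, not Dependency-Track's own code: it walks a Slack Block Kit payload, flags every button whose `url` is not an absolute http(s) URL, and shows the effect of prefixing a base URL. The sample payload is a trimmed, constructed copy of the rejected payload from the thread; the `base_url` prefixing is done here only to illustrate what the base URL setting achieves.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the payload Slack rejected in the thread.
# The "actions" block is the one that matters; the other blocks are kept so the
# walker runs over a realistic Block Kit structure.
REJECTED_PAYLOAD = json.loads("""
{
  "blocks": [
    {"type": "header", "text": {"type": "plain_text", "text": "New Vulnerability"}},
    {"type": "divider"},
    {"type": "section",
     "text": {"type": "mrkdwn", "text": "New Vulnerability Identified on Project: [example]"},
     "fields": [{"type": "mrkdwn", "text": "*VulnID*"},
                {"type": "plain_text", "text": "CVE-2022-29117"}]},
    {"type": "actions", "elements": [
      {"type": "button", "text": {"type": "plain_text", "text": "View Vulnerability"},
       "action_id": "actionId-1", "url": "/vulnerabilities/NVD/CVE-2022-29117"},
      {"type": "button", "text": {"type": "plain_text", "text": "View Component"},
       "action_id": "actionId-2", "url": "/components/a21c4a3f-26b2-472c-bb5d-09bc7a998fbb"}
    ]}
  ]
}
""")


def is_absolute_http_url(value: str) -> bool:
    """True only for http(s) URLs that carry a host. A bare path such as
    '/components/...' has neither scheme nor netloc and is therefore rejected,
    as is a 'host:port/path' string, which urlsplit parses with a bogus scheme."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _buttons(payload: dict):
    """Yield every button element inside 'actions' blocks."""
    for block in payload.get("blocks", []):
        if block.get("type") != "actions":
            continue
        for element in block.get("elements", []):
            if element.get("type") == "button":
                yield element


def find_relative_urls(payload: dict) -> list:
    """Return (action_id, url) for every button whose url is not absolute.
    Buttons without a url (plain action buttons) are fine and are skipped."""
    problems = []
    for button in _buttons(payload):
        url = button.get("url")
        if url is not None and not is_absolute_http_url(url):
            problems.append((button.get("action_id"), url))
    return problems


def with_base_url(payload: dict, base_url: str) -> dict:
    """Return a deep copy of the payload with relative button URLs prefixed by
    base_url (illustrative stand-in for the base URL setting; not project code).
    Refuses a base URL that is itself not absolute, which would only move the
    problem rather than fix it."""
    if not is_absolute_http_url(base_url):
        raise ValueError("base URL must itself be an absolute http(s) URL")
    fixed = json.loads(json.dumps(payload))  # deep copy; leave the input untouched
    base = base_url.rstrip("/")
    for button in _buttons(fixed):
        url = button.get("url")
        if url is not None and not is_absolute_http_url(url):
            button["url"] = base + "/" + url.lstrip("/")
    return fixed


def check_before_send(payload: dict) -> str:
    """Pre-send gate: 'ok' when the payload is safe to POST, otherwise a
    message naming the offending buttons so the log explains the rejection."""
    problems = find_relative_urls(payload)
    if not problems:
        return "ok"
    return "relative URLs: " + ", ".join(f"{aid}={url}" for aid, url in problems)


if __name__ == "__main__":
    print(check_before_send(REJECTED_PAYLOAD))
    repaired = with_base_url(REJECTED_PAYLOAD, "http://localhost:8080")
    print(check_before_send(repaired))
    print(repaired["blocks"][-1]["elements"][0]["url"])
```

Running a check like `check_before_send` in the publisher path (or in a test next to the existing `SlackPublisherTest`) turns an opaque `400 invalid_blocks` from Slack into a local log line that names the misconfiguration, which is the information the first two comments of the thread were missing.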

arunkumarr-3 avatar arunkumarr-3 commented on July 22, 2024

Thanks very much, it worked :)


github-actions avatar github-actions commented on July 22, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

