Commit 7b817d7

author
Glyn Normington
committed
Warn about sensitive information in logs
Add a new Security page and link to that from the README to attract people's attention. In the Security page, link to the logging section on sensitive information in logs. Also mention on the security page the need to keep any forks up to date. [#54989128]
1 parent a5da384 commit 7b817d7

3 files changed

Lines changed: 23 additions & 0 deletions

README.md

Lines changed: 1 addition & 0 deletions
@@ -16,6 +16,7 @@ The buildpack supports configuration and extension through the use of Git reposi
1616
## Additional Documentation
1717
* [Design](docs/design.md)
1818
* [Migrating from the Previous Java Buildpack](docs/migration.md)
19+
* [Security](docs/security.md)
1920
* Standard Containers
2021
* [Groovy](docs/container-groovy.md) ([Configuration](docs/container-groovy.md#configuration))
2122
* [Java Main Class](docs/container-java-main.md) ([Configuration](docs/container-java-main.md#configuration))
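Review bot: the new `* [Security](docs/security.md)` entry gives the reader no hint of what the page covers, unlike the container entries below it, which carry a parenthetical pointer to their configuration section. Since the point of the commit is to draw attention to credentials ending up in logs, consider a short descriptor on the link, e.g. `* [Security](docs/security.md) (sensitive information in logs, keeping forks current)`, so the warning is visible from the README itself rather than two clicks away. Placement between Migrating and Standard Containers keeps the alphabetical run intact, so no change needed there.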

docs/logging.md

Lines changed: 9 additions & 0 deletions
@@ -8,6 +8,15 @@ If the buildpack fails with an exception, the exception message is logged with a
88
log level of `ERROR` whereas the exception stack trace is logged with a log
99
level of `DEBUG` to prevent users from seeing stack traces by default.
1010

11+
## Sensitive Information in Logs
12+
13+
The Java buildpack logs sensitive information, such as environment variables which may contain security
14+
credentials.
15+
16+
_You should be careful not to expose this information
17+
inadvertently_, for example by posting standard error stream contents or the contents of
18+
`<app dir>/.buildpack-diagnostics/buildpack.log` to a public discussion list.
19+
1120
## Logger Usage
1221
The `LoggerFactory` class in the `JavaBuildpack::Diagnostics` module
1322
manages a single instance of a subclass of the standard Ruby `Logger`.
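Review bot: the new section states that the buildpack logs environment variables that may contain credentials, but not under which conditions. The paragraph immediately above distinguishes `ERROR` output (shown by default) from `DEBUG` output (hidden by default); the new text should say whether the environment dump is written regardless of log level and whether it reaches the standard error stream, `<app dir>/.buildpack-diagnostics/buildpack.log`, or both, since that determines who can read it. It is also worth noting that `buildpack.log` lives inside the application directory and therefore persists in the built droplet, so anyone with access to the running container can read it, not only whoever watches the staging output. A smaller point: "environment variables which may contain security credentials" reads better as "environment variables, which may contain security credentials". As a follow-up, rather than only warning users, consider redacting the values of variables the buildpack already knows to carry credentials before they are written.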

docs/security.md

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# Security
2+
3+
In addition to security considerations associated with JREs, containers, and frameworks, the
4+
following points pertain to the security of the buildpack itself.
5+
6+
## Buildpack Forks
7+
8+
If you fork the Java buildpack, it is important to keep the fork up to date with the
9+
original repository. This will ensure that your fork runs with any security fixes that may be necessary.
10+
11+
## Security and Logs
12+
13+
See [Sensitive Information in Logs](logging.md#Sensitive-Information-in-Logs).
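Review bot: the cross-reference `logging.md#Sensitive-Information-in-Logs` on line 13 will most likely not resolve. GitHub derives heading anchors by lower-casing the heading text and replacing spaces with hyphens, so the anchor generated for `## Sensitive Information in Logs` is `#sensitive-information-in-logs`, and fragment matching is case-sensitive in browsers; change the link to `[Sensitive Information in Logs](logging.md#sensitive-information-in-logs)`. In the Buildpack Forks section, "keep the fork up to date" would be more actionable with one sentence on how, for example watching the original repository's releases and merging them promptly, and with a note that a fork that lags behind silently keeps any vulnerability that has since been fixed upstream.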
