Conversation

Files with fixed CodeQL alerts:
- src/SourceFlow.Cloud.AWS/Messaging/Commands/AwsSqsCommandDispatcherEnhanced.cs (Fixed)
- src/SourceFlow.Cloud.AWS/Messaging/Commands/AwsSqsCommandListenerEnhanced.cs (Fixed)
- src/SourceFlow.Cloud.AWS/Messaging/Events/AwsSnsEventDispatcherEnhanced.cs (Fixed)
- src/SourceFlow.Cloud.AWS/Messaging/Events/AwsSnsEventListenerEnhanced.cs (Fixed)
| var masker = new SensitiveDataMasker(); | ||
| var masked = masker.Mask(testData); | ||
|
|
||
| _logger.LogInformation("Masked data: {MaskedData}", masked); |
Check warning: Code scanning / CodeQL: Exposure of private information (Medium, test)

Copilot Autofix (AI, about 1 hour ago):
In general, the safest way to address this class of issue is to avoid writing sensitive or potentially sensitive data to external locations (logs, files, etc.), even in masked form, unless strictly necessary. When logging is needed, it should be limited to metadata (for example, whether masking succeeded) rather than the actual masked content.
For this specific case, we do not need to log the masked string at all to validate functionality: the subsequent Assert.* statements already check that the masked string does not contain original secrets and does contain masking tokens. The minimal, non‑functional change is therefore to remove or neutralize the _logger.LogInformation("Masked data: {MaskedData}", masked); line. If some logging is still desired, we can log a generic message that masking completed, without including the masked variable. No changes are required in SensitiveDataMasker itself; it is only referenced by the test.
Concretely:
- In `tests/SourceFlow.Cloud.AWS.Tests/Integration/KmsSecurityAndPerformanceTests.cs`, in the `SensitiveDataMasking_WithCreditCardAttribute_ShouldMaskInLogs` test, replace the line that logs `masked` with a log line that does not embed the sensitive data (or remove it entirely). Everything else in this file and in `SensitiveDataMasker.cs` can remain unchanged for this alert.
| @@ -78,7 +78,8 @@ | ||
| var masker = new SensitiveDataMasker(); | ||
| var masked = masker.Mask(testData); | ||
|
|
||
| _logger.LogInformation("Masked data: {MaskedData}", masked); | ||
| // Do not log masked data content to avoid exposing sensitive information, even in masked form | ||
| _logger.LogInformation("Sensitive data masking completed for test payload."); | ||
|
|
||
| // Verify masked output doesn't contain full sensitive values | ||
| Assert.DoesNotContain("4532-1234-5678-9010", masked); |
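Review bot: the replacement `_logger.LogInformation("Sensitive data masking completed for test payload.");` line removes the payload from the sink, but it also carries no signal a reader of the test log could use to distinguish a masking failure from a pass; since the `Assert.DoesNotContain` lines that follow are the real check, either drop the log call entirely or log only metadata derived from those checks (for example the number of secrets verified absent), so that `masked` never appears as a structured argument again. The added `// Do not log masked data content ...` comment is the right place to state that rule; keep it.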
| Assert.DoesNotContain("MyP@ssw0rd!", masked); | ||
| Assert.DoesNotContain("pk_live_abcdefghijklmnopqrstuvwxyz123456", masked); | ||
|
|
||
| _logger.LogInformation("Comprehensive masked data: {MaskedData}", masked); |
Check warning: Code scanning / CodeQL: Exposure of private information (Medium, test)

Copilot Autofix (AI, about 1 hour ago):
General approach: avoid writing potentially sensitive (or derived-from-sensitive) data to external sinks such as logs, especially in ways that might re-expose information if masking is incomplete. In this case, we can preserve the test’s behavior (assertions about masking) while omitting the actual masked payload from the log.
Best concrete fix: update the integration test so that it no longer logs the masked JSON string. Instead, log a generic success message that does not include the masked data as a structured argument. The assertions already validate that sensitive literals are not present, so logging the content is unnecessary.
Specific changes:
- File: `tests/SourceFlow.Cloud.AWS.Tests/Integration/KmsSecurityAndPerformanceTests.cs`
- In `SensitiveDataMasking_WithMultipleTypes_ShouldMaskAllCorrectly`, replace the line: `_logger.LogInformation("Comprehensive masked data: {MaskedData}", masked);` with something like: `_logger.LogInformation("Comprehensive sensitive data masking test completed successfully.");` This keeps the log useful without sending the masked JSON to the logger sink.
- No changes are needed in SensitiveDataMasker itself to resolve this CodeQL alert, and no new imports or helpers are required.
| @@ -122,7 +122,7 @@ | ||
| Assert.DoesNotContain("MyP@ssw0rd!", masked); | ||
| Assert.DoesNotContain("pk_live_abcdefghijklmnopqrstuvwxyz123456", masked); | ||
|
|
||
| _logger.LogInformation("Comprehensive masked data: {MaskedData}", masked); | ||
| _logger.LogInformation("Comprehensive sensitive data masking test completed successfully."); | ||
| } | ||
|
|
||
| #endregion |
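Review bot: unlike the first hunk, this replacement has no comment explaining why `masked` must not be passed to `_logger`; add the same `// Do not log masked data content to avoid exposing sensitive information, even in masked form` comment above the new `_logger.LogInformation("Comprehensive sensitive data masking test completed successfully.");` line so a later edit to this test does not reintroduce the `{MaskedData}` structured argument. The two `Assert.DoesNotContain` context lines above already prove the masking; the log line adds nothing they do not.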
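Both Copilot suggestions above make the same point: a test that exercises a masker should prove masking with assertions and keep the payload, masked or not, out of the log sink. The C# below is an added example and not SourceFlow code: `DemoMasker`, `CapturingLog` and `LogHygiene` are hypothetical stand-ins for the project's `SensitiveDataMasker` and the test's `_logger`, and the payload is constructed from the fake literals the assertions on this page check for. It shows the metadata-only logging the suggestions recommend beside a guard that flags the original `Masked data: {MaskedData}` pattern, so the same check can run against a captured log in a test.

```csharp
// Added example (not SourceFlow code). DemoMasker stands in for the project's
// SensitiveDataMasker; CapturingLog stands in for the test's _logger.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class DemoMasker
{
    // Hypothetical masking rules for a flat "key=value;key=value" payload.
    private static readonly Regex CardNumber = new Regex(@"\b(?:\d{4}-){3}\d{4}\b");
    private static readonly Regex ApiKey = new Regex(@"\bpk_live_[A-Za-z0-9]+\b");
    private static readonly Regex PasswordField = new Regex(@"(?i)(password=)[^;]+");

    public static string Mask(string payload)
    {
        // Keep only the last four digits of a card number.
        var result = CardNumber.Replace(payload, m => "****-****-****-" + m.Value.Substring(m.Value.Length - 4));
        // Keep the key prefix so a reader can still tell which kind of secret was present.
        result = ApiKey.Replace(result, "pk_live_[REDACTED]");
        // Replace the whole password value; $1 is the captured "password=" prefix.
        result = PasswordField.Replace(result, "$1[REDACTED]");
        return result;
    }
}

// Minimal in-memory log sink; a real test would capture ILogger output the same way.
public sealed class CapturingLog
{
    public List<string> Entries { get; } = new List<string>();
    public void Info(string message) => Entries.Add(message);
}

public static class LogHygiene
{
    // Returns every log entry that contains any forbidden string (raw secrets or the masked payload).
    public static List<string> Leaks(IEnumerable<string> entries, IEnumerable<string> forbidden)
    {
        var forbiddenList = forbidden.ToList();
        return entries
            .Where(e => forbiddenList.Any(f => e.IndexOf(f, StringComparison.Ordinal) >= 0))
            .ToList();
    }
}

public static class Program
{
    // Constructed test payload: the same fake literals the page's assertions check for.
    private const string TestData =
        "card=4532-1234-5678-9010;password=MyP@ssw0rd!;apiKey=pk_live_abcdefghijklmnopqrstuvwxyz123456";

    private static readonly string[] Secrets =
    {
        "4532-1234-5678-9010",
        "MyP@ssw0rd!",
        "pk_live_abcdefghijklmnopqrstuvwxyz123456",
    };

    public static void Main()
    {
        var masked = DemoMasker.Mask(TestData);

        // Assertions are the real check: every secret must be absent from the masked output.
        foreach (var secret in Secrets)
        {
            if (masked.IndexOf(secret, StringComparison.Ordinal) >= 0)
                throw new InvalidOperationException("masking incomplete for: " + secret);
        }

        // Strings that must never reach a log sink: the raw secrets and the masked payload itself.
        var forbidden = Secrets.Concat(new[] { masked }).ToList();

        // The pattern CodeQL flagged: the masked payload is handed to the logger.
        var leakyLog = new CapturingLog();
        leakyLog.Info("Masked data: " + masked);

        // The pattern the autofix recommends: metadata only, no payload.
        var safeLog = new CapturingLog();
        safeLog.Info($"Sensitive data masking completed: {Secrets.Length} secrets verified absent, output length {masked.Length}");

        var leakyCount = LogHygiene.Leaks(leakyLog.Entries, forbidden).Count;
        var safeCount = LogHygiene.Leaks(safeLog.Entries, forbidden).Count;
        Console.WriteLine($"leaky log entries carrying sensitive content: {leakyCount}");
        Console.WriteLine($"safe log entries carrying sensitive content: {safeCount}");
    }
}
```

In a real test the forbidden list would be built from the same literals the `Assert.DoesNotContain` calls use, and `LogHygiene.Leaks` would run over the captured `_logger` entries at the end of the test, so a regression that logs `masked` again fails the test rather than only tripping a scanner.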
Major release with AWS cloud integration, CI/CD enhancements, and comprehensive testing improvements.

## AWS Cloud Integration
- Add AWS SQS/SNS integration for distributed command and event processing
- Implement LocalStack support for local AWS service emulation
- Add comprehensive AWS integration tests with property-based testing
- Fix LocalStack connectivity and authentication in CI environments
- Add external LocalStack detection to prevent container conflicts

## CI/CD Improvements
- Configure LocalStack as GitHub Actions service for integration tests
- Add NuGet cache clearing to prevent stale package metadata issues
- Exclude integration and security tests from CI (run unit tests only)
- Add comprehensive GitHub Actions setup documentation
- Fix GitVersion configuration for release branches
- Update workflows with paths-ignore for documentation changes

## Testing Enhancements
- Add LocalStack timeout and connectivity diagnostics
- Implement property-based tests for AWS service equivalence
- Add dead letter queue processing tests
- Fix SQS queue attribute names and DLQ test timing
- Add CI-optimized LocalStack configuration with extended timeouts

## Documentation
- Add GitHub Actions setup guide with troubleshooting
- Update cloud integration testing documentation
- Add AWS cloud architecture documentation
- Update README with new logo images

## Bug Fixes
- Fix .NET Standard 2.1 compatibility with GlobalUsings.cs
- Fix AWS client endpoint configuration for LocalStack
- Fix IAM enforcement in LocalStack service container
- Fix compilation errors in AwsTestConfiguration

## Breaking Changes
- Cloud.Core functionality consolidated into main SourceFlow package (v2.0.0)
- Namespace changes: SourceFlow.Cloud.Core.* → SourceFlow.Cloud.*

Related specs:
- .kiro/specs/v2-0-0-release-preparation/
- .kiro/specs/github-actions-localstack-timeout-fix/
- .kiro/specs/github-actions-ci-configuration-fix/
abb7ad7 to 3db7487
- Release branches now generate pre-release packages with -beta suffix
- Example: 2.0.0-beta.1 instead of 2.0.0
- Prevents accidental stable release publication from release branches
- Final stable releases still triggered by 'release-packages' tag
# SourceFlow.Net v2.0.0 - Changelog

Release Date: TBC
Status: In Development

Note: This release includes AWS cloud integration support. Azure cloud integration will be available in a future release.

## 🎉 Major Changes

### Cloud Core Consolidation

The `SourceFlow.Cloud.Core` project has been consolidated into the main SourceFlow package. This architectural change simplifies the dependency structure and reduces the number of separate packages required for cloud integration.

Benefits:

## ✨ New Features

### Integrated Cloud Functionality

The following components are now part of the core `SourceFlow` package:

Configuration
- `BusConfiguration` - Fluent API for routing configuration
- `IBusBootstrapConfiguration` - Bootstrapper integration
- `ICommandRoutingConfiguration` - Command routing abstraction
- `IEventRoutingConfiguration` - Event routing abstraction
- `IIdempotencyService` - Duplicate message detection
- `InMemoryIdempotencyService` - Default implementation
- `IdempotencyConfigurationBuilder` - Fluent API for idempotency configuration

Resilience
- `ICircuitBreaker` - Circuit breaker pattern interface
- `CircuitBreaker` - Implementation with state management
- `CircuitBreakerOptions` - Configuration options
- `CircuitBreakerOpenException` - Exception for open circuits
- `CircuitBreakerStateChangedEventArgs` - State transition events

Security
- `IMessageEncryption` - Message encryption abstraction
- `SensitiveDataAttribute` - Marks properties for encryption
- `SensitiveDataMasker` - Automatic log masking
- `EncryptionOptions` - Encryption configuration

Dead Letter Processing
- `IDeadLetterProcessor` - Failed message handling
- `IDeadLetterStore` - Failed message persistence
- `DeadLetterRecord` - Failed message model
- `InMemoryDeadLetterStore` - Default implementation

Observability
- `CloudActivitySource` - OpenTelemetry activity source
- `CloudMetrics` - Standard cloud metrics
- `CloudTelemetry` - Centralized telemetry

Serialization
- `PolymorphicJsonConverter` - Handles inheritance hierarchies

### Idempotency Configuration Builder

New fluent API for configuring idempotency services:

Builder Methods:
- `UseEFIdempotency(connectionString, cleanupIntervalMinutes)` - Entity Framework-based (requires SourceFlow.Stores.EntityFramework package)
- `UseInMemory()` - In-memory implementation
- `UseCustom<TImplementation>()` - Custom implementation by type
- `UseCustom(factory)` - Custom implementation with factory function

### Enhanced AWS Integration

AWS cloud extension now supports explicit idempotency configuration:

## 📚 Documentation Updates

### New Documentation

### Updated Documentation

## 🐛 Bug Fixes

## 🔧 Internal Changes

### Project Structure
- `src/SourceFlow.Cloud.Core/` into `src/SourceFlow/Cloud/`

### Build System

## 📦 Package Dependencies

### SourceFlow v2.0.0

### SourceFlow.Cloud.AWS v2.0.0
- SourceFlow >= 2.0.0
- SourceFlow.Cloud.Core dependency

## 🚀 Upgrade Path

### For AWS Extension Users

If you're using the AWS cloud extension, no code changes are required. The consolidation is transparent to consumers of the cloud package.

## 📝 Notes

## 🔗 Related Documentation

Version: 2.0.0
Date: TBC
Status: In Development