@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (11 fixed, 16 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (12 fixed, 15 open), 42 sev-1.
---
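Review bot: the rollup change gives no pointer to which finding moved, so please cite that finding's F-number next to the new sev-2 tally. The edit moves exactly one sev-2 finding from open to fixed (11/16 to 12/15) while the per-severity totals stay at 5/27/42, which matches the single sev-2 finding marked `Status: Fixed` in the hunk at line 766, but a reader of the rollup alone cannot verify that without the cross-reference. The sev-1 entry still carries no fixed/open split, unlike the sev-3 and sev-2 entries on the same line.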
@@ -766,6 +766,17 @@
passwords or generic OIDC `client_secret` values, so password-spray
and OIDC misconfig errors leak via stdout logs.
- **Severity: 2**
+- **Status:** Fixed. Both call sites now route through
+ `App\Infrastructure\Logging\SafeTrace::format()`, which walks
+ `Throwable::getTrace()` (and the `getPrevious()` chain) and renders
+ one frame per line as `#N file(line): Class::method()` — the
+ `args` element is dropped entirely, so no scalar argument can ever
+ reach a log record regardless of the secret-scrubber's pattern
+ list. `JsonErrorHandler` and `JobRunner` no longer call
+ `getTraceAsString()`. Regression test in
+ `api/tests/Unit/Logging/SafeTraceTest.php` covers single-frame
+ arg suppression, `Caused by` chain walking, and the rendered frame
+ layout.
### F22 — `compose.scheduler.yml` runs `apk add` at every container start
- **File:** `compose.scheduler.yml:3-8`
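Review bot: the Status text describes the rendered frame as `#N file(line): Class::method()` but does not say how `SafeTrace::format()` handles frames that lack `file`/`line` (frames entered from internal code in PHP) or `class`/`type` (plain function calls); `Throwable::getTrace()` omits those keys in such frames, so a formatter that indexes them unconditionally would raise its own notice in the middle of logging an error. The regression test cases listed (single-frame arg suppression, `Caused by` chain walking, rendered frame layout) do not cover that, so please add a frame-without-file/class case to `SafeTraceTest.php` and state the fallback rendering in the Status bullet. Separately, the bullet only asserts that the `args` element is dropped; since the context lines describe password and `client_secret` values reaching stdout logs, it should also say whether `getMessage()` of each exception in the `getPrevious()` chain still goes through the secret scrubber, because that path is not addressed by dropping trace arguments.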