DAST: Conform to SECURE_LOG_LEVEL setting

Summary

The accepted variable for controlling log verbosity across the Application Security Testing analyzers is SECURE_LOG_LEVEL. Support has asked us to conform to this standard so that users have one variable to remember, reducing cognitive load.

Context

DAST has a more granular logging system than most analyzers: log levels are configurable per module and per destination (console or file). When raising the log level (e.g. to debug), we generally advise doing so for the file log only, to avoid overwhelming the job log. This will become the only option once we implement human-readable job console output; user-configurable log output will then go only to the file log.

SECURE_LOG_LEVEL can be set to any supported log level, but in practice it is mostly set to debug to troubleshoot analyzer issues.

Proposal

  1. When SECURE_LOG_LEVEL is set, treat it as the default log level for the file log, instead of the normal default of info.
    • If DAST_LOG_FILE_CONFIG is set, it is applied as normal and overrides the default or module levels.
    • Although SECURE_LOG_LEVEL is not documented as supporting trace or panic, DAST will accept both, for consistency with the rest of the DAST logging configuration.
  2. When SECURE_LOG_LEVEL is set to debug or trace, enable the auth report by default.
    • If DAST_AUTH_REPORT is set to false, it overrides this default.
    • Setting SECURE_LOG_LEVEL to debug is already documented as potentially exposing sensitive information, so enabling the auth report at these levels is consistent with what users are already warned about.
  3. When SECURE_LOG_LEVEL is set to trace, enable Chromium DevTools logging with the value Default:messageAndBody,truncate:2000.
    • If DAST_LOG_DEVTOOLS_CONFIG is set, it overrides this default.
  4. Output a message at the end of the job log with links to the DAST troubleshooting docs and a reminder to check the log file and other job artifacts for more information.
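The precedence rules above, worked through as an added example in Go (the language of the DAST analyzer); this is illustrative code written for this issue, not code from the DAST project. It resolves a job's environment into a file-log level, an auth-report flag and a DevTools setting, rejecting unknown level names. Assumptions: the full list of level names (the proposal only names trace, debug, info and panic explicitly), a "Default:<level>,<module>:<level>" shape for DAST_LOG_FILE_CONFIG modelled on the DevTools value quoted above, and all function and type names.

```go
package main

import (
	"fmt"
	"strings"
)

// Levels DAST accepts, most to least verbose. SECURE_LOG_LEVEL is documented
// without trace and panic; per the proposal DAST accepts them anyway.
// Assumed set: the proposal names only trace, debug, info and panic.
var knownLevels = map[string]bool{
	"trace": true, "debug": true, "info": true, "warn": true,
	"error": true, "fatal": true, "panic": true,
}

// DevTools setting applied for SECURE_LOG_LEVEL=trace when the user has not
// set DAST_LOG_DEVTOOLS_CONFIG (value taken from proposal item 3).
const traceDevToolsConfig = "Default:messageAndBody,truncate:2000"

// LogConfig is the resolved logging configuration for one DAST job.
type LogConfig struct {
	DefaultFileLevel string            // file-log level for modules without an override
	ModuleFileLevels map[string]string // per-module file-log levels
	AuthReport       bool              // whether the auth report is written
	DevToolsConfig   string            // Chromium DevTools logging; "" means off
}

// parseLevelConfig parses "Default:debug,auth:trace" style values.
// Assumption: DAST_LOG_FILE_CONFIG uses the same key:value,key:value shape
// as the DevTools value in the proposal; keys and levels are case-insensitive.
func parseLevelConfig(raw string) (string, map[string]string, error) {
	def := ""
	modules := map[string]string{}
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		k, v, ok := strings.Cut(pair, ":")
		if !ok {
			return "", nil, fmt.Errorf("malformed entry %q", pair)
		}
		k = strings.ToLower(strings.TrimSpace(k))
		v = strings.ToLower(strings.TrimSpace(v))
		if !knownLevels[v] {
			return "", nil, fmt.Errorf("unknown level %q for %q", v, k)
		}
		if k == "default" {
			def = v
		} else {
			modules[k] = v
		}
	}
	return def, modules, nil
}

// ResolveLogConfig applies the proposal's precedence rules to a job's
// environment. env maps variable name to value; a missing key means unset.
func ResolveLogConfig(env map[string]string) (LogConfig, error) {
	cfg := LogConfig{DefaultFileLevel: "info", ModuleFileLevels: map[string]string{}}

	// Item 1: SECURE_LOG_LEVEL replaces the default file-log level.
	secure := strings.ToLower(strings.TrimSpace(env["SECURE_LOG_LEVEL"]))
	if secure != "" {
		if !knownLevels[secure] {
			return cfg, fmt.Errorf("SECURE_LOG_LEVEL: unknown level %q", secure)
		}
		cfg.DefaultFileLevel = secure
	}
	// Item 1, first bullet: an explicit file config overrides default and module levels.
	if raw := strings.TrimSpace(env["DAST_LOG_FILE_CONFIG"]); raw != "" {
		def, modules, err := parseLevelConfig(raw)
		if err != nil {
			return cfg, fmt.Errorf("DAST_LOG_FILE_CONFIG: %w", err)
		}
		if def != "" {
			cfg.DefaultFileLevel = def
		}
		cfg.ModuleFileLevels = modules
	}

	// Item 2: debug/trace enable the auth report unless DAST_AUTH_REPORT says otherwise.
	switch strings.ToLower(strings.TrimSpace(env["DAST_AUTH_REPORT"])) {
	case "true":
		cfg.AuthReport = true
	case "false":
		cfg.AuthReport = false
	default:
		cfg.AuthReport = secure == "debug" || secure == "trace"
	}

	// Item 3: trace enables DevTools logging unless the user configured it explicitly.
	if raw := strings.TrimSpace(env["DAST_LOG_DEVTOOLS_CONFIG"]); raw != "" {
		cfg.DevToolsConfig = raw
	} else if secure == "trace" {
		cfg.DevToolsConfig = traceDevToolsConfig
	}
	return cfg, nil
}

func main() {
	// Constructed job environment: the usual "set debug to troubleshoot" case,
	// with one module pushed further through the file config.
	env := map[string]string{"SECURE_LOG_LEVEL": "debug", "DAST_LOG_FILE_CONFIG": "auth:trace"}
	cfg, err := ResolveLogConfig(env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", cfg)
}
```

Note that an explicit DAST_AUTH_REPORT=true still enables the report at lower levels, and DAST_LOG_FILE_CONFIG without a Default entry keeps the level SECURE_LOG_LEVEL chose, so the two variables compose rather than one silently discarding the other.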
Edited by David Nelson