redpanda

Findings

No SQL queries (library crate, no DB layer). format! macros are used for error messages only, not in query construction. No Command::new or other shell invocation found.
.gitignore has no *.pem or *.key patterns. Current exclusions are target/, .env, .env.*, and *.log, so TLS certificate or key files would not be excluded if accidentally added.

WebhookConfig.headers: HashMap<String, String> stores arbitrary auth tokens (the test at line 397 shows "Authorization": "Bearer token123"). The struct derives Serialize, so callers who log or serialize MonitoringConfig will expose the tokens in plaintext.

JSON only. No XML parsing libraries in Cargo.toml or the source tree.
tenantid is validated as non-empty in CloudEvent::validate(), and the producer enforces event.validate() before emission, so tenant isolation is structurally enforced at the event layer. No RLS is needed (no DB layer in the library).

The producer ClientConfig sets only bootstrap.servers and message.timeout.ms: no security.protocol, sasl.mechanism, sasl.username, sasl.password, or ssl.* settings. The effective default is plaintext, and nothing enforces or guides callers to add TLS/SASL.

The same applies to the ClientConfig for the consumer: no TLS/SASL configured.

No security.protocol on the replication path either, so cross-cluster replication would transmit all ODS events in cleartext.

enable.auto.commit=true is hardcoded and not exposed via ConsumerConfig. This yields at-most-once delivery: if the consumer crashes after Kafka commits the offset but before the event is processed, the event is silently dropped. Audit-critical events (auth, billing) may be lost.

enable.auto.commit=true is likewise hardcoded in the replication consumer, so cross-cluster event replication is vulnerable to silent event loss on crash.

Library crate: no HTML rendering, templates, or browser-facing output.
serde_json::from_slice::<CloudEvent>(payload) deserializes the raw Kafka message bytes with no prior size check. A malformed or deliberately oversized message could trigger excessive memory allocation before deserialization fails; no max_payload_bytes guard is configured.

cargo-audit is not installed on this machine, so known CVEs cannot be verified for rdkafka 0.36, tokio 1.x, chrono 0.4, serde_json 1.x, or uuid 1.x. Manual inspection shows no obviously insecure pinned versions, but automated verification is required before any release.

No tracing instrumentation in the alerting module: alert generation, threshold evaluation, and webhook dispatch errors are not logged, leaving no audit trail for alert actions.

validate() failures are returned as errors but never logged, so failed event creation is invisible in production traces.

No use of tracing::error!: all error paths propagate as Result::Err without being recorded in telemetry. Errors in production will only be visible if callers log at error level, which is not guaranteed.

Cannot scan for known CVEs in rdkafka 0.36, tokio 1.x, chrono 0.4, serde_json 1.x, futures-util 0.3, thiserror 2.x, uuid 1.x, or tracing 0.1. Install and run cargo-audit before release.
Note: WebhookConfig.headers is a runtime secret container and is flagged under A03; it is not a static secret in source.
No unsafe blocks found in production source.

Recommended remediation

Add security_protocol, sasl_mechanism, sasl_username, and sasl_password fields to ProducerConfig, ConsumerConfig, and the replication config, and apply them in ClientConfig::new() when provided. Default to plaintext for development only.
Add cargo install cargo-audit && cargo audit --deny warnings to the GitHub Actions workflow, and block merge on any advisory with severity of high or above.
Expose enable_auto_commit: bool in ConsumerConfig (default false, giving at-least-once delivery), document the delivery-guarantee semantics, and apply the same fix to the replication consumer.
Before calling serde_json::from_slice, check payload.len() <= MAX_PAYLOAD_BYTES (recommended: 1 MB). If the limit is exceeded, return EventError::Consume and log a warning.
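The following is an added example of the size-guarded consume path described above; it is not the crate's own code. It is std-only so it runs stand-alone: a toy key=value decoder stands in for serde_json::from_slice::<CloudEvent>, the MAX_PAYLOAD_BYTES constant, the EventError variants and the MiniEvent type are assumed names, and the validate() check mirrors the non-empty tenant rule the report describes. The point it demonstrates is ordering: the length check runs on the borrowed Kafka bytes before any parsing or allocation, so an oversized message costs a single comparison and a typed error rather than a failed deserialization.

```rust
use std::fmt;

/// Upper bound on a raw Kafka message before any parsing is attempted.
/// The 1 MB value is the report's recommendation; the constant name is assumed.
pub const MAX_PAYLOAD_BYTES: usize = 1024 * 1024;

/// Hypothetical error type standing in for the crate's EventError.
#[derive(Debug, PartialEq)]
pub enum EventError {
    /// Payload rejected before deserialization was attempted.
    Consume { observed: usize, limit: usize },
    /// Payload passed the size check but failed to decode or validate.
    Decode(String),
}

impl fmt::Display for EventError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            EventError::Consume { observed, limit } => {
                write!(f, "payload of {} bytes exceeds limit of {} bytes", observed, limit)
            }
            EventError::Decode(msg) => write!(f, "decode failed: {}", msg),
        }
    }
}

/// Minimal stand-in for CloudEvent (constructed for this example).
#[derive(Debug, PartialEq)]
pub struct MiniEvent {
    pub tenant_id: String,
    pub event_type: String,
}

impl MiniEvent {
    /// Mirrors the non-empty tenant check the report describes in CloudEvent::validate().
    pub fn validate(&self) -> Result<(), String> {
        if self.tenant_id.is_empty() {
            return Err("tenant_id must not be empty".to_string());
        }
        if self.event_type.is_empty() {
            return Err("type must not be empty".to_string());
        }
        Ok(())
    }
}

/// Toy `key=value;key=value` decoder standing in for serde_json. It only
/// ever runs after the size guard has passed.
pub fn decode_mini_event(payload: &[u8]) -> Result<MiniEvent, String> {
    let text = std::str::from_utf8(payload).map_err(|e| e.to_string())?;
    let mut ev = MiniEvent { tenant_id: String::new(), event_type: String::new() };
    for field in text.split(';').filter(|f| !f.is_empty()) {
        let (k, v) = field
            .split_once('=')
            .ok_or_else(|| format!("malformed field: {}", field))?;
        match k.trim() {
            "tenant_id" => ev.tenant_id = v.trim().to_string(),
            "type" => ev.event_type = v.trim().to_string(),
            other => return Err(format!("unknown field: {}", other)),
        }
    }
    ev.validate()?;
    Ok(ev)
}

/// Size check first, decode second. `decode` is whatever deserializer the
/// caller uses; in the real crate it would be serde_json::from_slice.
pub fn consume_guarded<T, F>(payload: &[u8], limit: usize, decode: F) -> Result<T, EventError>
where
    F: FnOnce(&[u8]) -> Result<T, String>,
{
    if payload.len() > limit {
        // In the crate this would be tracing::warn!; stderr keeps the example std-only.
        eprintln!(
            "warning: rejected oversized payload ({} bytes > {} byte limit)",
            payload.len(),
            limit
        );
        return Err(EventError::Consume { observed: payload.len(), limit });
    }
    decode(payload).map_err(EventError::Decode)
}

fn main() {
    // Constructed inputs: one well-formed event and one oversized blob.
    let good: &[u8] = b"tenant_id=acme;type=order.created";
    let oversized = vec![b'{'; MAX_PAYLOAD_BYTES + 1];

    println!("{:?}", consume_guarded(good, MAX_PAYLOAD_BYTES, decode_mini_event));
    match consume_guarded(&oversized, MAX_PAYLOAD_BYTES, decode_mini_event) {
        Err(e) => println!("rejected: {}", e),
        Ok(ev) => println!("unexpectedly accepted: {:?}", ev),
    }
}
```

The limit is passed in rather than read from the constant inside the function so that a ConsumerConfig field (max_payload_bytes, as the report suggests) can supply it per consumer while the replication consumer gets the same guard for free.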
Add #[serde(skip_serializing)] to WebhookConfig.headers, or implement a custom Debug that masks the values, and document that callers must not log the config object.
Add *.pem, *.key, *.crt, and *.p12 to .gitignore as a precaution against accidental certificate commits.
Instrument alerting.rs, event.rs, and all consumer/producer error paths with tracing::error! so failures appear in production traces without requiring callers to handle logging.