asf-tooling opened a new issue, #1130:
URL: https://github.com/apache/tooling-trusted-releases/issues/1130

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The file `atr/sbom/osv.py` at line 110 uses `print(vulns)` for debug output,
   bypassing the application's structured logging framework. The call writes the
   whole vulnerability list to stdout as unstructured text that cannot be
   filtered, routed, or managed through the logging configuration. This reduces
   log manageability and may expose information through an output channel
   (stdout) that is captured differently from the application's logs.
   
   ### Details
   The use of `print()` statements in production code:
   - Bypasses logging level controls (cannot be disabled in production)
   - Outputs to stdout instead of configured log handlers
   - Produces unstructured text instead of structured log entries
   - Cannot be filtered or routed by logging infrastructure
   - May expose information in contexts where stdout is captured differently
     than logs (for example by a process supervisor or container runtime)
   
   **Affected file:** `atr/sbom/osv.py`, line 110
   
   This inconsistency with the application's structured logging approach
   reduces operational visibility and control.
   
   ### Recommended Remediation
   Replace the `print()` statement with structured logging:
   
   ```python
   log.debug("Loaded vulnerabilities from bundle", count=len(vulns))
   ```
   
   If detailed vulnerability information is needed for debugging, use:
   
   ```python
   log.debug("Loaded vulnerabilities from bundle", count=len(vulns), vulns=vulns)
   ```
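
   The following is an added example, not code from the project, showing the
   remediation end to end: a loader that emits the vulnerability count as a
   structured record instead of printing the list, and a check that the record
   is suppressed when the configured level is above DEBUG. The issue does not
   show the project's own `log` object, so the example assumes the standard
   library `logging` module with a small JSON formatter; the `extra={"fields":
   ...}` convention, the logger name and the OSV-style sample bundle are
   constructed for the example.

```python
"""Structured logging in place of a stray print(), with level gating.

Added example; not code from apache/tooling-trusted-releases. The project's
own `log` object is not shown in the issue, so this uses the standard-library
`logging` module with a JSON formatter. Names and sample data are assumptions.
"""
import io
import json
import logging
from typing import Any

# Constructed sample: a minimal OSV-style bundle with two vulnerability records.
SAMPLE_BUNDLE = {
    "vulns": [
        {"id": "EXAMPLE-2024-0001", "summary": "constructed record"},
        {"id": "EXAMPLE-2024-0002", "summary": "constructed record"},
    ]
}


class JsonFormatter(logging.Formatter):
    """Emit each record as one JSON object; structured fields arrive via `extra`."""

    def format(self, record: logging.LogRecord) -> str:
        payload: dict[str, Any] = {
            "level": record.levelname,
            "logger": record.name,
            "event": record.getMessage(),
        }
        fields = getattr(record, "fields", None)
        if isinstance(fields, dict):
            payload.update(fields)
        return json.dumps(payload, sort_keys=True)


def make_logger(level: int) -> tuple[logging.Logger, io.StringIO]:
    """Build an isolated logger that writes JSON lines to an in-memory buffer."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(JsonFormatter())
    logger = logging.getLogger(f"atr.sbom.osv.example.{level}")  # assumed name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    logger.addHandler(handler)
    return logger, buf


def load_vulnerabilities(bundle: dict, logger: logging.Logger) -> list[dict]:
    """Return the vulnerability records from an OSV-style bundle.

    Replaces `print(vulns)`: the count and the ids go into a structured DEBUG
    record, so nothing is written to stdout and the handler/level configuration
    decides whether the record is emitted at all.
    """
    vulns = list(bundle.get("vulns", []))
    # `extra={"fields": ...}` is this example's convention for structured fields.
    logger.debug(
        "Loaded vulnerabilities from bundle",
        extra={"fields": {"count": len(vulns), "ids": [v.get("id") for v in vulns]}},
    )
    return vulns


def emitted_records(level: int, bundle: dict = SAMPLE_BUNDLE) -> list[dict]:
    """Run the loader under a given log level and return the parsed JSON records."""
    logger, buf = make_logger(level)
    load_vulnerabilities(bundle, logger)
    return [json.loads(line) for line in buf.getvalue().splitlines() if line]


if __name__ == "__main__":
    # Demo only: at DEBUG one record with count=2 is emitted; at WARNING none.
    for name, level in (("DEBUG", logging.DEBUG), ("WARNING", logging.WARNING)):
        print(name, emitted_records(level))
```

   The two `emitted_records` calls are the shape of the unit test the
   acceptance criteria ask for: one asserts that the record carries the count,
   the other that raising the level to WARNING silences it, which a `print()`
   can never satisfy.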
   
   ### Acceptance Criteria
   - [ ] Replace `print(vulns)` with structured logging call
   - [ ] Verify log output includes vulnerability count
   - [ ] Confirm logging respects configured log levels
   - [ ] Search codebase for other `print()` statements and remediate
   - [ ] Unit test verifying the fix
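
   For the "search codebase for other `print()` statements" item, the following
   is an added example (not project code) of a scanner that parses Python
   source with the `ast` module rather than grepping, so `print(` inside a
   comment or a string literal is not reported. The sample source it runs on
   by default is constructed for the example.

```python
"""Find stray print() calls in Python source with the ast module.

Added example; not code from apache/tooling-trusted-releases. It walks the
syntax tree, so only real calls to the builtin `print` are reported; text such
as "print(" in comments or string literals is ignored.
"""
import ast
import sys
from pathlib import Path


def find_print_calls(source: str, filename: str = "<string>") -> list[tuple[str, int, str]]:
    """Return (filename, line, stripped source line) for each bare print(...) call.

    Only `print(...)` on a bare name counts; `obj.print(...)` or a local
    function that shadows the builtin would need project-specific review.
    """
    tree = ast.parse(source, filename=filename)
    lines = source.splitlines()
    hits = []
    for node in ast.walk(tree):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == "print"
        ):
            hits.append((filename, node.lineno, lines[node.lineno - 1].strip()))
    return sorted(hits, key=lambda h: h[1])


def scan_tree(root: Path) -> list[tuple[str, int, str]]:
    """Scan every .py file under root; files that fail to parse are skipped."""
    hits = []
    for path in sorted(root.rglob("*.py")):
        try:
            hits.extend(find_print_calls(path.read_text(encoding="utf-8"), str(path)))
        except SyntaxError:
            continue
    return hits


# Constructed sample resembling the pattern the issue describes.
SAMPLE_SOURCE = '''\
import logging
log = logging.getLogger(__name__)

def load(bundle):
    vulns = bundle.get("vulns", [])
    print(vulns)  # debug leftover
    log.debug("loaded %d vulns", len(vulns))
    # print("commented out") must not match
    s = "print(not a call)"
    return vulns
'''


if __name__ == "__main__":
    # Usage: python find_prints.py [directory]; without an argument the
    # constructed sample is scanned and one hit (line 6) is reported on stderr.
    if len(sys.argv) > 1:
        hits = scan_tree(Path(sys.argv[1]))
    else:
        hits = find_print_calls(SAMPLE_SOURCE, "sample.py")
    for fname, lineno, snippet in hits:
        sys.stderr.write(f"{fname}:{lineno}: {snippet}\n")
```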
   
   ### References
   - Source reports: L2:14.2.4.md
   - Related findings: None
   - ASVS sections: 14.2.4
   
   ### Priority
   Low
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
