I have an ASP.NET Core 6.0 Web API app that uses Entity Framework Core. The app uses the Serilog framework.
It is registered as follows:
using Serilog;        // LoggerConfiguration, AddSerilog
using Serilog.Events; // LogEventLevel

var logger = new LoggerConfiguration()
    .MinimumLevel.Override("Microsoft", LogEventLevel.Information)
    .Enrich.FromLogContext()
    .Enrich.WithMachineName()
    .Enrich.WithProperty("Assembly", typeof(Program).Assembly.GetName().Name)
    .WriteTo.Console()
    .CreateLogger();

// Replace the default providers with Serilog
builder.Logging.ClearProviders();
builder.Logging.AddSerilog(logger);
with the configuration below:
"Serilog": {
  "Using": [],
  "MinimumLevel": {
    "Default": "Information",
    "Override": {
      "Microsoft": "Debug",
      "System": "Debug"
    }
  },
  "WriteTo": [
    {
      "Name": "Async",
      "Args": {
        "configure": [
          {
            "Name": "Console",
            "Args": {
              "formatter": "Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact"
            }
          }
        ]
      }
    }
  ],
  "Properties": {
    "ApplicationName": "EFCoreRelationshipsTutorial"
  }
}
It logs details like the following:
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request starting HTTP/1.1 DELETE http://localhost:35847/Education/a65f7f0c-2a29-4da0-bd4b-d737320730c6 - -
Microsoft.AspNetCore.Cors.Infrastructure.CorsService: Information: CORS policy execution successful.
Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executing endpoint 'DemoApplication.Api.Controllers.EducationController.DeleteAsync (DemoApplication.Api)'
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Information: Route matched with {action = "Delete", controller = "Education"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] DeleteAsync(System.Guid) on controller DemoApplication.Api.Controllers.EducationController (DemoApplication.Api).
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Information: Executing action method DemoApplication.Api.Controllers.EducationController.DeleteAsync (DemoApplication.Api) - Validation state: Valid
DemoApplication.Application.Behaviors.LoggingBehavior: Information: ----- Handling command DeleteEducationCommand (DemoApplication.Application.Feature.Educations.Commands.DeleteEducation.DeleteEducationCommand)
DemoApplication.Application.Behaviors.ValidatorBehavior: Information: ----- Validating command DeleteEducationCommand
Microsoft.EntityFrameworkCore.Infrastructure: Information: Entity Framework Core 6.0.7 initialized 'TrackManagementContext' using provider 'Npgsql.EntityFrameworkCore.PostgreSQL:6.0.6+6fa8f3c27a7c241a66e72a6c09e0b252509215d0' with options: NoTracking
Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker: Information: Executed action DemoApplication.Api.Controllers.EducationController.DeleteAsync (DemoApplication.Api) in 496.7454ms
Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executed endpoint 'DemoApplication.Api.Controllers.EducationController.DeleteAsync (DemoApplication.Api)'
Exception thrown: 'DemoApplication.Application.Exceptions.NotFoundException' in System.Private.CoreLib.dll
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished HTTP/1.1 DELETE http://localhost:35847/Education/a65f7f0c-2a29-4da0-bd4b-d737320730c6 - - - 404 - application/json 4634.2334ms
During a security scan using Checkmarx, the following was reported:
The sensitive operation DeleteAsync is not properly logged and, therefore, important execution details may be omitted.
Should I ask the security team to suppress this issue? Or is this something that can be addressed at the application level?
Update:
// Controller action flagged by the scan: dispatches the command and returns 204
public async Task<IActionResult> DeleteAsync(Guid id)
{
    await this.mediator.Send(new DeleteProductCommand { Id = id }).ConfigureAwait(false);
    return this.NoContent();
}
and it is handled like this:
// MediatR handler: loads the entity (elided) and deletes it through the repository
public async Task<Unit> Handle(DeleteProductCommand request, CancellationToken cancellationToken)
{
    ...
    await this.productRepository.DeleteAsync(productToDelete).ConfigureAwait(false);
    ...
}
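As an added example (not code from the question, and not Checkmarx's or Serilog's own guidance), the following shows one way to address the finding at the application level: the flagged action itself emits a structured audit event that records who requested the delete, which entity was targeted, the request trace id, and the outcome on both the success and the failure path, so the execution details of the sensitive operation are present in the log regardless of what the framework and pipeline behaviors log around it. The controller attributes, the `DeleteProductCommand` type and the `DemoApplication.Application.Exceptions.NotFoundException` type are taken from the question; the `AUDIT` message prefix, the use of the `NameIdentifier` claim as the actor and the use of `HttpDelete("{id:guid}")` are assumptions.

```csharp
// Added example: audit-logged DeleteAsync action. Assumes the question's mediator,
// DeleteProductCommand and NotFoundException types; the "AUDIT" prefix is a convention
// chosen here so the events are easy to filter in the structured console output.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using DemoApplication.Application.Exceptions; // NotFoundException (from the question's logs)
using MediatR;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[ApiController]
[Route("[controller]")]
public class EducationController : ControllerBase
{
    private readonly IMediator mediator;
    private readonly ILogger<EducationController> logger;

    public EducationController(IMediator mediator, ILogger<EducationController> logger)
    {
        this.mediator = mediator;
        this.logger = logger;
    }

    [HttpDelete("{id:guid}")]
    public async Task<IActionResult> DeleteAsync(Guid id)
    {
        // Identify the actor. A fixed marker keeps the field present for anonymous calls
        // so an audit line never silently lacks the "who".
        var actor = this.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "anonymous";
        var traceId = this.HttpContext.TraceIdentifier;

        // Record the intent before the state change: if the process dies mid-way,
        // the attempt is still on record.
        this.logger.LogInformation(
            "AUDIT {Operation} requested by {Actor} on {EntityType} {EntityId} (trace {TraceId})",
            "Delete", actor, "Education", id, traceId);

        try
        {
            await this.mediator.Send(new DeleteProductCommand { Id = id }).ConfigureAwait(false);

            // Success path: the outcome is part of the execution details.
            this.logger.LogInformation(
                "AUDIT {Operation} by {Actor} on {EntityType} {EntityId} succeeded (trace {TraceId})",
                "Delete", actor, "Education", id, traceId);

            return this.NoContent();
        }
        catch (NotFoundException ex)
        {
            // Failure path is audited too, then rethrown so the existing exception
            // handling still produces the 404 seen in the question's log.
            this.logger.LogWarning(ex,
                "AUDIT {Operation} by {Actor} on {EntityType} {EntityId} failed: target not found (trace {TraceId})",
                "Delete", actor, "Education", id, traceId);
            throw;
        }
    }
}
```

With the `CompactJsonFormatter` from the question's configuration, each of these lines becomes a JSON event carrying `Operation`, `Actor`, `EntityType`, `EntityId` and `TraceId` as separate properties, which is what makes them queryable later; the `Request starting` / `Request finished` lines the framework already emits record the URL and status code but not the authenticated actor or the domain outcome, which is the gap this kind of finding points at.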