oscerd commented on PR #23503: URL: https://github.com/apache/camel/pull/23503#issuecomment-4533260671
Good catch — captured in `52d1a65353f`. Added the log-level posture in three coordinated spots so the rule has both an in-scope side and a not-in-scope side, and so the §4.13 triage dispositions have anchors to point at:

- **`=== Security properties not provided`** (new bullet): "No production-grade information-hiding guarantees under non-default diagnostic log levels" — DEBUG / TRACE are diagnostic configurations expected to log internal `Exchange`, route and configuration detail; the framework commits to keeping the default INFO / WARN / ERROR levels clean of sensitive data; the project strives to avoid logging sensitive data even at diagnostic levels *where it makes sense* but does not commit to redacting it (your exact framing).
- **`=== Known non-findings`** (new bullet): "`camel-FOO` logs the Exchange body, a header, or a configuration value at DEBUG or TRACE level" — not a finding by itself; routes to the in-scope class and the disclaimed property above.
- **`==== Information disclosure of secrets or sensitive Exchange state`** (existing in-scope class, +5-line clarification): explicitly states the class is judged against the default production log levels, cross-referencing the new `=== Known non-findings` entry. Makes the boundary visible at the class itself rather than only at the §4.11a/§4.9 entries.

Maps to disposition `BY-DESIGN: property-disclaimed` (via §4.9) and `KNOWN-NON-FINDING` (via §4.11a) for findings at DEBUG/TRACE; remains `VALID` (via the in-scope class) for findings at INFO/WARN/ERROR.

_Claude Code (Opus 4.7) on behalf of Andrea Cosentino_
