carverauto/serviceradar

Fork 0

fixing zen pipeline #2824

Merged

mfreeman451 merged 5 commits from refs/pull/2824/head into staging

2026-02-01 08:14:33 +00:00

mfreeman451 commented

2026-02-01 06:26:11 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2656
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2656
Original created: 2026-02-01T06:26:11Z
Original updated: 2026-02-01T08:14:41Z
Original head: carverauto/serviceradar:bug/netflow-zen-rules
Original base: staging
Original merged: 2026-02-01T08:14:33Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement, Bug fix

Description

Add NetFlow Zen rule bootstrap with retry logic for deployment tooling
Implement multi-subject stream support in NetFlow collector configuration
Migrate NetFlow stream from dedicated 'flows' to shared 'events' stream
Create netflow_to_ocsf transformation rule for OCSF compliance
Add db-event-writer mapping for processed NetFlow events to database

Diagram Walkthrough

flowchart LR
  A["NetFlow Collector"] -->|publishes to| B["events stream<br/>flows.raw.netflow"]
  B -->|processed by| C["Zen Consumer<br/>netflow_to_ocsf rule"]
  C -->|outputs to| D["events stream<br/>flows.raw.netflow.processed"]
  D -->|consumed by| E["DB Event Writer<br/>ocsf_network_activity table"]
  F["Bootstrap Job<br/>zen-put-rule"] -->|seeds rule| C

File Walkthrough

Relevant files

Enhancement

8 files

config.rs `Add stream_subjects configuration field`	+15/-0
publisher.rs `Implement multi-subject stream management logic`	+35/-11
netflow_to_ocsf.json `Create NetFlow to OCSF transformation rule`	+130/-0
zen-install-rules.sh `Add retry logic for rule installation`	+29/-7
zen-rules-bootstrap-job.yaml `Create Helm bootstrap job with retry logic`	+31/-11
zen-rules.yaml `Add NetFlow to OCSF transformation rule`	+131/-0
serviceradar-zen-rules-bootstrap.yaml `Create Kubernetes bootstrap job for rules`	+138/-0
serviceradar-zen-rules.yaml `Add NetFlow to OCSF transformation rule`	+131/-0

Configuration changes

18 files

zen.docker.json `Add NetFlow subject and decision group`	+9/-1
BUILD.bazel `Package NetFlow rule with Zen image`	+1/-0
db-event-writer.mtls.json `Map processed NetFlow to database table`	+1/-0
serviceradar-config.yaml `Add NetFlow Zen rule and decision group`	+9/-1
db-event-writer-config.yaml `Map processed NetFlow to database table`	+1/-0
values.yaml `Update NetFlow collector stream configuration`	+4/-1
configmap.yaml `Add NetFlow subject to Zen consumer`	+10/-1
kustomization.yaml `Include bootstrap job in Kubernetes manifests`	+1/-0
serviceradar-db-event-writer-config.yaml `Map processed NetFlow to database table`	+4/-0
serviceradar-netflow-collector.yaml `Update NetFlow collector stream configuration`	+5/-1
packages.bzl `Package NetFlow rule with Zen artifacts`	+5/-0
components.json `Add NetFlow rule to package configuration`	+5/-0
db-event-writer.json `Map processed NetFlow to database table`	+4/-0
netflow-collector.json `Update NetFlow collector stream configuration`	+5/-1
BUILD.bazel `Export NetFlow rule file for packaging`	+4/-1
netflow-collector.json `Update NetFlow collector stream configuration`	+5/-1
netflow-collector-test.json `Update test configuration for new stream`	+5/-1
zen-consumer-flows-test.json `Update test configuration stream name`	+1/-1

Tests

1 files

quick-test.sh
Update test script stream name reference +1/-1

Documentation

7 files

TESTING.md `Update testing documentation stream references`	+3/-3
netflow.md `Document stream_subjects configuration parameter`	+13/-5
troubleshooting-guide.md `Update troubleshooting stream name references`	+3/-3
proposal.md `Document NetFlow rule bootstrap change proposal`	+17/-0
spec.md `Define Docker Compose bootstrap requirements`	+11/-0
spec.md `Define rule bootstrap specification requirements`	+26/-0
tasks.md `Document implementation tasks for bootstrap`	+8/-0

Additional files

1 files

netflow_to_ocsf.json

[link]

Imported from GitHub pull request. Original GitHub pull request: #2656 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2656 Original created: 2026-02-01T06:26:11Z Original updated: 2026-02-01T08:14:41Z Original head: carverauto/serviceradar:bug/netflow-zen-rules Original base: staging Original merged: 2026-02-01T08:14:33Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement, Bug fix ___ ### **Description** - Add NetFlow Zen rule bootstrap with retry logic for deployment tooling - Implement multi-subject stream support in NetFlow collector configuration - Migrate NetFlow stream from dedicated 'flows' to shared 'events' stream - Create netflow_to_ocsf transformation rule for OCSF compliance - Add db-event-writer mapping for processed NetFlow events to database ___ ### Diagram Walkthrough ```mermaid flowchart LR A["NetFlow Collector"] -->|publishes to| B["events stream flows.raw.netflow"] B -->|processed by| C["Zen Consumer netflow_to_ocsf rule"] C -->|outputs to| D["events stream flows.raw.netflow.processed"] D -->|consumed by| E["DB Event Writer ocsf_network_activity table"] F["Bootstrap Job zen-put-rule"] -->|seeds rule| C ``` <details><summary><h3>File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><details><summary>8 files</summary><table> <tr> <td>config.rs<dd><code>Add stream_subjects configuration field</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-ea8fb7fc6e55836ada19b9c1ca26f2a88575289a3fee3005183916a8454d0fc9">+15/-0</a>    </td> </tr> <tr> <td>publisher.rs<dd><code>Implement multi-subject stream management logic</code>                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-10dec5866b4bc416c62590bdf2d3ded6c234b8d423ec4aebc70eac891ff0c07d">+35/-11</a>  </td> </tr> <tr> <td>netflow_to_ocsf.json<dd><code>Create NetFlow to OCSF transformation rule</code>                              </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-1de8bfcc6c483d7eebbf49223ced7377d1647d5ac71069b4ef49c705caa164e3">+130/-0</a>  </td> </tr> <tr> <td>zen-install-rules.sh<dd><code>Add retry logic for rule installation</code>                                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-74122772ee2960d407d0a0e24ac0cc9d970167ba0f51913e7edf29e092188003">+29/-7</a>    </td> </tr> <tr> <td>zen-rules-bootstrap-job.yaml<dd><code>Create Helm bootstrap job with retry logic</code>                              </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-1eace8b963d2ecd5105de74dab5a28d329243800e2b5c005328f54939128a2d3">+31/-11</a>  </td> </tr> <tr> <td>zen-rules.yaml<dd><code>Add NetFlow to OCSF transformation rule</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-0d964a44baa33494d42d5a7eb36eb7a8f7fb928da111a4f85e6b721874c28ac9">+131/-0</a>  </td> </tr> <tr> <td>serviceradar-zen-rules-bootstrap.yaml<dd><code>Create Kubernetes bootstrap job for rules</code>                                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-770416d77582af1976dfea996c5cf61015ad2a1ff6add8787473e032f1a98d36">+138/-0</a>  </td> </tr> <tr> <td>serviceradar-zen-rules.yaml<dd><code>Add NetFlow to OCSF transformation rule</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-68ac3ec024077fba26aed84721356fac5cc71e68f05e311c6ba7cd050dc5a485">+131/-0</a>  </td> </tr> </table></details></td></tr><tr><td>Configuration changes</td><td><details><summary>18 files</summary><table> <tr> <td>zen.docker.json<dd><code>Add NetFlow subject and decision group</code>                                      </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-e060a3164cdc2746e0d9ad000fcf43c4bcdb05f4a41c586d7220e2ff2a7df01d">+9/-1</a>      </td> </tr> <tr> <td>BUILD.bazel<dd><code>Package NetFlow rule with Zen image</code>                                            </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-0e4db31c224a8f72ae8e870a849e38a59d74a2c7f7b04347b0b3eb07e20c5a80">+1/-0</a>      </td> </tr> <tr> <td>db-event-writer.mtls.json<dd><code>Map processed NetFlow to database table</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-7a33f95f7545499abf0ed9fc91b58499ab209639e4885019579c959583fc7496">+1/-0</a>      </td> </tr> <tr> <td>serviceradar-config.yaml<dd><code>Add NetFlow Zen rule and decision group</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-b8c8d2484103b11c396bc60d290c81df63c30a0f81103eceb5852a17e1d2b5e3">+9/-1</a>      </td> </tr> <tr> <td>db-event-writer-config.yaml<dd><code>Map processed NetFlow to database table</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-4cce0ab31bec3428ffae6701d20ca14b0f27a1e8a810ba1c7388e5c7860c3254">+1/-0</a>      </td> </tr> <tr> <td>values.yaml<dd><code>Update NetFlow collector stream configuration</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-d4449c7cb70362554b274f81eae5a4b81a8e81df494282e383d1b7ea3871c452">+4/-1</a>      </td> </tr> <tr> <td>configmap.yaml<dd><code>Add NetFlow subject to Zen consumer</code>                                            </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-f4548beaa0a3a01a46971c82c5647a0f3f49eb38d66dd939d06d19018173fcd6">+10/-1</a>    </td> </tr> <tr> <td>kustomization.yaml<dd><code>Include bootstrap job in Kubernetes manifests</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-c4260176971b950ef1b967a2631b446225071906172f56287c465ad2e29788d9">+1/-0</a>      </td> </tr> <tr> <td>serviceradar-db-event-writer-config.yaml<dd><code>Map processed NetFlow to database table</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-57ddd4cb03c5c669ff6dc5b3b60334e9205d01ae95a2b5316c147ed2114ebe49">+4/-0</a>      </td> </tr> <tr> <td>serviceradar-netflow-collector.yaml<dd><code>Update NetFlow collector stream configuration</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-c29757a23e5f4021c9cd4d6d35a261edf9b56c706188bb24855fafa84454b797">+5/-1</a>      </td> </tr> <tr> <td>packages.bzl<dd><code>Package NetFlow rule with Zen artifacts</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-9bfe2a5141a9e402bb5a5a8fca53b9eea64396ec18108c535392e1054c90b913">+5/-0</a>      </td> </tr> <tr> <td>components.json<dd><code>Add NetFlow rule to package configuration</code>                                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-3ae5949d89b0252d10fce9bf950231c8151a73b2154dccfe4e7261acc116582c">+5/-0</a>      </td> </tr> <tr> <td>db-event-writer.json<dd><code>Map processed NetFlow to database table</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-cfc1471409ee6c7ecb54740385292b9cdb893cfa06e2e68cfa113f3e04b93d28">+4/-0</a>      </td> </tr> <tr> <td>netflow-collector.json<dd><code>Update NetFlow collector stream configuration</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-f69f967d5a0aa98e0a1167dc137203c6433bf734daeb112956bc4c11aa4dd67e">+5/-1</a>      </td> </tr> <tr> <td>BUILD.bazel<dd><code>Export NetFlow rule file for packaging</code>                                      </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-80b388c41f56d8eb42f0a08f4475a95a06f4a610f79f2579e7656167bb1ae538">+4/-1</a>      </td> </tr> <tr> <td>netflow-collector.json<dd><code>Update NetFlow collector stream configuration</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-11279498c772a86f80c6e32c2d357b896337db740a27fe65b2393a00e28d6f17">+5/-1</a>      </td> </tr> <tr> <td>netflow-collector-test.json<dd><code>Update test configuration for new stream</code>                                  </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-938af48a34400ecdbd476d7589d28af0cb991e4c297587186917e3d8d931a955">+5/-1</a>      </td> </tr> <tr> <td>zen-consumer-flows-test.json<dd><code>Update test configuration stream name</code>                                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-5a5a906566b3f41e4380f856491d9c843ae1fcd04c0be26d7ceb3805aec21377">+1/-1</a>      </td> </tr> </table></details></td></tr><tr><td>Tests</td><td><details><summary>1 files</summary><table> <tr> <td>quick-test.sh<dd><code>Update test script stream name reference</code>                                  </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-c0bfb16cf98bf7ee9339462c2c54e7518086e0adbf2bc0ef1a30315ae9919f20">+1/-1</a>      </td> </tr> </table></details></td></tr><tr><td>Documentation</td><td><details><summary>7 files</summary><table> <tr> <td>TESTING.md<dd><code>Update testing documentation stream references</code>                      </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-2fd22117bc767137b2b988b14694a0b9c1be7fe91f2174f77fbea9401399a9bc">+3/-3</a>      </td> </tr> <tr> <td>netflow.md<dd><code>Document stream_subjects configuration parameter</code>                  </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-a64260e87bce20ed3bd93c7b64dac6ff175cdc7c67071276601aa9f6d370d634">+13/-5</a>    </td> </tr> <tr> <td>troubleshooting-guide.md<dd><code>Update troubleshooting stream name references</code>                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-343b87dd0b430b3f99b16d32200c353bb6e3d7bbb185da3c1b3effc3a03e7f2a">+3/-3</a>      </td> </tr> <tr> <td>proposal.md<dd><code>Document NetFlow rule bootstrap change proposal</code>                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-5f35988348767d8e1ae3d0491f17490c5a1b1d126e23faa4619a448fa813540a">+17/-0</a>    </td> </tr> <tr> <td>spec.md<dd><code>Define Docker Compose bootstrap requirements</code>                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-d0da24459c69bf9d9a506887a747df267afb95ae6ce0c890fba998b1442118c3">+11/-0</a>    </td> </tr> <tr> <td>spec.md<dd><code>Define rule bootstrap specification requirements</code>                  </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-e77d61a4049e817d335c2401a614a799703ff8b17a691c37083f93a5cde75d98">+26/-0</a>    </td> </tr> <tr> <td>tasks.md<dd><code>Document implementation tasks for bootstrap</code>                            </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-2d941caa9eb5d83d6269a7fd9a0eb5788c6d5389223a9b35ce3487cde1d44244">+8/-0</a>      </td> </tr> </table></details></td></tr><tr><td>Additional files</td><td><details><summary>1 files</summary><table> <tr> <td>netflow_to_ocsf.json</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-f1817cc1d98f34d2d27d99bcc8471124179fd5ed61860e45b87d397ff3e08d9a">[link]</a>    </td> </tr> </table></details></td></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2026-02-01 06:26:59 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830466637
Original created: 2026-02-01T06:26:59Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Subject capture escalation Description: The new JetStream management logic updates/creates the stream to include `stream_subjects_resolved()` from runtime config, so if an attacker can modify the collector configuration they could add arbitrary subjects and cause the service to “claim” and retain messages for subjects it should not manage (cross-tenant/cross-service subject capture), expanding blast radius beyond `flows.raw.netflow`. publisher.rs [117-150] Referred Code // Ensure the target stream exists and includes all required subjects let required_subjects = self.config.stream_subjects_resolved(); match js.get_stream(&self.config.stream_name).await { Ok(mut existing_stream) => { let info = existing_stream.info().await?; let mut current_subjects = info.config.subjects.clone(); let mut needs_update = false; for required in &required_subjects { if !current_subjects.contains(required) { current_subjects.push(required.clone()); needs_update = true; } } if needs_update { let mut updated_config = info.config.clone(); updated_config.subjects = current_subjects; js.update_stream(updated_config).await?; js.get_stream(&self.config.stream_name).await?; } ... (clipped 13 lines)
	Mutable image tags Description: The new bootstrap Job pulls container images using mutable `:latest` tags (e.g., `ghcr.io/carverauto/serviceradar-tools:latest` and `ghcr.io/carverauto/serviceradar-zen:latest`) with `imagePullPolicy: Always`, which increases supply-chain risk because a compromised/updated tag can change executed code without a manifest change. serviceradar-zen-rules-bootstrap.yaml [23-38] Referred Code `image: ghcr.io/carverauto/serviceradar-tools:latest imagePullPolicy: Always command: ["/usr/local/bin/wait-for-port"] args: - "--host" - "serviceradar-nats" - "--port" - "4222" - "--attempts" - "30" - "--interval" - "2s" containers: - name: zen-rules-bootstrap image: ghcr.io/carverauto/serviceradar-zen:latest imagePullPolicy: Always`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Swallowed error context: The `match` on `js.get_stream(...)` uses `Err(_)` which discards the underlying error and can mask non-"not found" failures, reducing diagnosability and risking incorrect stream creation behavior. Referred Code match js.get_stream(&self.config.stream_name).await { Ok(mut existing_stream) => { let info = existing_stream.info().await?; let mut current_subjects = info.config.subjects.clone(); let mut needs_update = false; for required in &required_subjects { if !current_subjects.contains(required) { current_subjects.push(required.clone()); needs_update = true; } } if needs_update { let mut updated_config = info.config.clone(); updated_config.subjects = current_subjects; js.update_stream(updated_config).await?; js.get_stream(&self.config.stream_name).await?; } } Err(_) => { ... (clipped 11 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Missing subjects validation: `validate()` enforces non-empty `subject` but does not validate that entries in optional `stream_subjects` are non-empty/valid, allowing potentially invalid external config to reach JetStream stream creation/update. Referred Code `if self.stream_name.is_empty() { anyhow::bail!("stream_name cannot be empty"); } if self.subject.is_empty() { anyhow::bail!("subject cannot be empty"); } Ok(()) } pub fn stream_subjects_resolved(&self) -> Vec<String> { let mut subjects = self .stream_subjects .clone() .unwrap_or_else(\|\| vec![self.subject.clone()]); if !subjects.contains(&self.subject) { subjects.push(self.subject.clone()); } subjects.sort(); subjects.dedup(); subjects }` Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Unstructured audit logs: The new rule installation retry loop logs actions via plain `echo` without structured fields (e.g., actor/user ID, timestamp) needed to reliably reconstruct deployment-time changes. Referred Code local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ --key "$key"; then echo "✓ $key rule installed" return 0 fi echo "✗ Failed to install $key (attempt ${attempt})" attempt=$((attempt + 1)) if [ "$attempt" -le "$max_attempts" ]; then echo "Retrying in ${delay}s..." sleep "$delay" delay=$((delay * 2)) ... (clipped 5 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Non-structured logging: The new logging output for rule installation is plain text (not structured) and may be harder to audit/monitor consistently depending on the logging pipeline requirements. Referred Code `echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ --key "$key"; then echo "✓ $key rule installed" return 0 fi echo "✗ Failed to install $key (attempt ${attempt})" attempt=$((attempt + 1)) if [ "$attempt" -le "$max_attempts" ]; then echo "Retrying in ${delay}s..." sleep "$delay" delay=$((delay * 2))` Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830466637 Original created: 2026-02-01T06:26:59Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>⚪</td> <td><details><summary>Subject capture escalation </summary> Description: The new JetStream management logic updates/creates the stream to include <code>stream_subjects_resolved()</code> from runtime config, so if an attacker can modify the collector configuration they could add arbitrary subjects and cause the service to “claim” and retain messages for subjects it should not manage (cross-tenant/cross-service subject capture), expanding blast radius beyond <code>flows.raw.netflow</code>. <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-10dec5866b4bc416c62590bdf2d3ded6c234b8d423ec4aebc70eac891ff0c07dR117-R150'>publisher.rs [117-150]</a> <details open><summary>Referred Code</summary> ```rust // Ensure the target stream exists and includes all required subjects let required_subjects = self.config.stream_subjects_resolved(); match js.get_stream(&self.config.stream_name).await { Ok(mut existing_stream) => { let info = existing_stream.info().await?; let mut current_subjects = info.config.subjects.clone(); let mut needs_update = false; for required in &required_subjects { if !current_subjects.contains(required) { current_subjects.push(required.clone()); needs_update = true; } } if needs_update { let mut updated_config = info.config.clone(); updated_config.subjects = current_subjects; js.update_stream(updated_config).await?; js.get_stream(&self.config.stream_name).await?; } ... (clipped 13 lines) ``` </details></details></td></tr> <tr><td><details><summary>Mutable image tags </summary> Description: The new bootstrap Job pulls container images using mutable <code>:latest</code> tags (e.g., <code>ghcr.io/carverauto/serviceradar-tools:latest</code> and <code>ghcr.io/carverauto/serviceradar-zen:latest</code>) with <code>imagePullPolicy: Always</code>, which increases supply-chain risk because a compromised/updated tag can change executed code without a manifest change. <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-770416d77582af1976dfea996c5cf61015ad2a1ff6add8787473e032f1a98d36R23-R38'>serviceradar-zen-rules-bootstrap.yaml [23-38]</a> <details open><summary>Referred Code</summary> ```yaml image: ghcr.io/carverauto/serviceradar-tools:latest imagePullPolicy: Always command: ["/usr/local/bin/wait-for-port"] args: - "--host" - "serviceradar-nats" - "--port" - "4222" - "--attempts" - "30" - "--interval" - "2s" containers: - name: zen-rules-bootstrap image: ghcr.io/carverauto/serviceradar-zen:latest imagePullPolicy: Always ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=2>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=2>🔴</td> <td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-10dec5866b4bc416c62590bdf2d3ded6c234b8d423ec4aebc70eac891ff0c07dR119-R150'>Swallowed error context</a>: The <code>match</code> on <code>js.get_stream(...)</code> uses <code>Err(_)</code> which discards the underlying error and can mask non-"not found" failures, reducing diagnosability and risking incorrect stream creation behavior. <details open><summary>Referred Code</summary> ```rust match js.get_stream(&self.config.stream_name).await { Ok(mut existing_stream) => { let info = existing_stream.info().await?; let mut current_subjects = info.config.subjects.clone(); let mut needs_update = false; for required in &required_subjects { if !current_subjects.contains(required) { current_subjects.push(required.clone()); needs_update = true; } } if needs_update { let mut updated_config = info.config.clone(); updated_config.subjects = current_subjects; js.update_stream(updated_config).await?; js.get_stream(&self.config.stream_name).await?; } } Err(_) => { ... (clipped 11 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-ea8fb7fc6e55836ada19b9c1ca26f2a88575289a3fee3005183916a8454d0fc9R154-R174'>Missing subjects validation</a>: <code>validate()</code> enforces non-empty <code>subject</code> but does not validate that entries in optional <code>stream_subjects</code> are non-empty/valid, allowing potentially invalid external config to reach JetStream stream creation/update. <details open><summary>Referred Code</summary> ```rust if self.stream_name.is_empty() { anyhow::bail!("stream_name cannot be empty"); } if self.subject.is_empty() { anyhow::bail!("subject cannot be empty"); } Ok(()) } pub fn stream_subjects_resolved(&self) -> Vec<String> { let mut subjects = self .stream_subjects .clone() .unwrap_or_else(|| vec![self.subject.clone()]); if !subjects.contains(&self.subject) { subjects.push(self.subject.clone()); } subjects.sort(); subjects.dedup(); subjects } ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=2>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-74122772ee2960d407d0a0e24ac0cc9d970167ba0f51913e7edf29e092188003R54-R79'>Unstructured audit logs</a>: The new rule installation retry loop logs actions via plain <code>echo</code> without structured fields (e.g., actor/user ID, timestamp) needed to reliably reconstruct deployment-time changes. <details open><summary>Referred Code</summary> ```shell local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ --key "$key"; then echo "✓ $key rule installed" return 0 fi echo "✗ Failed to install $key (attempt ${attempt})" attempt=$((attempt + 1)) if [ "$attempt" -le "$max_attempts" ]; then echo "Retrying in ${delay}s..." sleep "$delay" delay=$((delay * 2)) ... (clipped 5 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2656/files#diff-74122772ee2960d407d0a0e24ac0cc9d970167ba0f51913e7edf29e092188003R59-R74'>Non-structured logging</a>: The new logging output for rule installation is plain text (not structured) and may be harder to audit/monitor consistently depending on the logging pipeline requirements. <details open><summary>Referred Code</summary> ```shell echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ --key "$key"; then echo "✓ $key rule installed" return 0 fi echo "✗ Failed to install $key (attempt ${attempt})" attempt=$((attempt + 1)) if [ "$attempt" -le "$max_attempts" ]; then echo "Retrying in ${delay}s..." sleep "$delay" delay=$((delay * 2)) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2026-02-01 06:28:06 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830468003
Original created: 2026-02-01T06:28:06Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Propagate non-not-found errors Refactor the error handling for `js.get_stream` in `publisher.rs`. Instead of catching all errors with `Err(_)`, specifically handle "not found" errors and propagate all other errors to avoid masking critical issues like permission failures. rust/netflow-collector/src/publisher.rs [119-150] match js.get_stream(&self.config.stream_name).await { - Ok(mut existing_stream) => { - let info = existing_stream.info().await?; - let mut current_subjects = info.config.subjects.clone(); - let mut needs_update = false; - for required in &required_subjects { - if !current_subjects.contains(required) { - current_subjects.push(required.clone()); - needs_update = true; - } - } - if needs_update { - let mut updated_config = info.config.clone(); - updated_config.subjects = current_subjects; - js.update_stream(updated_config).await?; - js.get_stream(&self.config.stream_name).await?; - } - } - Err(_) => { + Ok(mut existing_stream) => { /* same update logic / } + Err(e) if is_not_found_error(&e) => { let stream_config = jetstream::stream::Config { name: self.config.stream_name.clone(), subjects: required_subjects.clone(), storage: StorageType::File, max_bytes: self.config.stream_max_bytes, max_age: Duration::from_secs(24 60 * 60), ..Default::default() }; js.get_or_create_stream(stream_config).await?; } + Err(e) => return Err(e.into()), } Apply / Chat Suggestion importance[1-10]: 8 __ Why: This is a critical improvement to error handling. The current code's `Err(_)` branch masks important errors like authentication or permission failures, which would be difficult to debug. The suggestion correctly proposes to handle only "not found" errors and propagate all others.	Medium
	Simplify stream creation and update Simplify the NATS stream creation and update logic in `publisher.rs` by replacing the complex `match` block with a single, atomic `get_or_create_stream` call. rust/netflow-collector/src/publisher.rs [148] `+let required_subjects = self.config.stream_subjects_resolved(); +let stream_config = jetstream::stream::Config { + name: self.config.stream_name.clone(), + subjects: required_subjects, + storage: StorageType::File, + max_bytes: self.config.stream_max_bytes, + max_age: Duration::from_secs(24 * 60 * 60), // 24 hours + ..Default::default() +}; + js.get_or_create_stream(stream_config).await?;` Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly points out that the complex logic for creating/updating a NATS stream can be replaced by a single, atomic `get_or_create_stream` call, which simplifies the code and improves maintainability.	Medium
	Improve subject resolution logic efficiency Refactor `stream_subjects_resolved` in `config.rs` to use a `HashSet` for more efficient and idiomatic deduplication of subjects, instead of sorting and calling `dedup()` on a `Vec`. rust/netflow-collector/src/config.rs [163-174] +use std::collections::HashSet; + pub fn stream_subjects_resolved(&self) -> Vec<String> { - let mut subjects = self + let mut subjects: HashSet<String> = self .stream_subjects - .clone() - .unwrap_or_else(\|\| vec![self.subject.clone()]); - if !subjects.contains(&self.subject) { - subjects.push(self.subject.clone()); - } - subjects.sort(); - subjects.dedup(); - subjects + .as_deref() + .unwrap_or(&[]) + .iter() + .cloned() + .collect(); + subjects.insert(self.subject.clone()); + subjects.into_iter().collect() } Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion offers a more idiomatic and potentially more performant way to deduplicate subjects using a `HashSet`. While the current implementation is correct, this change improves code quality and clarity.	Low
High-level	Consolidate duplicated rule installation logic The shell script logic for installing Zen rules with retries is duplicated in Docker, Helm, and Kubernetes configurations. This logic should be consolidated into a shared script or built into the `zen-put-rule` tool to improve maintainability. Examples: docker/compose/zen-install-rules.sh [54-81] `local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ ... (clipped 18 lines)` helm/serviceradar/templates/zen-rules-bootstrap-job.yaml [71-98] `local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing rule: $key for subject: $subject (attempt ${attempt}/${max_attempts})" if /usr/local/bin/zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ ... (clipped 18 lines)` Solution Walkthrough: Before: # In docker/compose/zen-install-rules.sh install_rule() { # ... retry logic ... while [ "$attempt" -le "$max_attempts" ]; do zen-put-rule ... done } # In helm/.../zen-rules-bootstrap-job.yaml (inline script) install_rule() { # ... identical retry logic ... while [ "$attempt" -le "$max_attempts" ]; do /usr/local/bin/zen-put-rule ... done } # In k8s/.../serviceradar-zen-rules-bootstrap.yaml (inline script) install_rule() { # ... identical retry logic ... while [ "$attempt" -le "$max_attempts" ]; do /usr/local/bin/zen-put-rule ... done } After: `# In a new shared script, e.g., /usr/local/bin/install-zen-rule.sh #!/bin/sh # ... retry logic ... while [ "$attempt" -le "$max_attempts" ]; do zen-put-rule "$@" # ... done # In docker/compose/zen-install-rules.sh install_rule() { install-zen-rule.sh --file "$1" --subject "$2" --key "$3" } # In helm/.../zen-rules-bootstrap-job.yaml # and k8s/.../serviceradar-zen-rules-bootstrap.yaml install_rule() { install-zen-rule.sh --file "$1" --subject "$2" --key "$3" }` Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies significant code duplication of the retry logic across multiple deployment configuration files, which impacts future maintainability.	Medium
Possible issue	Ensure script exits on error Add `set -e` to `docker/compose/zen-install-rules.sh` to ensure the script exits immediately if a rule installation fails, preventing silent failures. docker/compose/zen-install-rules.sh [87-93] `+#!/bin/bash +set -e + install_rule "$DATA_DIR/strip_full_message.json" "logs.syslog" "strip_full_message" install_rule "$DATA_DIR/cef_severity.json" "logs.syslog" "cef_severity" install_rule "$DATA_DIR/snmp_severity.json" "logs.snmp" "snmp_severity" install_rule "$DATA_DIR/passthrough.json" "logs.otel" "passthrough" install_rule "$DATA_DIR/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf" echo "✅ Initial zen rules installation completed successfully"` `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 7 __ Why: This suggestion correctly identifies that the script would not fail if an `install_rule` command fails, leading to a silent error in the deployment process. Adding `set -e` is a crucial fix for script robustness.	Medium
Possible issue	Exit Job on install failures Add strict mode (`set -euo pipefail`) and explicit exit checks (`\|\| exit 1`) to the `install_rule` commands in `zen-rules-bootstrap-job.yaml` to ensure the Job fails upon rule installation failure. helm/serviceradar/templates/zen-rules-bootstrap-job.yaml [103-117] -install_rule "${RULES_DIR}/strip_full_message.json" "logs.syslog" "strip_full_message" -install_rule "${RULES_DIR}/cef_severity.json" "logs.syslog" "cef_severity" -install_rule "${RULES_DIR}/snmp_severity.json" "logs.snmp" "snmp_severity" -install_rule "${RULES_DIR}/passthrough.json" "logs.otel" "passthrough" -install_rule "${RULES_DIR}/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf" +set -euo pipefail + +install_rule "${RULES_DIR}/strip_full_message.json" "logs.syslog" "strip_full_message" \|\| exit 1 +install_rule "${RULES_DIR}/cef_severity.json" "logs.syslog" "cef_severity" \|\| exit 1 +install_rule "${RULES_DIR}/snmp_severity.json" "logs.snmp" "snmp_severity" \|\| exit 1 +install_rule "${RULES_DIR}/passthrough.json" "logs.otel" "passthrough" \|\| exit 1 +install_rule "${RULES_DIR}/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf"\|\| exit 1 echo "✅ Zen rules bootstrap completed successfully" `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 7 __ Why: This suggestion correctly identifies that the bootstrap script within the Kubernetes Job manifest lacks error handling, which could cause the Job to succeed silently even if rule installation fails. This is a significant reliability improvement.	Medium
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830468003 Original created: 2026-02-01T06:28:06Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=3>General</td> <td> <details><summary>Propagate non-not-found errors</summary> ___ **Refactor the error handling for <code>js.get_stream</code> in <code>publisher.rs</code>. Instead of catching all errors with <code>Err(_)</code>, specifically handle "not found" errors and propagate all other errors to avoid masking critical issues like permission failures.** [rust/netflow-collector/src/publisher.rs [119-150]](https://github.com/carverauto/serviceradar/pull/2656/files#diff-10dec5866b4bc416c62590bdf2d3ded6c234b8d423ec4aebc70eac891ff0c07dR119-R150) ```diff match js.get_stream(&self.config.stream_name).await { - Ok(mut existing_stream) => { - let info = existing_stream.info().await?; - let mut current_subjects = info.config.subjects.clone(); - let mut needs_update = false; - for required in &required_subjects { - if !current_subjects.contains(required) { - current_subjects.push(required.clone()); - needs_update = true; - } - } - if needs_update { - let mut updated_config = info.config.clone(); - updated_config.subjects = current_subjects; - js.update_stream(updated_config).await?; - js.get_stream(&self.config.stream_name).await?; - } - } - Err(_) => { + Ok(mut existing_stream) => { /* same update logic */ } + Err(e) if is_not_found_error(&e) => { let stream_config = jetstream::stream::Config { name: self.config.stream_name.clone(), subjects: required_subjects.clone(), storage: StorageType::File, max_bytes: self.config.stream_max_bytes, max_age: Duration::from_secs(24 * 60 * 60), ..Default::default() }; js.get_or_create_stream(stream_config).await?; } + Err(e) => return Err(e.into()), } ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: This is a critical improvement to error handling. The current code's `Err(_)` branch masks important errors like authentication or permission failures, which would be difficult to debug. The suggestion correctly proposes to handle only "not found" errors and propagate all others. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Simplify stream creation and update</summary> ___ **Simplify the NATS stream creation and update logic in <code>publisher.rs</code> by replacing the complex <code>match</code> block with a single, atomic <code>get_or_create_stream</code> call.** [rust/netflow-collector/src/publisher.rs [148]](https://github.com/carverauto/serviceradar/pull/2656/files#diff-10dec5866b4bc416c62590bdf2d3ded6c234b8d423ec4aebc70eac891ff0c07dR148-R148) ```diff +let required_subjects = self.config.stream_subjects_resolved(); +let stream_config = jetstream::stream::Config { + name: self.config.stream_name.clone(), + subjects: required_subjects, + storage: StorageType::File, + max_bytes: self.config.stream_max_bytes, + max_age: Duration::from_secs(24 * 60 * 60), // 24 hours + ..Default::default() +}; + js.get_or_create_stream(stream_config).await?; ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly points out that the complex logic for creating/updating a NATS stream can be replaced by a single, atomic `get_or_create_stream` call, which simplifies the code and improves maintainability. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Improve subject resolution logic efficiency</summary> ___ **Refactor <code>stream_subjects_resolved</code> in <code>config.rs</code> to use a <code>HashSet</code> for more efficient and idiomatic deduplication of subjects, instead of sorting and calling <code>dedup()</code> on a <code>Vec</code>.** [rust/netflow-collector/src/config.rs [163-174]](https://github.com/carverauto/serviceradar/pull/2656/files#diff-ea8fb7fc6e55836ada19b9c1ca26f2a88575289a3fee3005183916a8454d0fc9R163-R174) ```diff +use std::collections::HashSet; + pub fn stream_subjects_resolved(&self) -> Vec<String> { - let mut subjects = self + let mut subjects: HashSet<String> = self .stream_subjects - .clone() - .unwrap_or_else(|| vec![self.subject.clone()]); - if !subjects.contains(&self.subject) { - subjects.push(self.subject.clone()); - } - subjects.sort(); - subjects.dedup(); - subjects + .as_deref() + .unwrap_or(&[]) + .iter() + .cloned() + .collect(); + subjects.insert(self.subject.clone()); + subjects.into_iter().collect() } ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 4</summary> __ Why: The suggestion offers a more idiomatic and potentially more performant way to deduplicate subjects using a `HashSet`. While the current implementation is correct, this change improves code quality and clarity. </details></details></td><td align=center>Low </td></tr><tr><td rowspan=1>High-level</td> <td> <details><summary>Consolidate duplicated rule installation logic</summary> ___ **The shell script logic for installing Zen rules with retries is duplicated in Docker, Helm, and Kubernetes configurations. This logic should be consolidated into a shared script or built into the <code>zen-put-rule</code> tool to improve maintainability.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-74122772ee2960d407d0a0e24ac0cc9d970167ba0f51913e7edf29e092188003R54-R81">docker/compose/zen-install-rules.sh [54-81]</a> </summary> ```shell local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing $key rule for $subject (attempt ${attempt}/${max_attempts})..." if zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ ... (clipped 18 lines) ``` </details> <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/2656/files#diff-1eace8b963d2ecd5105de74dab5a28d329243800e2b5c005328f54939128a2d3R71-R98">helm/serviceradar/templates/zen-rules-bootstrap-job.yaml [71-98]</a> </summary> ```yaml local attempt=1 local max_attempts=6 local delay=2 while [ "$attempt" -le "$max_attempts" ]; do echo "Installing rule: $key for subject: $subject (attempt ${attempt}/${max_attempts})" if /usr/local/bin/zen-put-rule \ --config "$CONFIG_PATH" \ --file "$file" \ --subject "$subject" \ ... (clipped 18 lines) ``` </details> ### Solution Walkthrough: #### Before: ```yaml # In docker/compose/zen-install-rules.sh install_rule() { # ... retry logic ... while [ "$attempt" -le "$max_attempts" ]; do zen-put-rule ... done } # In helm/.../zen-rules-bootstrap-job.yaml (inline script) install_rule() { # ... identical retry logic ... while [ "$attempt" -le "$max_attempts" ]; do /usr/local/bin/zen-put-rule ... done } # In k8s/.../serviceradar-zen-rules-bootstrap.yaml (inline script) install_rule() { # ... identical retry logic ... while [ "$attempt" -le "$max_attempts" ]; do /usr/local/bin/zen-put-rule ... done } ``` #### After: ```yaml # In a new shared script, e.g., /usr/local/bin/install-zen-rule.sh #!/bin/sh # ... retry logic ... while [ "$attempt" -le "$max_attempts" ]; do zen-put-rule "$@" # ... done # In docker/compose/zen-install-rules.sh install_rule() { install-zen-rule.sh --file "$1" --subject "$2" --key "$3" } # In helm/.../zen-rules-bootstrap-job.yaml # and k8s/.../serviceradar-zen-rules-bootstrap.yaml install_rule() { install-zen-rule.sh --file "$1" --subject "$2" --key "$3" } ``` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies significant code duplication of the retry logic across multiple deployment configuration files, which impacts future maintainability. </details></details></td><td align=center>Medium </td></tr><tr><td rowspan=2>Possible issue</td> <td> <details><summary>Ensure script exits on error</summary> ___ **Add <code>set -e</code> to <code>docker/compose/zen-install-rules.sh</code> to ensure the script exits immediately if a rule installation fails, preventing silent failures.** [docker/compose/zen-install-rules.sh [87-93]](https://github.com/carverauto/serviceradar/pull/2656/files#diff-74122772ee2960d407d0a0e24ac0cc9d970167ba0f51913e7edf29e092188003R87-R93) ```diff +#!/bin/bash +set -e + install_rule "$DATA_DIR/strip_full_message.json" "logs.syslog" "strip_full_message" install_rule "$DATA_DIR/cef_severity.json" "logs.syslog" "cef_severity" install_rule "$DATA_DIR/snmp_severity.json" "logs.snmp" "snmp_severity" install_rule "$DATA_DIR/passthrough.json" "logs.otel" "passthrough" install_rule "$DATA_DIR/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf" echo "✅ Initial zen rules installation completed successfully" ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: This suggestion correctly identifies that the script would not fail if an `install_rule` command fails, leading to a silent error in the deployment process. Adding `set -e` is a crucial fix for script robustness. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Exit Job on install failures</summary> ___ **Add strict mode (<code>set -euo pipefail</code>) and explicit exit checks (<code>|| exit 1</code>) to the <code>install_rule</code> commands in <code>zen-rules-bootstrap-job.yaml</code> to ensure the Job fails upon rule installation failure.** [helm/serviceradar/templates/zen-rules-bootstrap-job.yaml [103-117]](https://github.com/carverauto/serviceradar/pull/2656/files#diff-1eace8b963d2ecd5105de74dab5a28d329243800e2b5c005328f54939128a2d3R103-R117) ```diff -install_rule "${RULES_DIR}/strip_full_message.json" "logs.syslog" "strip_full_message" -install_rule "${RULES_DIR}/cef_severity.json" "logs.syslog" "cef_severity" -install_rule "${RULES_DIR}/snmp_severity.json" "logs.snmp" "snmp_severity" -install_rule "${RULES_DIR}/passthrough.json" "logs.otel" "passthrough" -install_rule "${RULES_DIR}/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf" +set -euo pipefail + +install_rule "${RULES_DIR}/strip_full_message.json" "logs.syslog" "strip_full_message" || exit 1 +install_rule "${RULES_DIR}/cef_severity.json" "logs.syslog" "cef_severity" || exit 1 +install_rule "${RULES_DIR}/snmp_severity.json" "logs.snmp" "snmp_severity" || exit 1 +install_rule "${RULES_DIR}/passthrough.json" "logs.otel" "passthrough" || exit 1 +install_rule "${RULES_DIR}/netflow_to_ocsf.json" "flows.raw.netflow" "netflow_to_ocsf"|| exit 1 echo "✅ Zen rules bootstrap completed successfully" ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: This suggestion correctly identifies that the bootstrap script within the Kubernetes Job manifest lacks error handling, which could cause the Job to succeed silently even if rule installation fails. This is a significant reliability improvement. </details></details></td><td align=center>Medium </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>

qodo-code-review[bot] commented

2026-02-01 08:14:30 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830593850
Original created: 2026-02-01T08:14:30Z

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Configure SRQL fixture database for tests [❌]

Failed test name: ""

Failure summary:

The action failed during environment/fixture setup because the required secret
SRQL_TEST_DATABASE_CA_CERT was not configured.
- The log explicitly reports:
SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS. (line 676)
- The
workflow then exited with exit code 1 (line 677).

Relevant error logs:

1:  Runner name: 'arc-runner-set-hk6mk-runner-5w4m8'
2:  Runner group name: 'Default'
...

139:  ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m
140:  ^[[36;1m  sudo apt-get update^[[0m
141:  ^[[36;1m  sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m
142:  ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m
143:  ^[[36;1m  sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
144:  ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m
145:  ^[[36;1m  sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
146:  ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m
147:  ^[[36;1m  sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
148:  ^[[36;1melse^[[0m
149:  ^[[36;1m  echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m
150:  ^[[36;1m  exit 1^[[0m
151:  ^[[36;1mfi^[[0m
152:  ^[[36;1m^[[0m
153:  ^[[36;1mensure_pkg_config^[[0m
154:  ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m
155:  shell: /usr/bin/bash -e {0}
...

356:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
357:  env:
358:  BUILDBUDDY_ORG_API_KEY: ***
359:  SRQL_TEST_DATABASE_URL: ***
360:  SRQL_TEST_ADMIN_URL: ***
361:  SRQL_TEST_DATABASE_CA_CERT: 
362:  DOCKERHUB_USERNAME: ***
363:  DOCKERHUB_TOKEN: ***
364:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
365:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
366:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
367:  ##[endgroup]
368:  ##[group]Run : install rustup if needed
369:  ^[[36;1m: install rustup if needed^[[0m
370:  ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m
371:  ^[[36;1m  curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m
372:  ^[[36;1m  echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m
...

512:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
513:  env:
514:  BUILDBUDDY_ORG_API_KEY: ***
515:  SRQL_TEST_DATABASE_URL: ***
516:  SRQL_TEST_ADMIN_URL: ***
517:  SRQL_TEST_DATABASE_CA_CERT: 
518:  DOCKERHUB_USERNAME: ***
519:  DOCKERHUB_TOKEN: ***
520:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
521:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
522:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
523:  CARGO_HOME: /home/runner/.cargo
524:  CARGO_INCREMENTAL: 0
525:  CARGO_TERM_COLOR: always
526:  ##[endgroup]
527:  ##[group]Run : work around spurious network errors in curl 8.0
528:  ^[[36;1m: work around spurious network errors in curl 8.0^[[0m
529:  ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m
...

580:  SRQL_TEST_DATABASE_CA_CERT: 
581:  DOCKERHUB_USERNAME: ***
582:  DOCKERHUB_TOKEN: ***
583:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
584:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
585:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
586:  CARGO_HOME: /home/runner/.cargo
587:  CARGO_INCREMENTAL: 0
588:  CARGO_TERM_COLOR: always
589:  ##[endgroup]
590:  Attempting to download 1.x...
591:  Acquiring v1.28.1 from https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64
592:  Adding to the cache ...
593:  Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.28.1/x64
594:  Added bazelisk to the path
595:  ##[warning]Failed to restore: Cache service responded with 400
596:  Restored bazelisk cache dir @ /home/runner/.cache/bazelisk
...

662:  env:
663:  BUILDBUDDY_ORG_API_KEY: ***
664:  SRQL_TEST_DATABASE_URL: ***
665:  SRQL_TEST_ADMIN_URL: ***
666:  SRQL_TEST_DATABASE_CA_CERT: 
667:  DOCKERHUB_USERNAME: ***
668:  DOCKERHUB_TOKEN: ***
669:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
670:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
671:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
672:  CARGO_HOME: /home/runner/.cargo
673:  CARGO_INCREMENTAL: 0
674:  CARGO_TERM_COLOR: always
675:  ##[endgroup]
676:  SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
677:  ##[error]Process completed with exit code 1.
678:  Post job cleanup.

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2656#issuecomment-3830593850 Original created: 2026-02-01T08:14:30Z --- ## CI Feedback 🧐 A test triggered by this PR failed. Here is an AI-generated analysis of the failure: <table><tr><td> **Action:** build</td></tr> <tr><td> **Failed stage:** [Configure SRQL fixture database for tests](https://github.com/carverauto/serviceradar/actions/runs/21559465935/job/62121109900) [❌] </td></tr> <tr><td> **Failed test name:** "" </td></tr> <tr><td> **Failure summary:** The action failed during environment/fixture setup because the required secret <code>SRQL_TEST_DATABASE_CA_CERT</code> was not configured. - The log explicitly reports: <code>SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.</code> (line 676) - The workflow then exited with <code>exit code 1</code> (line 677). </td></tr> <tr><td> <details><summary>Relevant error logs:</summary> ```yaml 1: Runner name: 'arc-runner-set-hk6mk-runner-5w4m8' 2: Runner group name: 'Default' ... 139: ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m 140: ^[[36;1m sudo apt-get update^[[0m 141: ^[[36;1m sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m 142: ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m 143: ^[[36;1m sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 144: ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m 145: ^[[36;1m sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 146: ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m 147: ^[[36;1m sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 148: ^[[36;1melse^[[0m 149: ^[[36;1m echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m 150: ^[[36;1m exit 1^[[0m 151: ^[[36;1mfi^[[0m 152: ^[[36;1m^[[0m 153: ^[[36;1mensure_pkg_config^[[0m 154: ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m 155: shell: /usr/bin/bash -e {0} ... 356: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 357: env: 358: BUILDBUDDY_ORG_API_KEY: *** 359: SRQL_TEST_DATABASE_URL: *** 360: SRQL_TEST_ADMIN_URL: *** 361: SRQL_TEST_DATABASE_CA_CERT: 362: DOCKERHUB_USERNAME: *** 363: DOCKERHUB_TOKEN: *** 364: TEST_CNPG_DATABASE: serviceradar_web_ng_test 365: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 366: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 367: ##[endgroup] 368: ##[group]Run : install rustup if needed 369: ^[[36;1m: install rustup if needed^[[0m 370: ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m 371: ^[[36;1m curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m 372: ^[[36;1m echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m ... 512: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 513: env: 514: BUILDBUDDY_ORG_API_KEY: *** 515: SRQL_TEST_DATABASE_URL: *** 516: SRQL_TEST_ADMIN_URL: *** 517: SRQL_TEST_DATABASE_CA_CERT: 518: DOCKERHUB_USERNAME: *** 519: DOCKERHUB_TOKEN: *** 520: TEST_CNPG_DATABASE: serviceradar_web_ng_test 521: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 522: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 523: CARGO_HOME: /home/runner/.cargo 524: CARGO_INCREMENTAL: 0 525: CARGO_TERM_COLOR: always 526: ##[endgroup] 527: ##[group]Run : work around spurious network errors in curl 8.0 528: ^[[36;1m: work around spurious network errors in curl 8.0^[[0m 529: ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m ... 580: SRQL_TEST_DATABASE_CA_CERT: 581: DOCKERHUB_USERNAME: *** 582: DOCKERHUB_TOKEN: *** 583: TEST_CNPG_DATABASE: serviceradar_web_ng_test 584: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 585: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 586: CARGO_HOME: /home/runner/.cargo 587: CARGO_INCREMENTAL: 0 588: CARGO_TERM_COLOR: always 589: ##[endgroup] 590: Attempting to download 1.x... 591: Acquiring v1.28.1 from https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64 592: Adding to the cache ... 593: Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.28.1/x64 594: Added bazelisk to the path 595: ##[warning]Failed to restore: Cache service responded with 400 596: Restored bazelisk cache dir @ /home/runner/.cache/bazelisk ... 662: env: 663: BUILDBUDDY_ORG_API_KEY: *** 664: SRQL_TEST_DATABASE_URL: *** 665: SRQL_TEST_ADMIN_URL: *** 666: SRQL_TEST_DATABASE_CA_CERT: 667: DOCKERHUB_USERNAME: *** 668: DOCKERHUB_TOKEN: *** 669: TEST_CNPG_DATABASE: serviceradar_web_ng_test 670: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 671: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 672: CARGO_HOME: /home/runner/.cargo 673: CARGO_INCREMENTAL: 0 674: CARGO_TERM_COLOR: always 675: ##[endgroup] 676: SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS. 677: ##[error]Process completed with exit code 1. 678: Post job cleanup. ``` </details></td></tr></table>