diff --git a/.github/workflows/secrets-detection.yaml b/.github/workflows/secrets-detection.yaml index 123f915..a2fde8f 100644 --- a/.github/workflows/secrets-detection.yaml +++ b/.github/workflows/secrets-detection.yaml @@ -47,7 +47,7 @@ jobs: detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \ --exclude-files '\.secrets..*' \ --exclude-files '\.git.*' \ - --exclude-files 'target' + --exclude-files 'target' \ --exclude-files '\.pre-commit-config.yaml' # if there is any difference between the known and newly detected secrets, break the build diff --git a/README.md b/README.md index fec2dba..f49c596 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ _Installation instructions here. Include any system-wide requirements (`bres ins _Basic usage instructions here. If possible, make it so your program works correctly "out of the box" as an executable `.jar`, or as a drop-in `.war`, etc., without any additional configuration._ +_An example `log4j.properties` file is in `src/main/resources`; mention how to customize it as needed—or delete it if it doesn't apply to your app._ + ## 👥 Contributing @@ -81,11 +83,13 @@ to produce a complete package. This runs all the phases necessary, including com - `install` - install into your local repository - `deploy` - deploy to a remote repository — note that the Roundup action does this automatically for releases -#### :guardsman: Secrets Detection Setup and Update +#### 💂‍♂️ Secrets Detection Setup and Update + The PDS uses [Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/)) to help prevent committing information to a repository that should remain secret. For Detect Secrets to work, there is a one-time setup required to your personal global Git configuration, as well as several steps to create or update the **required** `.secrets.baseline` file needed to avoid false positive failures of the software. See [the wiki entry on Detect Secrets](https://github.com/NASA-PDS/nasa-pds.github.io/wiki/Git-and-Github-Guide#detect-secrets) to learn how to do this. + #### 🪝 Pre-Commit Hooks This package comes with a configuration for [Pre-Commit](https://pre-commit.com/), a system for automating and standardizing `git` hooks for code linting, security scanning, etc. Here in this Java template repository, we use Pre-Commit with [Detect Secrets](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/security/secrets-detection/) to prevent the accidental committing or commit messages containing secrets like API keys and passwords. diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties new file mode 100644 index 0000000..bd0a597 --- /dev/null +++ b/src/main/resources/log4j.properties @@ -0,0 +1,62 @@ +# Example log4j.properties +# ======================== +# +# This is an example `log4j.properties` file that serves as a starting point +# for your own application. It sets up the following: +# +# - Default log level is `WARN`, which is reasonable +# - Default logging is to the standard error output (`stderr`), which is +# what you want¹ +# +# The possible log levels are (listed in priority level): +# +# - `FATAL`: the most severe; the application will abort +# - `ERROR`: a significant problem that requires attention +# - `WARN`: potentially harmful and worth noting but not necessarily a failure +# - `INFO`: general information about app progress +# - `DEBUG`: detailed info useful for developers +# - `TRACE`: even more detail than `DEBUG` +# +# There are special levels `OFF` and `ALL` which do what you expect. +# +# There is an additional appender commented-out below; feel free to enable it +# and/or customize it. +# +# Below that are examples showing how to fine-tune the log levels per-package. + + +log4j.rootCategory=WARN, console + + +# Console Logging +# --------------- + +log4j.appender.console = org.apache.log4j.ConsoleAppender +log4j.appender.console.layout = org.apache.log4j.PatternLayout +log4j.appender.console.layout.ConversionPattern = %d{yyyy-MM-dd HH:mm:ss} [%-5p] (%F:%M:%L) %m%n + + +# Example Rolling File Logging +# ---------------------------- +# +# This logs to a file named `logs/app.log.2024-01-01`, etc., making a new file +# each day. If you comment this out, add `, rolling` to the `log4j.rootCategory` +# or to a package-specific declaration. +# +# log4j.appender.rolling = org.apache.log4j.DailyRollingFileAppender +# log4j.appender.rolling.File = logs/app.log +# log4j.appender.rolling.Append = true +# log4j.appender.rolling.DatePattern = '.'yyyy-MM-dd +# log4j.appender.rolling.layout = org.apache.log4j.PatternLayout +# log4j.appender.rolling.layout.ConversionPattern = %d{yyyy-MM-dd HH:mm:ss} [%-5p] (%F:%M:%L) %m%n + + +# Example Package-Level Directives +# -------------------------------- +# +# These show examples of how to on `DEBUG` logging for one module (up from the +# default of `WARN`) for the `gov.nasa.pds.xml.utils` package and completely +# turn off logging for all packages/sub-packages under `com.nickelback`: +# +# log4j.logger.gov.nasa.pds.xml.utils = DEBUG +# log4j.logger.com.nickelback = OFF