Replies: 7 comments
-
Is it only the security advisory which gets an error? And all other webhooks deliver fine?
-
Wow, such a quick reply! Yes, other webhooks work fine. And for security advisory webhook events, it sometimes succeeds and sometimes fails with HTTP 400.
-
It's very strange that the signature would fail for some and not others. Most likely it indicates a GitHub bug rather than Renovate. I guess they don't show the signatures in the logs? i.e. no way to confirm the problem manually? If the 400s are causing a problem then you could turn off dependency alert events - it won't have any significant effect.
-
👍 👍 👍 Thanks for letting me know, I will turn off subscribing to the Security Advisory webhook event. The last question: the official documentation recommends subscribing to security advisory events, but I haven't found the place where Renovate needs to use it. Could you please tell me the reason for the official recommendation?
-
Renovate can run on a repo if it receives such an alert. I don't recall if it does that yet or if it's reserved for future use.
-
At present it seems that there is none; I only found vulnerabilityalerts (but it has nothing to do with the security advisory event). Thanks for the reply, I will close this issue :)
-
@rarkins -> I'm seeing this same issue; it's pretty consistent that the GitHub security_advisory webhooks error with 'Failed to verify signature'. As the OP (@Xyz426) observed, a few succeed, though I'm not seeing many successes. All other webhooks don't seem to have this issue, only the security_advisory ones. I'm not very familiar with TypeScript and the various modules/projects being used by Renovate to verify the HMAC signature, so my efforts to try and investigate this haven't been a success yet. I'm more familiar with Ruby, so I created a simple Ruby/Sinatra app leveraging the sinatra-github_webhooks gem and configured the Renovate GitHub app webhook to point to it. Then, using the GitHub Recent Deliveries 'Redeliver' option, I sent (from GitHub) the webhook that fails when received by Renovate to my local test app; to my surprise, the test app was able to verify the signature every time. A few interesting observations:
I'm thinking the 'X-Hub-Signature' is legacy and left in for compatibility with older code. My test app was able to verify both the sha1 and sha256 for several different security_advisory webhooks, though I had to tweak the underlying rack-github_webhooks gem to verify 'X-Hub-Signature' as it only supports 'X-Hub-Signature-256'. Some conclusions:
Questions
-
Hi team, very great tool! I'm having some problems with Renovate and would like to ask you :)
Our self-hosted Renovate app's webhook is subscribed to security advisory events as suggested by the official documentation.
But I found that the received security advisory event has regular HTTP 400 errors as below.
And I checked the Renovate config docs, but didn't find any security advisory related information, just the vulnerabilityalerts configuration, and it doesn't suggest subscribing to the security advisory.
I wonder if anyone can suggest whether it is necessary to subscribe to security advisory events and where they are used in Renovate? And why is there a regular 400 error?