Sensitive data is not audit-logged if read via calculated element

[patricebender]

it is possible to circumvent audit-logging of sensitive data, if the data is read via a calculated element.

I have created a sample which illustrates the problem. In the incidents-app, the credit card number of the customer is exposed in Incidents via calculated element.. In the sample, audit-logging has been added as well as the data-privacy annotations.

Steps to reproduce

• git clone https://github.com/cap-js/incidents-app.git && cd incidents-app
• git checkout patrice/calc
• npm i
• cds watch
• Read sensitive data directly and observe audit-logging
  • http://localhost:4004/odata/v4/processor/Customers
• Read sensitive data indirectly via calculated element and observe that no read event is logged
  • http://localhost:4004/odata/v4/processor/Incidents

---

→ Logs for direct read [odata] - GET /odata/v4/processor/Customers:

[audit-log] - SensitiveDataRead: {
  data_subject: {
    id: { ID: '1004100' },
    role: 'Customer',
    type: 'ProcessorService.Customers'
  },
  object: { type: 'ProcessorService.Customers', id: { ID: '1004100' } },
  attributes: [ { name: 'creditCardNo' } ],
  uuid: '6c05ad60-7dc8-41d0-bc1b-bd5fa7f549ba',
  tenant: 't1',
  user: 'alice',
  time: 2024-06-20T09:26:51.333Z
}
…

→ No logs for indirect read [odata] - GET /odata/v4/processor/Incidents, which exposes the credit card number of the customer:

{
  "@odata.context": "$metadata#Incidents",
  "value": [
    {
      "ID": "3583f982-d7df-4aad-ab26-301d4a157cd7",
      "createdAt": "2024-06-20T09:33:09.664Z",
      "createdBy": "anonymous",
      "modifiedAt": "2024-06-20T09:33:09.664Z",
      "modifiedBy": "anonymous",
      "customerCreditCardNo": "3456789012345678", // 😱
      "customer_ID": "1004100",
      "title": "Solar panel broken",
      "urgency_code": "H",
      "status_code": "I",
      "HasActiveEntity": false,
      "HasDraftEntity": false,
      "IsActiveEntity": true
    },
    …
  ]
}

[sjvans]

hi @patricebender

you'd need to annotate such calculated properties (and their carrying entities) explicitly

[patricebender]

Okay, do you think it would make sense to document this somewhere? I was not aware of this and had expected it to work out of the box.

Also, the annotation is propagated to the calculated element, why not leverage this?

entity Authors {
    key ID         : Integer;
        books      : Association to many Books
                         on books.author = $self;
        creditCard : Int16 @PersonalData.IsPotentiallySensitive;
}

entity Books {
    key ID     : Integer;
        author : Association to Authors;
        title  : String;
        authorCreditCardNumber = author.creditCard;
}

❯ bin/cdsc.js e.cds
Debugger attached.
{
  "definitions": {
    "Authors": {
      "kind": "entity",
      "elements": {
        …
        "creditCard": {
          "@PersonalData.IsPotentiallySensitive": true,
          "type": "cds.Int16"
        }
      }
    },
    "Books": {
      "kind": "entity",
      "elements": {
       …
        "authorCreditCardNumber": {
          "@PersonalData.IsPotentiallySensitive": true, // ⬅️
          "type": "cds.Int16",
          "value": {
            "ref": [
              "author",
              "creditCard"
            ]
          }
        }
      }
    }
  },
  "meta": {
    "creator": "CDS Compiler v5.0.1"
  },
  "$version": "2.0"
}

[sjvans]

it is documented in Annotating Personal Data. you cannot guess the entity-level annotation (e.g., personal data or personal data details?). hence, you need to add the annotations explicitly. repeating propagated annotations is not necessary, but i'd always annotate everything in the same location.