[AC-3006] Splunk app UI rewrite

[mzieniukbw]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/AC-3006

📔 Objective

Rewrite the Splunk UI of the Bitwarden Event Logs application.
Technology: Node, Angular v18, Tailwind
Rewrite Benefits:

• Unified tech stack
• Better User Experience (visually nicer and consistent)
• Validation of fields (required fields, email, server url validations)
• Better error handling
• Reads the app configuration on load (Server Url, index, date)

ℹ️ Notes

• Splunk SDK does not support TypeScript. JS support via import or require also does not work, so splunk sdk is imported during build in form of splunkjs global variable. JS/TS types are defined in splunk-js.service.ts. While Splunk UI in which the app's UI runs provides it's own Splunk SDK in splunkjs global variable, it's outdated and as a result have differences between various Splunk versions.
• Simplified GH Actions build - removing the "beta" build, we don't need it anymore.
• Ability to specify the index name by field - could address https://bitwarden.atlassian.net/browse/AC-2821
• Bitwarden EU support

📷 Screenshots

Note: Splunk CSS seems to override a lot of things, but maybe that's for better, since it's more Splunk native look.

No errors:

Save success:

Validation issues:

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 1959af96-0d8b-4cf4-bf8a-0591fa47950b

New Issues (14)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-52798	Npm-path-to-regexp-0.1.10	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW ID: lsaufpFhaIHEx6xlAAlTO2NnO3ewOIiIUbBqPX9bAno%3D Vulnerable Package
	CVE-2024-47764	Npm-cookie-0.4.2	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW ID: 6iJsDSfnkKFO%2BqRDcwpPqH%2Fe7ZLEdUAxyzUBfe35HX4%3D Vulnerable Package
	CVE-2024-55565	Npm-nanoid-3.3.7	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW ID: KVQv1ueXePSD2pQFQZ5HQjK1OqR4qdrwOpvaYh6ah5Y%3D Vulnerable Package
	CVE-2025-24010	Npm-vite-5.4.6	details Recommended version: 5.4.18 Description: Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response... Attack Vector: NETWORK Attack Complexity: LOW ID: qTz8X0%2BV%2Bf98meMs2WPD8ZXamgVMSqLtTRMP6JUrc2Y%3D Vulnerable Package
	CVE-2025-27789	Npm-@babel/helpers-7.26.0	details Recommended version: 7.26.10 Description: Babel is a compiler for writing next-generation JavaScript. In affected versions of Babel, to compile regular expressions named capturing groups, B... Attack Vector: LOCAL Attack Complexity: LOW ID: W4FQxYJUOmgpFShJ3R6nn0ca6hCe43A9bXeGgLy7kB8%3D Vulnerable Package
	CVE-2025-31125	Npm-vite-5.4.6	details Recommended version: 5.4.18 Description: Vite is a frontend tooling framework for javascript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only ap... Attack Vector: NETWORK Attack Complexity: HIGH ID: oQQIBBx%2F9ydqNTl6TdkcIWQlWGUT%2FjQ2%2B9xOQwEez30%3D Vulnerable Package
	CVE-2025-31486	Npm-vite-5.4.6	details Recommended version: 5.4.18 Description: A vulnerability in Vite allows the contents of arbitrary files to be returned to the browser. By appending "?.svg" along with "?.wasm?init" or sett... Attack Vector: NETWORK Attack Complexity: HIGH ID: AnknP26gsIXnCYkfoQACh97sjRbitZ9b950ZadY0Jys%3D Vulnerable Package
	CVE-2025-32395	Npm-vite-5.4.6	details Recommended version: 5.4.18 Description: Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser if the dev server is running on... Attack Vector: NETWORK Attack Complexity: LOW ID: kC%2FFcNH3rVL9zvaE%2BFV3KmFHZnAuS72mP9EXwbYbrvk%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-wasm-0.23.0	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: Dq5ZEQRwwHZK5XzpLVCZR5A3p5BIWa%2F8kbrt%2BrKRlaY%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.23.0	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: dv%2FhcUm9kV34OJCKrDwqQybnwQmKhg%2FqG9D5q5VlFH0%3D Vulnerable Package
	Cxbb85e86c-2fac	Npm-esbuild-0.21.5	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH ID: iuRZL8zjkAK9eK8MTLmST6qG6BlFCwT2kf4jXLTI3i4%3D Vulnerable Package
	Cx8bc4df28-fcf5	Npm-debug-4.3.7	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH ID: Dc5Zwc50erIba30dDkvSqpm9bVmLRPNabqe4rhQLzII%3D Vulnerable Package
	Cx8bc4df28-fcf5	Npm-debug-3.2.7	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH ID: zjFUHdqq2m%2FO%2BGqEXgMzo9rrMITr5QDGqV4Hjaw9qFY%3D Vulnerable Package
	Cx8bc4df28-fcf5	Npm-debug-2.6.9	details Recommended version: 4.4.0 Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e... Attack Vector: NETWORK Attack Complexity: HIGH ID: ZvlCi8A4981bUlEHCGurTP87lyrhKRpZ80CaNMA6WLw%3D Vulnerable Package

[eliykat]

Great work! Some suggestions, some questions. We're still on Angular 16 in clients and we don't use the Angular CLI, so the differences with a brand new app are interesting (and somewhat unfamiliar to me).

[eliykat]

There's quite a bit of extra work here to recreate what is essentially a typed reactive form. We almost exclusively use reactive forms in our clients repository and it's much easier to manage medium-to-large forms.

If this used a reactive form, you could declare the form's structure and validators in app.component.ts, and then there'd be less boilerplate throughout the template to declare bindings on everything. Let me know if I can help with this.

[eliykat]

There is some strange responsive behaviour here on small screens:

Screen.Recording.2024-10-30.at.12.07.02.PM.mov

[eliykat]

Does the namespace distinguish between global Splunk configuration (e.g. indexes) and Bitwarden app configuration (e.g. client ID and secret)? That's what I get from the docs but I'm just confirming my own understanding. (maybe some jsdoc comments explaining that would also be useful)

[eliykat]

The different levels of abstraction between BitwardenSplunkService, SplunkService and SplunkJsServiceBuilder/SplunkJsProvider make sense, however the relationship between them isn't immediately clear. I suggest some jsdoc comments would really help, and could also explain the global SplunkJs variable which is also non-standard. e.g.

• SplunkJsProvider: returns the global Splunk SDK object from the splunk-sdk package, injected via angular.json
• SplunkJsServiceBuilder: instantiates a new Splunk service from the SDK using the provided namespace
• SplunkService: a Typescript wrapper around the Splunk service, maintaining a similar interface
• BitwardenSplunkService: a wrapper around SplunkService with a Bitwarden specific interface

[eliykat]

When running the app in development mode (npm run start), I get the following errors. It works fine when deployed though. I've set the properties in environment.development.ts. What am I missing?

[mzieniukbw]

When running the app in development mode (npm run start), I get the following errors. It works fine when deployed though. I've set the properties in environment.development.ts. What am I missing?

I have not documented it, but because splunk runs on different port than the development mode and CORS is enabled, splunk rejects any http calls when loading the bitwarden app configuration.
You need to add http://localhost:4200 into CORS policy and disable SSL. With docker, you can do that by creating a file like this one: https://github.com/bitwarden/splunk/blob/976a69b3b79c84292b1a514907d143d5228a5335/splunk_configuration.yml
and passing it to the splunk during first time startup:

splunk/docker-compose.yml

Line 14 in 976a69b

- ./splunk_configuration.yml:/tmp/defaults/default.yml

(version 9.1). If this is not first time setup, you have to stop the service and get rid of the volume, otherwise the CORS file settings won't be applied.

The http calls will still fail, since bitwarden event logs app is not installed in splunk. You can install it with: ./package.sh && ./deploy.sh splunk-splunk91-1

I was planning on adding this to the contributing docs if that works for you.

[eliykat]

The contributing docs sound like a good place to include this info. Thanks! Please re-request my review when your changes are ready 👍

[vgrassia]

Build workflow changes look good to me.

[eliykat]

@mzieniukbw This is (finally!) in our regular sprint work so I will be taking it over. I will preserve your commits (and co-authorship) but I will open my own PR once it is ready for review by the team. That should also drop you off the Github notifications so we don't bother you. Thanks again for your work here!