2023-05-03 11:06:20 +02:00
|
|
|
== Why is this an issue?
|
|
|
|
|
|
2023-08-18 16:39:19 +02:00
|
|
|
When logging a message, the following requirements should be fulfilled:
|
|
|
|
|
|
|
|
|
|
* The user can easily record logged data and retrieve the logs.
|
|
|
|
|
* The format of all logged messages is uniform and provides context about the message creator. This improves the readability of the logs.
|
|
|
|
|
* Sensitive data is logged securely.
|
|
|
|
|
|
|
|
|
|
Simply printing messages to `System.out` or `System.err` does not fulfill these needs.
|
|
|
|
|
A dedicated logger should be used instead.
|
2020-06-30 10:16:44 +02:00
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Noncompliant code example
|
2020-06-30 10:16:44 +02:00
|
|
|
|
2023-08-18 16:39:19 +02:00
|
|
|
[source,java,diff-id=1,diff-type=noncompliant]
|
2020-06-30 10:16:44 +02:00
|
|
|
----
|
2023-08-18 16:39:19 +02:00
|
|
|
class PrintMessage {
|
|
|
|
|
public void print() {
|
|
|
|
|
System.out.println("My Message"); // Noncompliant, output directly to System.out without a logger
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-30 10:16:44 +02:00
|
|
|
----
|
|
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
=== Compliant solution
|
2020-06-30 10:16:44 +02:00
|
|
|
|
2023-08-18 16:39:19 +02:00
|
|
|
[source,java,diff-id=1,diff-type=compliant]
|
2020-06-30 10:16:44 +02:00
|
|
|
----
|
2023-08-18 16:39:19 +02:00
|
|
|
import java.util.logging.Logger;
|
|
|
|
|
|
|
|
|
|
class PrintMessage {
|
|
|
|
|
|
|
|
|
|
Logger logger = Logger.getLogger(getClass().getName());
|
|
|
|
|
|
|
|
|
|
public void print() {
|
|
|
|
|
logger.info("My Message"); // Compliant, output via logger
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-30 10:16:44 +02:00
|
|
|
----
|
|
|
|
|
|
2023-05-03 11:06:20 +02:00
|
|
|
== Resources
|
2021-09-21 15:40:35 +02:00
|
|
|
|
2023-08-18 16:39:19 +02:00
|
|
|
=== Documentation
|
|
|
|
|
|
|
|
|
|
* https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html[Java SE 7 API Specification: java.util.logging.Logger]
|
2021-11-01 15:00:32 +01:00
|
|
|
* https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
|
2022-07-08 13:58:56 +02:00
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
2021-09-21 15:40:35 +02:00
|
|
|
* https://wiki.sei.cmu.edu/confluence/x/nzdGBQ[CERT, ERR02-J.] - Prevent exceptions while logging data
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
2023-06-22 10:38:01 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
