rspec/rules/S1148/java/rule.adoc

``++Throwable.printStackTrace(...)++`` prints a ``++Throwable++`` and its stack trace to some stream. By default that stream ``++System.Err++``, which could inadvertently expose sensitive information.


Loggers should be used instead to print ``++Throwable++``s, as they have many advantages:

* Users are able to easily retrieve the logs.
* The format of log messages is uniform and allow users to browse the logs easily.

This rule raises an issue when ``++printStackTrace++`` is used without arguments, i.e. when the stack trace is printed to the default stream.


== Noncompliant Code Example

----
try {
  /* ... */
} catch(Exception e) {
  e.printStackTrace();        // Noncompliant
}
----


== Compliant Solution

----
try {
  /* ... */
} catch(Exception e) {
  LOGGER.log("context", e);
}
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* http://cwe.mitre.org/data/definitions/489.html[MITRE, CWE-489] - Leftover Debug Code
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			``++Throwable.printStackTrace(...)++`` prints a ``++Throwable++`` and its stack trace to some stream. By default that stream ``++System.Err++``, which could inadvertently expose sensitive information.


			Loggers should be used instead to print ``++Throwable++``s, as they have many advantages:

			`* Users are able to easily retrieve the logs.`
			`* The format of log messages is uniform and allow users to browse the logs easily.`

			This rule raises an issue when ``++printStackTrace++`` is used without arguments, i.e. when the stack trace is printed to the default stream.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`try {`
			`/* ... */`
			`} catch(Exception e) {`
			`e.printStackTrace(); // Noncompliant`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

			`----`
			`try {`
			`/* ... */`
			`} catch(Exception e) {`
			`LOGGER.log("context", e);`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* http://cwe.mitre.org/data/definitions/489.html[MITRE, CWE-489] - Leftover Debug Code`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00