From 52a0ee1b4188d047181eac444d3e768d78d0bbe3 Mon Sep 17 00:00:00 2001
From: Marco Kaufmann <83189575+kaufco@users.noreply.github.com>
Date: Fri, 18 Aug 2023 16:39:19 +0200
Subject: [PATCH] Modify rule S106: reworked rule description for LaYC format,
 SONARJAVA-4570 (#2907)

---
 rules/S106/java/rule.adoc | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/rules/S106/java/rule.adoc b/rules/S106/java/rule.adoc
index 0910798fd0..489032c2a3 100644
--- a/rules/S106/java/rule.adoc
+++ b/rules/S106/java/rule.adoc
@@ -1,23 +1,46 @@
 == Why is this an issue?
 
-include::../description.adoc[]
+When logging a message, the following requirements should be fulfilled:
+
+* The user can easily record logged data and retrieve the logs.
+* The format of all logged messages is uniform and provides context about the message creator. This improves the readability of the logs.
+* Sensitive data is logged securely.
+
+Simply printing messages to `System.out` or `System.err` does not fulfill these needs.
+A dedicated logger should be used instead.
 
 === Noncompliant code example
 
-[source,java]
+[source,java,diff-id=1,diff-type=noncompliant]
 ----
-System.out.println("My Message");  // Noncompliant
+class PrintMessage {
+  public void print() {
+    System.out.println("My Message");  // Noncompliant, output directly to System.out without a logger
+  }
+}
 ----
 
 === Compliant solution
 
-[source,java]
+[source,java,diff-id=1,diff-type=compliant]
 ----
-logger.log("My Message");
+import java.util.logging.Logger;
+
+class PrintMessage {
+
+  Logger logger = Logger.getLogger(getClass().getName());
+
+  public void print() {
+    logger.info("My Message");  // Compliant, output via logger
+  }
+}
 ----
 
 == Resources
 
+=== Documentation
+
+* https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html[Java SE 7 API Specification: java.util.logging.Logger]
 * https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/[OWASP Top 10 2021 Category A9] - Security Logging and Monitoring Failures
 * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
 * https://wiki.sei.cmu.edu/confluence/x/nzdGBQ[CERT, ERR02-J.] - Prevent exceptions while logging data