== Why is this an issue?

Using an unsanitized, externally-provided format string could lead to errors at runtime and open the door to attackers. This rule raises an issue when an externally-provided format string is used.


=== Noncompliant code example

[source,text]
----
public void formattedLog(String format, String message) {
  String logLine = String.format(format, message);  // Noncompliant
  LOGGER.info(logLine);
}
----