== Why is this an issue? ``++Throwable.printStackTrace(...)++`` prints a ``++Throwable++`` and its stack trace to some stream. By default that stream ``++System.Err++``, which could inadvertently expose sensitive information. Loggers should be used instead to print ``++Throwable++``s, as they have many advantages: * Users are able to easily retrieve the logs. * The format of log messages is uniform and allow users to browse the logs easily. This rule raises an issue when ``++printStackTrace++`` is used without arguments, i.e. when the stack trace is printed to the default stream. === Noncompliant code example [source,java] ---- try { /* ... */ } catch(Exception e) { e.printStackTrace(); // Noncompliant } ---- === Compliant solution [source,java] ---- try { /* ... */ } catch(Exception e) { LOGGER.log("context", e); } ---- == Resources * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Use a logger to log this exception. === Highlighting ``++printStackTrace()++`` ''' == Comments And Links (visible only on this page) === is related to: S1166 === on 26 Jul 2013, 13:07:44 Freddy Mallet wrote: Is implemented by \http://jira.codehaus.org/browse/SONARJAVA-235 === on 11 Feb 2015, 12:31:00 Sébastien Gioria wrote: This rule is a OWASP A6 tag candidate === on 12 Feb 2015, 13:55:24 Ann Campbell wrote: Thanks [~sebastien.gioria], but I'm going to pass on this. === on 10 Nov 2015, 11:05:50 Thomas Hofer wrote: Hi! Pretty new around here, so I don't know if it's the best option to discuss some specifics of this rule. I'll welcome any criticism or redirection to another channel of communication! I'm 100% onboard with flagging calls to ``++Throwable#printStackTrace()++``, without arguments. However, there are (IMHO) valid use cases for printing the stacktrace to a ``++PrintWriter++``, such as displaying relevant error messages in a UI (while still logging it to file / console). Obviously, this only makes sense in local apps and not in webapps at all. One example of such usage is available on \http://code.makery.ch/blog/javafx-dialogs-official/#exception-dialog. I feel it would be overkill to use a specific Logger for that case. This rule is flagged as CRITICAL in the default profile, which I find perfectly valid for the genuinely bad calls to ``++Throwable#printStackTrace()++``. However, I would like to be able to set a lower severity level for calls with a specific writer, which reflect a decision from the developper and are not included in the default templates for catch blocks :) Would you consider splitting this rule in two (with / without args) to allow for different severity levels? Or do you consider this a cornercase, in which case I should add my own rules to override this one? === on 10 Nov 2015, 13:56:45 Ann Campbell wrote: \[~\thomas.geek.hofer@gmail.com], please take this up on the https://groups.google.com/forum/#!forum/sonarqube[SonarQube Google Group] === on 10 Nov 2015, 14:06:01 Thomas Hofer wrote: Thanks, will do! === on 20 Nov 2015, 14:02:23 Thomas Hofer wrote: Done, https://groups.google.com/forum/#!topic/sonarqube/mCgzOFeUjZ4[here]. === on 19 Mar 2018, 11:09:45 Sébastien GIORIA - AppSecFR wrote: could be tageed : CWE-497 and OWASP A3:2017 endif::env-github,rspecator-view[]