ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S1148/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

103 lines
3.5 KiB
Plaintext
Raw Blame History

== Why is this an issue?
``++Throwable.printStackTrace(...)++`` prints a ``++Throwable++`` and its stack trace to some stream. By default that stream ``++System.Err++``, which could inadvertently expose sensitive information.
Loggers should be used instead to print ``++Throwable++``s, as they have many advantages:
* Users are able to easily retrieve the logs.
* The format of log messages is uniform and allow users to browse the logs easily.
This rule raises an issue when ``++printStackTrace++`` is used without arguments, i.e. when the stack trace is printed to the default stream.
=== Noncompliant code example
[source,java]
----
try {
/* ... */
} catch(Exception e) {
e.printStackTrace(); // Noncompliant
}
----
=== Compliant solution
[source,java]
----
try {
/* ... */
} catch(Exception e) {
LOGGER.log("context", e);
}
----
== Resources
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Use a logger to log this exception.
=== Highlighting
``++printStackTrace()++``
'''
== Comments And Links
(visible only on this page)
=== is related to: S1166
=== on 26 Jul 2013, 13:07:44 Freddy Mallet wrote:
Is implemented by \http://jira.codehaus.org/browse/SONARJAVA-235
=== on 11 Feb 2015, 12:31:00 Sébastien Gioria wrote:
This rule is a OWASP A6 tag candidate
=== on 12 Feb 2015, 13:55:24 Ann Campbell wrote:
Thanks [~sebastien.gioria], but I'm going to pass on this.
=== on 10 Nov 2015, 11:05:50 Thomas Hofer wrote:
Hi! Pretty new around here, so I don't know if it's the best option to discuss some specifics of this rule. I'll welcome any criticism or redirection to another channel of communication!
I'm 100% onboard with flagging calls to ``++Throwable#printStackTrace()++``, without arguments. However, there are (IMHO) valid use cases for printing the stacktrace to a ``++PrintWriter++``, such as displaying relevant error messages in a UI (while still logging it to file / console). Obviously, this only makes sense in local apps and not in webapps at all.
One example of such usage is available on \http://code.makery.ch/blog/javafx-dialogs-official/#exception-dialog. I feel it would be overkill to use a specific Logger for that case.
This rule is flagged as CRITICAL in the default profile, which I find perfectly valid for the genuinely bad calls to ``++Throwable#printStackTrace()++``. However, I would like to be able to set a lower severity level for calls with a specific writer, which reflect a decision from the developper and are not included in the default templates for catch blocks :)
Would you consider splitting this rule in two (with / without args) to allow for different severity levels? Or do you consider this a cornercase, in which case I should add my own rules to override this one?
=== on 10 Nov 2015, 13:56:45 Ann Campbell wrote:
\[~\thomas.geek.hofer@gmail.com], please take this up on the https://groups.google.com/forum/#!forum/sonarqube[SonarQube Google Group]
=== on 10 Nov 2015, 14:06:01 Thomas Hofer wrote:
Thanks, will do!
=== on 20 Nov 2015, 14:02:23 Thomas Hofer wrote:
Done, https://groups.google.com/forum/#!topic/sonarqube/mCgzOFeUjZ4[here].
=== on 19 Mar 2018, 11:09:45 Sébastien GIORIA - AppSecFR wrote:
could be tageed : CWE-497 and OWASP A3:2017
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink