SonarJava / SONARJAVA-3029

Update S1166: do not raise issues on dynamic message logging

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.11
    • Component/s: Rules
    • Labels: None

      Description

      Logging exceptions is a tricky business. It is necessary to log as much information as possible to track potential attacks, but at the same time it can write sensitive information into the logs, which is itself a vulnerability. See the OWASP guidelines for more details.

      RSPEC-1166 should stop raising issues on dynamically created messages, as a dynamically built message shows that the developer added some context to the error message.

      try {
        /* ... */
      } catch (Exception e) {
        String message = "Exception raised while authenticating user: " + e.getMessage();
        LOGGER.warn(message); // Compliant
      }

      However, the rule should still raise an issue on the following code, as the exception message alone is rarely enough to understand exactly what happened.

      try {
        /* ... */
      } catch (Exception e) {
        LOGGER.warn(e.getMessage()); // NonCompliant
      }

      And of course an issue should still be raised on hardcoded messages, as they don't give enough context:

      try {
        /* ... */
      } catch (Exception e) {
        LOGGER.warn("Something is broken"); // NonCompliant
      }

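      The three cases above, run through a small regex heuristic added here as an illustration. This is not SonarJava's S1166 implementation; it assumes simple catch blocks without nested braces, a logger named LOGGER, and a message built with String concatenation, and the samples are constructed from the ticket's snippets.

```python
import re

# Constructed samples mirroring the ticket's three catch blocks (not SonarJava test code).
SAMPLES = {
    "dynamic":   'catch (Exception e) { String message = "Exception raised while '
                 'authenticating user: " + e.getMessage(); LOGGER.warn(message); }',
    "exception": 'catch (Exception e) { LOGGER.warn(e.getMessage()); }',
    "hardcoded": 'catch (Exception e) { LOGGER.warn("Something is broken"); }',
}

# catch (Type var) { body }  -- assumes no nested braces inside the catch body.
CATCH_RE = re.compile(r'catch\s*\(\s*\w+\s+(\w+)\s*\)\s*\{(.*?)\}', re.DOTALL)
# LOGGER.<level>(<argument>);  -- the argument is what the rule inspects.
LOG_RE = re.compile(r'LOGGER\.(?:trace|debug|info|warn|error)\s*\((.*?)\)\s*;', re.DOTALL)
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def classify_expr(expr, exc_var, body):
    """Return 'compliant' or the reason an issue is raised for one logged expression."""
    expr = expr.strip()
    if STRING_LITERAL.match(expr):
        return "hardcoded message gives no context"
    if expr == f"{exc_var}.getMessage()":
        return "exception message alone is rarely enough"
    if re.fullmatch(r'\w+', expr):
        # A local variable: resolve its String initializer in the catch body and classify that.
        m = re.search(rf'String\s+{expr}\s*=\s*(.*?);', body, re.DOTALL)
        if m:
            return classify_expr(m.group(1), exc_var, body)
    # Anything assembled from several parts (concatenation etc.) counts as developer-added context.
    return "compliant"


def check(source):
    """Return [(logged_expression, verdict), ...] for every logger call in every catch block."""
    findings = []
    for exc_var, body in CATCH_RE.findall(source):
        for arg in LOG_RE.findall(body):
            findings.append((arg.strip(), classify_expr(arg, exc_var, body)))
    return findings


if __name__ == "__main__":
    for name, snippet in SAMPLES.items():
        print(name, check(snippet))
```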
      People

      • Assignee: Christophe Zurn
      • Reporter: Nicolas Harraudeau
      • Votes: 1
      • Watchers: 3
