Leakage of information in logger message

Description

Information leakage through logger messages can compromise sensitive data. This vulnerability arises when dynamic data or variables, which may contain sensitive information, are included in log messages.

Remediations

  • Do not include variables or dynamic data containing sensitive information in logger messages. Logs are often retained and shared with weaker access controls than the application data they describe, so any sensitive value written to them can be inadvertently exposed.
    logger.info("user signed in: " + user.uuid); // unsafe: dynamic data in the message
  • Do log static messages that contain no dynamic variables or attributes. This minimizes the risk of accidentally logging sensitive information.
    logger.info("user signed in"); // safe: static message only
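To show how a check in the spirit of this rule distinguishes the two cases above, here is a small source scanner written for this page. It is an added example, not Bearer's implementation of java_lang_logger_leak, and it assumes the logger variable is named logger, log, LOGGER or LOG and that each call fits on one line; the Java snippet it scans is constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample Java source (not from any real project) mixing
# static messages with several ways of injecting dynamic data.
SAMPLE_JAVA = """\
public class Login {
    public void signIn(User user) {
        logger.info("user signed in: " + user.uuid);          // dynamic: concatenation
        logger.debug("session token {}", user.getToken());    // dynamic: placeholder argument
        logger.warn(String.format("bad password for %s", user.email)); // dynamic: formatted
        logger.info("user signed in");                        // static: fine
        logger.error("sign-in failed");                       // static: fine
        log.info("attempt by " + request.getRemoteAddr());    // dynamic via 'log' receiver
    }
}
"""

# Matches a single-line logger call and captures the level and the raw
# argument list. Assumption: receiver names are logger/log/LOGGER/LOG.
LOG_CALL = re.compile(
    r"\b(?:logger|log|LOGGER|LOG)\.(trace|debug|info|warn|error|fatal)\s*\((.*)\)\s*;"
)

# A purely static message: exactly one string literal and nothing else.
STATIC_ARG = re.compile(r'^\s*"(?:[^"\\]|\\.)*"\s*$')


def find_dynamic_log_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, level, argument_text) for every logger call whose
    argument list is anything other than a single string literal.

    Concatenation, placeholder arguments and pre-formatted strings are all
    reported, because each one carries run-time data into the log message.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop a trailing line comment (simplistic: ignores '//' inside literals)
        match = LOG_CALL.search(code)
        if not match:
            continue
        level, args = match.group(1), match.group(2)
        if STATIC_ARG.match(args):
            continue  # static message: allowed by the rule
        findings.append((lineno, level, args.strip()))
    return findings


if __name__ == "__main__":
    for lineno, level, args in find_dynamic_log_calls(SAMPLE_JAVA):
        print(f"line {lineno}: logger.{level}({args}) contains dynamic data")
```

Run against the embedded sample, the scanner reports lines 3, 4, 5 and 8 and passes the two static messages. Note that it treats any non-literal argument as dynamic, which is the conservative reading of the remediation: whether a particular value is sensitive cannot be decided from the call site alone.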

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_logger_leak

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_logger_leak