I am getting the following issue for my code on Sonar:
Make sure that this logger's configuration is safe.
The code that I have written is:
public static final Logger logger = Logger.getLogger("logger");
if (logLevel.equalsIgnoreCase("info"))
logger.setLevel(Level.INFO);
else
logger.setLevel(Level.ALL);
It is showing me this error on logger.setLevel calls.
How can I solve these?
According to SonarQube rules, This rule flags for review code that initiates loggers configuration.
The goal is to guide security code reviews. Also, there is no way to fix it by code instead you should ask yourself whether:
- unauthorized users might have access to the logs, either because they are stored in an insecure location or because the application gives access to them.
- the logs contain sensitive information on a production server. This can happen when the logger is in debug mode.
- the log can grow without limit. This can happen when additional information is written into logs every time a user performs an action and the user can perform the action as many times as he/she wants.
- the logs do not contain enough information to understand the damage an attacker might have inflicted. The loggers mode (info, warn, error) might filter out important information. They might not print contextual information like the precise time of events or the server hostname.
- the logs are only stored locally instead of being backuped or replicated.
You are at risk if you answered yes to any of those questions.
For more info about security logging project, check the owasp page
