Veracode - CWE-117: Improper Output Neutralization for Logs

[vsfeedback]

I was asked to verify the code I wrote with Veracode. Veracode reports a problem with the Logs "CWE117: Improper Output Neutralization for Logs" but even commenting on all the logs the problem remains. The module indicated by veracode is "microsoft.extensions.logging.abstractions.dll" which is present in the Azure Function v1 SDK.

How can I fix the problem?

Best regards,

Antonino Bambara

This issue has been moved from https://developercommunity.visualstudio.com/content/problem/668379/veracode-cwe-117-improper-output-neutralization-fo.html
VSTS ticketId: 957394
These are the original issue comments:

Visual Studio Feedback System on 7/31/2019, 02:18 AM (31 hours ago):

We have directed your feedback to the appropriate engineering team for further evaluation. The team will review the feedback and notify you about the next steps.

Visual Studio Feedback System on 8/1/2019, 00:32 AM (8 hours ago):

This issue is currently being investigated. Our team will get back to you if either more information is needed, a workaround is available, or the issue is resolved.

These are the original issue solutions:
(no solutions)

[blowdart]

Can we see the code you wrote that it's tripping up on?

[blowdart]

(If you feel it's not code you want to share publicly you can email me instead, barry.dorrans@microsoft.com)

[blowdart]

Oh and details on which Vericode software and versions would also be helpful

[abambara]

Oh and details on which Vericode software and versions would also be helpful

I'm using Veracode 3.8.0.0 a Visual Studio 2017 Community extension.

Best regards,
Antonino Bambara

[abambara]

Can we see the code you wrote that it's tripping up on?

I wrote a simple Azure Function V1 (ASP .NET 4.6) that reads events from a service bus and execute operations.

For logging I used "ILogger" but veracode signaled the problem in question when I wrote:

log.LogInformation("[IoTReplyRuleEngine] RuleEngineEventTrigger - Found the scenario that matches the event: {0} - ({1})", scenario.name, scenario.idScenario);

I changed the logger and I used "TraceWiter" in this way veracode did not highlight any problems on the logs I wrote but it shows however that the code is affected from problem "CWE-117: Improper Output Neutralization for Logs" without indicating in which part of the code the problem is present.

I commented all the logs in all the code however Veracode reports that the code presents the problem.
So if the "microsoft.extensions.logging.abstractions.dll" library is present and is not used however Veracode reports a problem. But this library is present in "Microsoft.NET.Sdk.Functions (1.0.29)" so I can't remove it.

Best regards,
Antonino Bambara

[analogrelay]

Veracode has some more details on this in their forums: https://community.veracode.com/s/question/0D52T00004sTKg1SAG/how-to-fix-cwe-117-improper-output-neutralization-for-logs-in-net-core-22-solution

This doesn't appear to be a problem in Logging that we can take action on. The Veracode issue is indicating that their scanner doesn't know if you are properly sanitizing the log message to not include CRLF characters, which is accurate. The built-in loggers don't strip CRLF characters (nor does the infrastructure) from log messages, so it's up to you to sanitize the input, or use a logger sink that does (such as JSON-based one, which would force them to be encoded).

Either way, Veracode doesn't know how your logging infrastructure is set up, so you'll likely need to analyze your usage carefully here and suppress the warning.