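rules:
  - id: structured-logging
    # Flags log calls whose message is a C# interpolated string ($"...").
    # The original form listed one pattern per method and matched only the
    # single-argument call shape, so the common exception-first overloads
    # (logger.Error(ex, $"..."), logger.LogError(ex, $"...")) and calls with
    # trailing arguments were missed. A single pattern with `...` on both
    # sides of the interpolated string catches interpolation anywhere in the
    # argument list; the method name is constrained separately below.
    patterns:
      - pattern: $LOG.$METHOD(..., $"...", ...)
      - metavariable-regex:
          metavariable: $METHOD
          # Level methods across the supported APIs:
          #   Serilog:                        Verbose Debug Information Warning Error Fatal
          #   Microsoft.Extensions.Logging:   LogTrace LogDebug LogInformation LogWarning LogError LogCritical
          #   NLog (and log4net-style names): Trace Debug Info Warn Error Fatal
          # Explicitly anchored so the match does not depend on whether
          # Semgrep anchors metavariable-regex implicitly.
          regex: '^(Verbose|Debug|Information|Warning|Error|Fatal|LogTrace|LogDebug|LogInformation|LogWarning|LogError|LogCritical|Trace|Info|Warn)$'
      - metavariable-regex:
          metavariable: $LOG
          # Receiver must look like a logger: `logger`, `_logger`, `Log`,
          # `_log`, `LOG`. Written as a "contains" check (`.*` on both sides)
          # so it behaves the same whether Semgrep anchors the regex at the
          # start, at both ends, or not at all; without the trailing `.*` a
          # fully-anchored match would silently skip `_logger`, the most
          # common Microsoft.Extensions.Logging field name.
          regex: '.*(log|LOG|Log).*'
    message: >-
      String interpolation in a log call bakes variable values into the message
      text, so the logging library cannot tell the template from the data. Pass the
      values as separate arguments and let the library render them, for example
      logger.LogInformation("User {User} logged in", user). Structured sinks can then
      escape, type and index each value, which makes logs searchable and reduces the
      impact of log injection (CWE-117). Note that parameterised logging on its own
      does not strip CR/LF or control characters from values; a plain-text sink still
      needs output encoding of untrusted values.
    languages: [csharp]
    severity: INFO
    metadata:
      cwe:
        - 'CWE-117: Improper Output Neutralization for Logs'
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      technology:
        - .net
        - serilog
        - nlog
      # LOW: the rule is a heuristic on method and receiver names; it cannot
      # see the sink configuration, so findings are advisory.
      confidence: LOW
      references:
        - https://github.com/NLog/NLog/wiki/How-to-use-structured-logging
        - https://softwareengineering.stackexchange.com/questions/312197/benefits-of-structured-logging-vs-basic-logging
      category: best-practice
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW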