Insufficient Logging (CWE-778) - Security Vulnerability

Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

Verbreitung

Hoch

Häufig ausgenutzt

Auswirkung

Mittel

Review empfohlen

Prävention

Dokumentiert

3 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Insufficient Logging basierend auf 3 Shoulder-Erkennungsregeln.

🟨 JavaScript Alle anzeigen JavaScript Details →

Avoid console.log when logging library exists low

Replace console.log with a structured logging library like winston or pino

+1 -1 javascript

- console.log('User logged in', userId);
+ logger.info('User logged in', { userId });

🐍 Python Alle anzeigen Python Details →

Avoid print() when logging module exists low

Replace print() with the logging module for structured, level-aware output

+8 -4 python

- def process_request(data):
-     print(f"Processing request: {data}")
-     result = handle(data)
-     print(f"Result: {result}")
+ import logging
+ 
+ logger = logging.getLogger(__name__)
+ 
+ def process_request(data):
+     logger.info("Processing request: %s", data)
+     result = handle(data)
+     logger.debug("Result: %s", result)
      return result

Insufficient Security Event Logging MEDIUM

Log authentication attempts, failures, and admin actions with user/IP context

+15 -9 python

- from flask import request
- from flask_login import login_user
- 
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
-         login_user(user)
-         return redirect('/dashboard')
+ import logging
+ from flask import request
+ from flask_login import login_user
+ 
+ logger = logging.getLogger('security')
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form['username']
+     user = User.query.filter_by(username=username).first()
+     if user and check_password(user.password, request.form['password']):
+         login_user(user)
+         logger.info(f"Login success: {username} from {request.remote_addr}")
+         return redirect('/dashboard')
+     logger.warning(f"Login failed: {username} from {request.remote_addr}")
      return 'Invalid credentials', 401

Wichtige Praktiken

reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Insufficient Logging-Mustern zu scannen. 3 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (3)

🐍 Python 2 rules

Avoid print() when logging module exists low

Detects print() calls when the logging module is used in the codebase. CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n

Insufficient Security Event Logging MEDIUM

Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response. This rule only triggers on files containing security-critical patterns like: - Authentication (login, logout, authenticate, check_password) - Authorization decorators (@login_required, @permission_required) - Privilege checks (is_staff, is_superuser, is_admin, has_perm) - Session management with aut

🟨 Javascript 1 rules

Avoid console.log when logging library exists low

Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

🔷 Typescript 1 rules

Avoid console.log when logging library exists low

Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Insufficient Logging-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟡

Security-critical operation lacks audit logging python-insufficient-logging

🟡

security-critical operations (authentication, authorization failures, admin actions) without proper python-insufficient-logging

console javascript-avoid-console-log

print() calls when the logging module is used in the codebase python-avoid-print-logging

🔍

Scanne deine Codebasis nach Insufficient Logging

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen