
Insufficient Logging

3 rules detect this

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.
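As an added example (not Shoulder's code) of what "who did what, when, and from where" looks like in practice: a small Python security-event logger that emits one JSON record per event with user, action, outcome and source IP, raises failures to WARNING, neutralises control characters in attacker-influenced values, and wires up an explicit handler. The `security` logger name, the field schema and the sample events are constructed for illustration.

```python
import io
import json
import logging
from datetime import datetime, timezone

EVENT_FIELDS = ("event", "user", "src_ip", "outcome", "target")  # hypothetical schema

class JsonFormatter(logging.Formatter):
    # One JSON object per event so a SIEM can filter on fields instead of grepping text.
    def format(self, record):
        out = {"ts": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
               "level": record.levelname, "msg": record.getMessage()}
        for key in EVENT_FIELDS:  # values passed via extra= become record attributes
            if hasattr(record, key):
                out[key] = getattr(record, key)
        return json.dumps(out, sort_keys=True)

def clean(value):
    # Replace CR/LF and other control characters in attacker-influenced values
    # (usernames, headers) so one request cannot forge extra log lines.
    return "".join(ch if ch.isprintable() else "?" for ch in str(value))

def build_security_logger(stream):
    # Dedicated 'security' logger with an explicit handler: without one the logging
    # module drops INFO records (only WARNING and above reach the last-resort handler).
    logger = logging.getLogger("security")
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger

def log_security_event(logger, event, user, src_ip, outcome, target=None):
    # Who (user) did what (event, target) from where (src_ip) with which outcome;
    # 'when' is the record timestamp. Failures go out at WARNING so they stand out.
    fields = {"event": event, "user": clean(user), "src_ip": clean(src_ip),
              "outcome": outcome, "target": clean(target) if target else None}
    logger.log(logging.WARNING if outcome == "failure" else logging.INFO,
               "%s %s", event, outcome, extra=fields)
    return fields

def demo():
    buf = io.StringIO()  # constructed sample events are parsed back for inspection
    log = build_security_logger(buf)
    log_security_event(log, "login", "alice", "203.0.113.5", "success")
    log_security_event(log, "login", "bob\nlogin success", "203.0.113.7", "failure")
    log_security_event(log, "role_change", "alice", "203.0.113.5", "success", target="carol:admin")
    return [json.loads(line) for line in buf.getvalue().splitlines()]
```

Each line `demo()` produces is independently parseable, and the forged-newline username collapses to a single record rather than a second fake "login success" entry.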

Prevalence: High (frequently exploited)
Impact: Medium (review recommended)
Prevention: Documented (3 fix examples)

How to fix this vulnerability

Insufficient Logging prevention strategies, based on 3 Shoulder detection rules.

Avoid console.log when logging library exists (severity: low)

Replace console.log with a structured logging library like winston or pino

+1 -1 javascript
- console.log('User logged in', userId);
+ logger.info('User logged in', { userId });
  
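Review bot: the replacement `logger.info('User logged in', { userId })` follows winston's (message, meta) argument order but not pino's, which takes the merging object first (`logger.info({ userId }, 'User logged in')`); with pino as written, `{ userId }` is treated as an interpolation value and `userId` is not recorded as a structured field. Since the fix names both libraries, the suggested replacement should state which call shape it assumes, and `logger` must be imported or instantiated in the module where the line lands.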
Avoid print() when logging module exists (severity: low)

Replace print() with the logging module for structured, level-aware output

+8 -4 python
- def process_request(data):
-     print(f"Processing request: {data}")
-     result = handle(data)
-     print(f"Result: {result}")
+ import logging
+ 
+ logger = logging.getLogger(__name__)
+ 
+ def process_request(data):
+     logger.info("Processing request: %s", data)
+     result = handle(data)
+     logger.debug("Result: %s", result)
      return result
  
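Review bot: `logger.info(...)` and `logger.debug(...)` on a logger with no configured handler are silently dropped by the standard library (the last-resort handler only emits WARNING and above), so this fix replaces visible print() output with nothing unless `logging.basicConfig(...)` or a handler is wired up at application startup; the fix description should say so. Also check whether `result` can carry sensitive data before logging it even at DEBUG, since debug output often ends up in shared log stores.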
Insufficient Security Event Logging (severity: medium)

Log authentication attempts, failures, and admin actions with user/IP context

+15 -9 python
- from flask import request
- from flask_login import login_user
- 
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
-         login_user(user)
-         return redirect('/dashboard')
+ import logging
+ from flask import request
+ from flask_login import login_user
+ 
+ logger = logging.getLogger('security')
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form['username']
+     user = User.query.filter_by(username=username).first()
+     if user and check_password(user.password, request.form['password']):
+         login_user(user)
+         logger.info(f"Login success: {username} from {request.remote_addr}")
+         return redirect('/dashboard')
+     logger.warning(f"Login failed: {username} from {request.remote_addr}")
      return 'Invalid credentials', 401
  
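Review bot: `username` comes straight from `request.form` and is interpolated into the message with an f-string, so a value containing CR/LF can forge additional log lines; pass it as a structured field (`extra=` with a JSON formatter) or strip control characters, and prefer the lazy `"%s"` form used in the previous fix so formatting is consistent and only done when the level is enabled. Note also that `request.remote_addr` is the reverse proxy's address when the app sits behind one; derive the client IP from a trusted forwarded-header configuration (for example werkzeug's `ProxyFix`) rather than the raw header, or the "from where" in these records will be wrong.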

Key practices

  • reviewed:
    - They bypass structured logging
    - They don't respect log levels
    - They can't be easily filtered in production
    - They go to stdout, n

Find the vulnerability in your code

Scan your code for Insufficient Logging patterns with Shoulder. 3 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (3)

4 warning signs

What to look for in code review

These patterns indicate a potential Insufficient Logging vulnerability. Look for them during code review and security audits.

- Security-critical operation lacks audit logging (rule: python-insufficient-logging)
- security-critical operations (authentication, authorization failures, admin actions) without proper (rule: python-insufficient-logging)
- print() calls when the logging module is used in the codebase (rule: python-avoid-print-logging)

Scan your codebase: Insufficient Logging

The Shoulder CLI finds vulnerable patterns across your entire codebase.