Insufficient Logging

3 rules detect this

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

Prevalence: High (frequently exploited)
Impact: Medium
Recommended review: Prevention
Documented: 3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Insufficient Logging, based on Shoulder's 3 detection rules.

Avoid console.log when a logging library exists (severity: low)

Replace console.log with a structured logging library like winston or pino

+1 -1 javascript
- console.log('User logged in', userId);
+ logger.info('User logged in', { userId });
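Review bot: the argument order in `logger.info('User logged in', { userId })` matches winston's `(message, meta)` signature but not pino's, where the merging object comes first (`logger.info({ userId }, 'User logged in')`); since the fix text names both libraries, the example should say which order applies, because with pino the `{ userId }` object is not merged into the record as a field.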
  
Avoid print() when the logging module exists (severity: low)

Replace print() with the logging module for structured, level-aware output

+8 -4 python
- def process_request(data):
-     print(f"Processing request: {data}")
-     result = handle(data)
-     print(f"Result: {result}")
+ import logging
+ 
+ logger = logging.getLogger(__name__)
+ 
+ def process_request(data):
+     logger.info("Processing request: %s", data)
+     result = handle(data)
+     logger.debug("Result: %s", result)
      return result
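Review bot: `logger.debug("Result: %s", result)` and `logger.info("Processing request: %s", data)` are both below Python's default WARNING threshold, so with `logging.getLogger(__name__)` and no handler configuration neither line is emitted, which is a regression from the `print()` calls they replace; the fix should mention that the application configures logging at start-up (for example `logging.basicConfig(level=logging.INFO)`) and that `Result` was deliberately demoted to DEBUG.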
  
Insufficient Security Event Logging (severity: medium)

Log authentication attempts, failures, and admin actions with user/IP context

+15 -9 python
- from flask import request
- from flask_login import login_user
- 
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
-         login_user(user)
-         return redirect('/dashboard')
+ import logging
+ from flask import request
+ from flask_login import login_user
+ 
+ logger = logging.getLogger('security')
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form['username']
+     user = User.query.filter_by(username=username).first()
+     if user and check_password(user.password, request.form['password']):
+         login_user(user)
+         logger.info(f"Login success: {username} from {request.remote_addr}")
+         return redirect('/dashboard')
+     logger.warning(f"Login failed: {username} from {request.remote_addr}")
      return 'Invalid credentials', 401
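Review bot: the `logger.info(f"Login success: ...")` and `logger.warning(f"Login failed: ...")` calls interpolate `username`, raw form input, into the message with f-strings, unlike the previous fix which passes `%s` arguments; prefer `logger.warning("Login failed: %s from %s", username, request.remote_addr)` so the template stays constant and the values reach structured handlers as fields, and bound the username's length and strip line breaks so a crafted value cannot produce a forged record. Note also that `request.remote_addr` is the proxy's address when the app runs behind a reverse proxy, so the deployment needs proxy-aware client IP handling (Werkzeug's ProxyFix, for instance) for the "from where" part to be meaningful.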
  

Key practices

  • reviewed:
    - They bypass structured logging
    - They don't respect log levels
    - They can't be easily filtered in production
    - They go to stdout, n
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Insufficient Logging patterns (3 rules).

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (3)

4 Warning signs

What to look for during code review

These patterns indicate potential Insufficient Logging vulnerabilities. Look for them during code reviews and security audits.

🟡 Security-critical operation lacks audit logging (rule: python-insufficient-logging)
🟡 Security-critical operations (authentication, authorization failures, admin actions) without proper (rule: python-insufficient-logging)
• print() calls when the logging module is used in the codebase (rule: python-avoid-print-logging)