Insufficient Logging
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.
Prevalence: High (frequently exploited)
Impact: Medium (review recommended)
Prevention: Documented (3 fix examples)
2 Prevention
How to fix this vulnerability
Insufficient Logging prevention strategies based on 3 Shoulder detection rules.
JavaScript
Avoid console.log when logging library exists
low
Replace console.log with a structured logging library like winston or pino
- console.log('User logged in', userId); + logger.info('User logged in', { userId });
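Review bot: the `+` line calls `logger.info` but the hunk does not show where `logger` is created; the module needs the winston or pino instance imported (for example from a shared logger setup module) or the replacement fails with a ReferenceError at runtime. Passing `{ userId }` as a separate object rather than concatenating it into the message is the right shape for structured output.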
Python
Avoid print() when logging module exists
low
Replace print() with the logging module for structured, level-aware output
- def process_request(data): - print(f"Processing request: {data}") - result = handle(data) - print(f"Result: {result}") + import logging + + logger = logging.getLogger(__name__) + + def process_request(data): + logger.info("Processing request: %s", data) + result = handle(data) + logger.debug("Result: %s", result) return result
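Review bot: the new `logging.getLogger(__name__)` has no handler or level configured anywhere in this hunk, so under Python's default last-resort handler (WARNING and above to stderr) the added `logger.info` and `logger.debug` calls are silently dropped until the application configures logging at startup (`logging.basicConfig(...)` or `logging.config.dictConfig(...)`); worth checking that entry point in the same change. The move from f-strings to `%s` arguments is good, since formatting is deferred until a record is actually emitted.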
Insufficient Security Event Logging
MEDIUM
Log authentication attempts, failures, and admin actions with user/IP context
- from flask import request - from flask_login import login_user - - @app.route('/login', methods=['POST']) - def login(): - user = User.query.filter_by(username=request.form['username']).first() - if user and check_password(user.password, request.form['password']): - login_user(user) - return redirect('/dashboard') + import logging + from flask import request + from flask_login import login_user + + logger = logging.getLogger('security') + + @app.route('/login', methods=['POST']) + def login(): + username = request.form['username'] + user = User.query.filter_by(username=username).first() + if user and check_password(user.password, request.form['password']): + login_user(user) + logger.info(f"Login success: {username} from {request.remote_addr}") + return redirect('/dashboard') + logger.warning(f"Login failed: {username} from {request.remote_addr}") return 'Invalid credentials', 401
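Review bot: both added log lines interpolate `username`, which is untrusted form input, into the message with an f-string, so a value containing line breaks can split into extra records in a plain-text log (log injection). Prefer the `%s`-argument style used in the other Python hunk, e.g. `logger.warning("Login failed: %s from %s", username, request.remote_addr)`, or pass the fields via `extra=` so a structured formatter emits them as separate, escaped fields. Also note that `request.remote_addr` is the reverse proxy's address when the app sits behind one; Werkzeug's `ProxyFix` middleware is the usual remedy if the "from where" context is to be meaningful.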
3 Detection
Find vulnerabilities in your code
Scan your code for Insufficient Logging patterns with Shoulder. 3 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778
# Or scan entire project
npx @shoulderdev/cli trust .
Detection rules (3)
Python
2 rules
Avoid print() when logging module exists
low
Detects print() calls when the logging module is used in the codebase.
CAPABILITY-GATED: This rule only fires when Python's logging module or a
logging library (loguru, structlog) is detected. If the project only uses
print(), that's an architectural choice - not a violation.
When logging infrastructure exists, print() calls are outliers that should be reviewed:
- They bypass structured logging
- They don't respect log levels
- They can't be easily filtered in production
- They go to stdout, n
Insufficient Security Event Logging
MEDIUM
Detects security-critical operations (authentication, authorization failures,
admin actions) without proper logging. Insufficient logging prevents detection
of attacks and hinders incident response.
This rule only triggers on files containing security-critical patterns like:
- Authentication (login, logout, authenticate, check_password)
- Authorization decorators (@login_required, @permission_required)
- Privilege checks (is_staff, is_superuser, is_admin, has_perm)
- Session management with aut
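As an added illustration of how a rule of this kind can be implemented (a constructed example, not Shoulder's own rule code), the following uses Python's standard `ast` module to flag functions that match the patterns listed above but contain no logging call; the constant sets, helper names and sample source are assumptions.

```python
import ast

# Hypothetical re-implementation of the page's "Insufficient Security Event
# Logging" rule idea (constructed example, not Shoulder's own rule code).
SECURITY_NAMES = {"login", "logout", "authenticate", "check_password"}
SECURITY_DECORATORS = {"login_required", "permission_required"}
PRIVILEGE_ATTRS = {"is_staff", "is_superuser", "is_admin", "has_perm"}
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}

def _base_name(node):
    # Decorator or callee name: `login_required` -> login_required, `app.route(...)` -> route
    node = node.func if isinstance(node, ast.Call) else node
    return getattr(node, "attr", None) or getattr(node, "id", None)

def _is_security_critical(func):
    # Function name, decorator, or body matches one of the page's listed patterns
    if func.name in SECURITY_NAMES or any(
            _base_name(d) in SECURITY_DECORATORS for d in func.decorator_list):
        return True
    for node in ast.walk(func):
        if isinstance(node, ast.Attribute) and node.attr in PRIVILEGE_ATTRS:
            return True
        if isinstance(node, ast.Call) and _base_name(node) in SECURITY_NAMES:
            return True
    return False

def _has_logging_call(func):
    # True if the body calls logger.<level>(...), logging.<level>(...) or log.<level>(...)
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr in LOG_METHODS and isinstance(n.func.value, ast.Name)
               and n.func.value.id in {"logger", "logging", "log"}
               for n in ast.walk(func))

def find_unlogged_security_functions(source):
    """Names of security-critical functions whose body contains no logging call."""
    return [n.name for n in ast.walk(ast.parse(source))
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
            and _is_security_critical(n) and not _has_logging_call(n)]

# Constructed sample: the page's Flask login handler before the fix (no logging)
BEFORE = """def login():
    user = User.query.filter_by(username=request.form['username']).first()
    if user and check_password(user.password, request.form['password']):
        login_user(user)
        return redirect('/dashboard')
    return 'Invalid credentials', 401
"""
# Same handler after adding the page's logging call on the success path
AFTER = BEFORE.replace("        login_user(user)\n", "        login_user(user)\n"
                       "        logger.info('Login success: %s', user.id)\n")
```

The checker only parses source, so it can be run over files that do not import cleanly; a real rule would also need to follow the capability gate described above (only fire when a logging library is present).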
Javascript
1 rule
4 Warning signs
What to look for in code review
These patterns indicate potential Insufficient Logging vulnerabilities. Watch for them during code review and security audits.
- Security-critical operation lacks audit logging (rule: python-insufficient-logging)
- security-critical operations (authentication, authorization failures, admin actions) without proper (rule: python-insufficient-logging)
- console (rule: javascript-avoid-console-log)
- print() calls when the logging module is used in the codebase (rule: python-avoid-print-logging)