CS.EXCEPT.NO_LOG
Ensure all exceptions are either logged with a standard logger or rethrown.
This rule identifies code that does not log caught exceptions with a standard logger or rethrow caught exceptions.
Mitigation and prevention
Using a logging mechanism to keep track of caught exceptions can provide a clearer and more secure overview of the possible security vulnerabilities, and this information could help you implement a prompt and accurate fix.
Enforcing this rule will help to protect against the OWASP 2007 Top 10 application vulnerability "A6 - Information Leakage and Improper Error Handling".
Vulnerable code example
1 public class Example
2 {
3 public void readFile(String fileName)
4 {
5 try
6 {
7 FileInfo fi = new FileInfo(fileName);
8 FileStream fs = fi.OpenRead();
9 fs.Close();
10 }
11 catch (IOException e)
12 {
13 Console.WriteLine("Exception found");
14 }
15 }
16 }
Violation is reported on line 11.
Fixed code example
1 public class Example
2 {
3 public void readFile(String fileName)
4 {
5 try
6 {
7 FileInfo fi = new FileInfo(fileName);
8 FileStream fs = fi.OpenRead();
9 fs.Close();
10 }
11 catch (IOException e) // FIX
12 {
13 (new Logger()).Error("Failed to read file. " + e.Message);
14 }
15 }
16 public class Logger
17 {
18 public void Error(string errorDetails)
19 {
20 /* Logging the error */
21 }
22 }
23 }