CS.EXCEPT.NO_LOG
Ensure all exceptions are either logged with a standard logger or rethrown.
This rule identifies code that does not log caught exceptions with a standard logger or rethrow caught exceptions.
Mitigation and prevention
Using a logging mechanism to keep track of caught exceptions can provide a clearer and more secure overview of the possible security vulnerabilities, and this information could help you implement a prompt and accurate fix.
Enforcing this rule will help to protect against the OWASP 2007 Top 10 application vulnerability "A6 - Information Leakage and Improper Error Handling".
Vulnerable code example
1  public class Example
2  {
3      public void readFile(String fileName)
4      {
5          try
6          {
7              FileInfo fi = new FileInfo(fileName);
8              FileStream fs = fi.OpenRead();
9              fs.Close();
10         }
11         catch (IOException e)
12         {
13             Console.WriteLine("Exception found");
14         }
15     }
16 }
Violation is reported on line 11.
Fixed code example
1  public class Example
2  {
3      public void readFile(String fileName)
4      {
5          try
6          {
7              FileInfo fi = new FileInfo(fileName);
8              FileStream fs = fi.OpenRead();
9              fs.Close();
10         }
11         catch (IOException e) // FIX
12         {
13             (new Logger()).Error("Failed to read file. " + e.Message);
14         }
15     }
16     public class Logger
17     {
18         public void Error(string errorDetails)
19         {
20             /* Logging the error */
21         }
22     }
23 }
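The two compliant options the rule accepts, logging through a standard logger or rethrowing, shown side by side as an added example that is not part of the rule page; it uses the BCL System.Diagnostics.TraceSource as the logger and a constructed missing-file path as input.

```csharp
using System;
using System.Diagnostics;
using System.IO;

public class FileReader
{
    // BCL logger; assumption: a real service would attach a file or event-log listener, not the console.
    private static readonly TraceSource Log = new TraceSource("FileReader", SourceLevels.All);
    static FileReader()
    {
        Log.Listeners.Add(new TextWriterTraceListener(Console.Out));
    }
    // Option 1: log the caught exception. Type, message and stack trace go to the log;
    // the caller only learns that the read failed, so no internal detail leaks to a user.
    public static bool TryRead(string fileName)
    {
        try
        {
            using (FileStream fs = new FileInfo(fileName).OpenRead()) { }
            return true;
        }
        catch (IOException e)
        {
            Log.TraceEvent(TraceEventType.Error, 0, "Failed to read file '{0}': {1}", fileName, e);
            return false;
        }
    }
    // Option 2: rethrow. A bare 'throw;' keeps the original stack trace, so the
    // exception is logged once at the boundary that finally handles it.
    public static void ReadOrThrow(string fileName)
    {
        try
        {
            using (FileStream fs = new FileInfo(fileName).OpenRead()) { }
        }
        catch (IOException e)
        {
            Log.TraceEvent(TraceEventType.Warning, 0, "Read of '{0}' failed, propagating {1}", fileName, e.GetType().Name);
            throw;
        }
    }
    public static void Main()
    {
        string missing = Path.Combine(Path.GetTempPath(), "does-not-exist.txt"); // constructed input
        Console.WriteLine(TryRead(missing));          // error is logged, prints False
        try { ReadOrThrow(missing); }
        catch (FileNotFoundException) { Console.WriteLine("Handled at the boundary"); }
    }
}
```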