Log forging in checkmarx scan in java

Question

Log forging in checkmarx scan in Java

How to resolve log forging for Java in a checkmarx scan. I tried sanitizing input before putting in the log file. But, it still complains validate or sanitize the input before logging. Please help me to resolve this issue.

Does this answer your question? [Checkmarx Java fix for Log Forging -sanitizing user input](https://stackoverflow.com/questions/55364577/checkmarx-java-fix-for-log-forging-sanitizing-user-input) — baruchiro, May 08 '20 at 06:55
I used data sanitize method before logging anything and converted the harmful strings then made the bug as not exploitable in checkmarx there by security team unflagged the issue. — gautham, Oct 15 '20 at 19:40

score 1 · Accepted Answer · answered May 23 '22 at 13:55

1

I used data sanitize method before logging anything and converted the harmful strings then made the bug as not exploitable in checkmarx there by security team unflagged the issue. Checkmarx don't intelligently validate the method, security team made the issue not exploitable.

answered May 23 '22 at 13:55

gautham

87
2
12

I too did the change as mentioned in the links. But, I had to explicitly mark it as 'Not Exploitable' – KnockingHeads May 31 '23 at 05:35

Log forging in checkmarx scan in java

1 Answers1