Sensitive information leak High

Sensitive information should not be exposed through log files or stack traces. Ensure that sensitive information is redacted and that logging is used only in debug mode with test data.

Detector ID
java/sensitive-information-leak@v1.0
Category
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1public void processResponseNoncompliant(Map<String, String> response) {
2    // Noncompliant: logs sensitive data without redaction resulting in a possible sensitive information leak.
3    final String name = response.get("Name");
4    String redacted = RedactionUtil.redact(name);
5    log.info(name);
6}

Compliant example

1public void processResponseCompliant(Map<String, String> response) {
2    final String name = response.get("Name");
3    String redacted = RedactionUtil.redact(name);
4    // Compliant: sensitive data is passed through redaction before logging, preventing possible sensitive information leak.
5    log.info(redacted);
6}