cwe-532-sensitive-info-in-logs


Use this skill when you need to remediate CWE-532 (Sensitive Information in Logs) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing sensitive information in logs issues.

By DevelopersCoffee. Updated 3/6/2026

---
name: cwe-532-sensitive-info-in-logs
description: Use this skill when you need to remediate CWE-532 (Sensitive Information in Logs) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing sensitive information in logs issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-532
  - remediation
  - sast
---

CWE-532 Sensitive Information in Logs

Description

CWE-532 (Insertion of Sensitive Information into Log File) covers code that writes credentials, session or API tokens, keys, or personal data into log output. Log files and the pipelines they feed (agents, aggregators, dashboards, backups) are usually readable by far more people and systems than the data itself, are retained for months or years, and are rarely encrypted or access-controlled like a credential store. A secret written to a log is therefore effectively disclosed to everyone with log access, and it stays disclosed until the credential is rotated.

Reference: https://cwe.mitre.org/data/definitions/532.html

OWASP Category: A09:2021 – Security Logging and Monitoring Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Password in log
log.debug("Login attempt: user={}, password={}", username, password);

// VULNERABLE: Token logged
log.info("API call with token: {}", authToken);

Why it's vulnerable: The password and the bearer token are passed as log arguments, so they are rendered in cleartext into the log file and forwarded to whatever collects it. Debug logging is routinely left enabled or switched on in production to troubleshoot, so the `debug` level offers no protection. Anyone who can read the logs, a log backup, or the aggregation platform obtains working credentials; the token in particular can be replayed directly against the API.


Deterministic Fix

✅ Secure Implementation

import java.util.Arrays;
import lombok.extern.slf4j.Slf4j;

// SECURE: Never log sensitive data
log.debug("Login attempt: user={}", username);

// SECURE: Mask tokens (null-safe; at most a 4-character prefix is kept for correlation)
String tokenPrefix = authToken == null
    ? "null"
    : authToken.substring(0, Math.min(4, authToken.length()));
log.info("API call with token: {}***", tokenPrefix);

// Better: Use a marker type for sensitive fields, so a wrapped value can never be
// rendered in full regardless of the log pattern or encoder
@Slf4j
public class SecureLogger {
    /** Marker for values that must never appear in log output. */
    public record Sensitive(String value) {
        @Override public String toString() { return "***"; }
    }

    public static void logSanitized(String msg, Object... args) {
        Object[] sanitized = Arrays.stream(args)
            .map(SecureLogger::sanitize)
            .toArray();
        log.info(msg, sanitized);
    }

    /** Replace marked arguments before they reach the logging framework. */
    private static Object sanitize(Object arg) {
        return arg instanceof Sensitive ? "***" : arg;
    }
}

Why it's secure: The password is simply never passed to the logger, so no log configuration can leak it. The token is reduced to a short prefix, which is enough to correlate log lines but not to replay the token; note that this is only acceptable for tokens, never for passwords, and that for short or low-entropy tokens a hash-based fingerprint is safer than a literal prefix. The marker type makes the protection structural: a value wrapped as `Sensitive` is masked wherever it is formatted, including by JSON encoders that serialize the argument array, rather than relying on every call site to remember the rule.


Detection Pattern

Look for these patterns in your codebase:

# Find log statements whose message or arguments mention credential-like names (case-insensitive)
grep -rniE "log(ger)?\.(trace|debug|info|warn|error)\(.*(password|passwd|secret|token|api[_-]?key|authorization|cookie)" --include="*.java" .

String matching only catches the obvious cases. Also review toString() implementations of request DTOs and entities that are passed to a logger whole, exception messages and stack traces built from values that contain credentials, values placed in the MDC, and any call that logs HTTP headers or request bodies. Expect false positives such as tokenizer or tokenCount and triage them rather than loosening the pattern.

Remediation Steps

  1. Never log passwords, tokens, keys, session IDs or other credentials, at any log level; debug output reaches production logs too

  2. Use sanitization wrappers or a marker type for values that must not be logged, and avoid logging whole request or entity objects whose toString() may include them

  3. Implement log filtering in the logging framework (a converter or filter) that redacts known secret shapes as a last line of defence, not as the primary control

  4. Review log output regularly, including what is shipped to centralized log platforms, and rotate any credential that is found in a log
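Step 3 above, redaction in the logging pipeline, together with the hash fingerprint that the "Deterministic Fix" section recommends over prefix masking, as an added example. This is not code from the original skill or from the DevelopersCoffee repository; the class name `LogRedaction`, the method names `redact` and `fingerprint`, the regular expressions, and the sample message are this example's own. It uses only the JDK and can be run with `java LogRedaction.java`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not part of the original skill): a last-line-of-defence
 * redaction filter for formatted log messages, plus a hash fingerprint that
 * replaces prefix masking for tokens. Names and patterns are this example's own.
 */
public final class LogRedaction {

    // Secret shapes to scrub. Broad on purpose: a false positive costs one masked
    // field, a false negative costs a leaked credential.
    private static final Pattern KEY_VALUE = Pattern.compile(
        "(?i)\\b(password|passwd|pwd|secret|api[_-]?key|token)(\\s*[=:]\\s*)[\"']?([^\\s\"',;&]+)[\"']?");
    private static final Pattern BEARER = Pattern.compile(
        "(?i)\\bBearer\\s+[A-Za-z0-9\\-._~+/]+=*");
    private static final Pattern JWT = Pattern.compile(
        "\\beyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+");

    /** Scrub a fully formatted message; safe to call on null. */
    public static String redact(String message) {
        if (message == null) return null;
        // Structured tokens first, then generic key=value credentials.
        String out = JWT.matcher(message).replaceAll("[REDACTED_JWT]");
        out = BEARER.matcher(out).replaceAll("Bearer [REDACTED]");
        Matcher m = KEY_VALUE.matcher(out);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            // Keep the key and separator so the line stays readable; drop the value.
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + m.group(2) + "[REDACTED]"));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /**
     * Correlation-safe stand-in for a token: a short SHA-256 prefix. Unlike the
     * first characters of the token itself, it reveals nothing an attacker can
     * reuse, and the same token always yields the same fingerprint.
     */
    public static String fingerprint(String secret) {
        if (secret == null) return "null";
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(secret.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("sha256:");
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: what a careless log.debug(...) would have produced.
        String token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl";
        String raw = "Login attempt: user=alice, password=hunter2 "
            + "Authorization: Bearer " + token + " "
            + "api_key='EXAMPLE-NOT-A-REAL-KEY'";
        System.out.println(redact(raw));
        System.out.println("token fingerprint: " + fingerprint(token));
    }
}
```

To apply this inside Logback, subclass `ch.qos.logback.classic.pattern.ClassicConverter`, return `redact(event.getFormattedMessage())` from `convert(ILoggingEvent)`, register it in `logback.xml` with `<conversionRule conversionWord="redacted" converterClass="..."/>`, and use `%redacted` in place of `%msg` in the pattern. Two caveats: a message-only converter does not see the argument array that JSON encoders emit, nor the `%ex` stack trace, so those paths need their own handling; and regex redaction is a safety net for the cases code review missed, not a substitute for not passing the secret in the first place.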


Key Imports

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.slf4j.Slf4j;  // only when using the @Slf4j annotation shown above

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code
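The third verification item, a unit test that fails if a credential ever reaches the logger, as an added example. It is not code from the original skill or the DevelopersCoffee repository. It relies on JUnit 5 and on Logback's `ListAppender`, which are real APIs; the test class name, the `LoginService` under test and the sample credential are constructed for this example.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.read.ListAppender;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.slf4j.LoggerFactory;

/**
 * Added example, not from the original skill: a regression test that captures
 * every log event emitted during a login and asserts the password is in none
 * of them. LoginService and the sample credential are constructed for the test.
 */
class NoSecretsInLogsTest {

    /** Minimal service under test: logs the user, never the password. */
    static final class LoginService {
        private static final org.slf4j.Logger log = LoggerFactory.getLogger(LoginService.class);

        boolean login(String username, String password) {
            log.debug("Login attempt: user={}", username);  // secure form
            // The CWE-532 form this test is designed to catch:
            // log.debug("Login attempt: user={}, password={}", username, password);
            return SECRET.equals(password);  // stand-in for a real credential check
        }
    }

    private static final String SECRET = "correct-horse-battery";  // constructed sample

    private final Logger root = (Logger) LoggerFactory.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME);
    private final ListAppender<ILoggingEvent> captured = new ListAppender<>();
    private Level previousLevel;

    @BeforeEach
    void captureAllLogOutput() {
        previousLevel = root.getLevel();
        root.setLevel(Level.TRACE);  // make sure debug lines are actually emitted
        captured.start();             // a stopped appender silently drops events
        root.addAppender(captured);
    }

    @AfterEach
    void restoreLogging() {
        root.detachAppender(captured);
        root.setLevel(previousLevel);
    }

    @Test
    void passwordNeverAppearsInAnyLogEvent() {
        assertTrue(new LoginService().login("alice", SECRET));
        assertFalse(captured.list.isEmpty(), "expected the login to log at least once");

        for (ILoggingEvent event : captured.list) {
            // The rendered message is what a text appender writes ...
            assertFalse(event.getFormattedMessage().contains(SECRET),
                "secret in log message: " + event.getFormattedMessage());
            // ... but JSON encoders also serialize the raw argument array, so check it too.
            Object[] args = event.getArgumentArray();
            if (args != null) {
                for (Object arg : args) {
                    assertFalse(String.valueOf(arg).contains(SECRET), "secret in log arguments");
                }
            }
        }
    }
}
```

Uncommenting the vulnerable `log.debug` line inside `LoginService` makes the test fail on both assertions, which is the behaviour you want from a regression test for this CWE. Because it attaches to the root logger, the same fixture catches secrets logged by any class the service calls, not only the one under test.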


Trigger Examples

Fix CWE-532 vulnerability
Resolve Sensitive Information in Logs issue
Secure this Java code against sensitive information in logs
SAST reports CWE-532

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | Logging request bodies, login DTOs, or headers such as Authorization and Cookie |
| Service | *Service.java | Logging tokens or credentials during business logic; logging whole domain objects whose toString() includes them; exceptions whose message wraps a secret |
| Repository | *Repository.java | Logging entities containing PII, connection strings, or query parameters |


References

  • CWE-532: Insertion of Sensitive Information into Log File: https://cwe.mitre.org/data/definitions/532.html

  • OWASP Top 10 2021, A09: Security Logging and Monitoring Failures: https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07

Install via CLI

npx skills add https://github.com/DevelopersCoffee/java-cwe-security-skills --skill cwe-532-sensitive-info-in-logs

Repository: https://github.com/DevelopersCoffee/java-cwe-security-skills (branch main, path SKILL.md)