I got some suggestions from Checkmarx regarding
Filtering Sensitive Logs
    ...
    encrypted_password = encryption.encrypt(pub_key, password)
    ...
    LOGGER.info("Username: %s, Password: %s", user, encrypted_password)
I got other similar issues too:

    ...
    _, token = get_secret(ROOT_TOKEN)
    ...
    LOGGER.debug("GET request status code: %s", resp.getcode())
Here, Checkmarx is complaining about
and the fact that I am logging this. Also, I am not directly logging the
token is a part of the
resp object, which is then logged (and not even the whole object).
So, I wanted to understand the cause and the best way to fix this.
What I think is that Checkmarx looks for words like
secret/passwords/password etc. and then figures out whether these are being logged somewhere.
In the second example too, I think it sees that there is a function with
secret in its name, so that function must return some sensitive info (which is then stored in a variable and logged), and that is why it is again complaining.
Is that correct?
I tried to look online but didn't find much about this here.
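As an added illustration (not code from the post or from Checkmarx) of the defensive side of the "Filtering Sensitive Logs" finding: a logging.Filter that redacts the value after any sensitive-looking key before a record is emitted, applied to the two log calls quoted above. The key list SENSITIVE_KEYS and the render() helper are assumptions made for this example; the ciphertext of a password is still treated as sensitive and dropped, while the status-code message passes through unchanged.

```python
import logging
import re

# Constructed key list for this example; extend it to match the project's own vocabulary.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key")

# Matches "Password: value" or "token=value" pairs (case-insensitive); the value runs
# up to the next comma or whitespace, so neighbouring fields are left intact.
_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(\s*[:=]\s*)([^,\s]+)"
)


def redact(text: str) -> str:
    """Replace the value following any sensitive key with a fixed marker."""
    return _PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Redact the fully formatted message so a careless %s argument cannot leak a secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies record.args; store the redacted result and clear args
        # so handlers do not re-format the message a second time.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # always emit, just with the value masked


def render(msg: str, *args) -> str:
    """Format a log call the way a handler would, with the filter applied (helper for the demo)."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logger = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())  # filter on the handler covers every record it emits
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)

    # Constructed stand-ins for the values in the post.
    user, encrypted_password, status_code = "alice", "b64ciphertext==", 200
    logger.info("Username: %s, Password: %s", user, encrypted_password)
    logger.debug("GET request status code: %s", status_code)
```

The filter is a safety net for the log sink; the actual fix for the first finding is to stop passing the password (encrypted or not) to the log call at all.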