From bb04208885d5246916b9f50f6af7a8f4f12d58bc Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Mon, 9 Mar 2026 14:13:59 +0000 Subject: [PATCH 1/7] pyscg 06_logging, updated titles as part of #1017 Signed-off-by: Helge Wehder --- .../01_introduction/pyscg-0041/README.md | 2 +- .../04_neutralization/pyscg-0009/README.md | 5 +++++ .../04_neutralization/pyscg-0012/README.md | 2 +- .../06_logging/pyscg-0019/README.md | 4 ++-- .../06_logging/pyscg-0020/README.md | 4 ++-- .../06_logging/pyscg-0021/README.md | 2 +- .../06_logging/pyscg-0022/README.md | 2 +- .../06_logging/pyscg-0050/README.md | 2 +- docs/Secure-Coding-Guide-for-Python/readme.md | 10 +++++----- 9 files changed, 19 insertions(+), 14 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md b/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md index 6af33464..cc7a430e 100644 --- a/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md +++ b/docs/Secure-Coding-Guide-for-Python/01_introduction/pyscg-0041/README.md @@ -157,7 +157,7 @@ if __name__ == "__main__": unittest.main() ``` -The `compliant01.py` code avoids using password based authentication in the first place. It prints connection information only for convenience here and should not be considered in a real world implementation as per [pyscg-0019: Insertion of Sensitive Information into Log File](../../06_logging/pyscg-0019/README.md) \[OSSF 2025\]. +The `compliant01.py` code avoids using password based authentication in the first place. It prints connection information only for convenience here and should not be considered in a real world implementation as per [pyscg-0019: Exclude Sensitive Data From Logs](../../06_logging/pyscg-0019/README.md) \[OSSF 2025\]. ## Automated Detection 
diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md index 86340491..dde5c2af 100644 --- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md +++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md @@ -30,8 +30,13 @@ Following table 00 provides a limited list of Unix shell commands to Python modu Any variation of using input from a lesser trusted source as part of a command line program has a very high probability of resulting in a potential attack including the use of specialized modules. Consider: * *[pyscg-0047: Incomplete List of Disallowed Input](../../04_neutralization/pyscg-0047/README.md)* +<<<<<<< HEAD * *[pyscg-0050: Generation of Error Message Containing Sensitive Information](../../06_logging/pyscg-0050/README.md)* * *[pyscg-0040: Trust Boundary Violation](../../01_introduction/pyscg-0040/README.md)* +======= +* *[pyscg-0050: Sanitize Error Output to Prevent Information Disclosure](../../06_logging/pyscg-0050/README.md)* +* *[pyscg-0040: Use Process Isolation for Trust Zones](../../01_introduction/pyscg-0040/README.md)* +>>>>>>> 0dc93b4 (pyscg 06_logging, updated titles as part of #1017) ## Non-Compliant Code Example (Read Only) diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md index d25b04fa..4211004e 100644 --- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md +++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0012/README.md 
@@ -325,7 +325,7 @@ The `compliant01.py` code will extract everything below the provided `base_path` Secure Coding in Python - Base: pyscg-0050: Generation of Error Message Containing Sensitive Information + Base: pyscg-0050: Sanitize Error Output to Prevent Information Disclosure [SEI CERT Oracle Coding Standard for Java] diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md index 9eb312a7..58e31421 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0019/README.md @@ -1,6 +1,6 @@ -# pyscg-0019: Insertion of Sensitive Information into Log File +# pyscg-0019: Exclude Sensitive Data From Logs -Do not log any sensitive information such as passwords or credit card numbers. Encrypt or anonymize personal information such as user names, and date of birth in plain text. +Do not log any sensitive information such as passwords or credit card numbers. Encrypt or anonymize personal information such as user names and date of birth. Logging is crucial for tasks like debugging, forensic analysis, and the general management of various incidents, however, it poses significant challenges when it comes to personal information and sensitive information. diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md index c11460e9..c7760ff8 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0020/README.md 
@@ -1,6 +1,6 @@ -# pyscg-0020: Insufficient Logging +# pyscg-0020: Implement Informative Event Logging -Ensure you have sufficient logging in order to adequately record important events within an application and/or system. +Log security events such as authentication attempts, authorization failures, and data access to support incident response. Without comprehensive and sufficient logging, it becomes challenging to identify and respond to security incidents, leading to delayed and/or inefficient incident response efforts. diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md index 71aaa07a..b21c2564 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md @@ -1,4 +1,4 @@ -# pyscg-0021: Active Debug Code +# pyscg-0021: Exclude Developer Tools From the Final Product Keep design tooling in separate packages from the actual product and supply useful logging. diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md index c7526034..2dcd11b1 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0022/README.md @@ -1,4 +1,4 @@ -# pyscg-0022: Improper Output Neutralization for Logs +# pyscg-0022: Neutralize Untrusted Data in Logs Ensure all untrusted data is properly neutralized or sanitized before writing to application logs. diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md index 7c454ab2..63ceb30d 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md 
@@ -1,4 +1,4 @@ -# pyscg-0050: Generation of Error Message Containing Sensitive Information +# pyscg-0050: Sanitize Error Output to Prevent Information Disclosure Prevent an attacker from discovering internal or sensitive system information by filtering, splitting and applying brute force prevention tactics when displaying error messages to a user. This rule is closely related to [pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md). diff --git a/docs/Secure-Coding-Guide-for-Python/readme.md b/docs/Secure-Coding-Guide-for-Python/readme.md index fb9210df..f136a146 100644 --- a/docs/Secure-Coding-Guide-for-Python/readme.md +++ b/docs/Secure-Coding-Guide-for-Python/readme.md @@ -251,31 +251,31 @@ It is __not production code__ and requires code-style or python best practices t -pyscg-0019: Insertion of Sensitive Information into Log File +pyscg-0019: Exclude Sensitive Data From Logs CVE-2023-45585,
CVSSv3.1: 9.8,
EPSS: 0.04 (01.11.2024) CWE-532 -pyscg-0020: Insufficient Logging +pyscg-0020: Implement Informative Event Logging CWE-778 -pyscg-0021: Active Debug Code +pyscg-0021: Exclude Developer Tools From the Final Product CVE-2018-14649,
CVSSv3.1: 9.8,
EPSS: 69.64 (12.12.2023) CWE-489 -pyscg-0022: Improper Output Neutralization for Logs +pyscg-0022: Neutralize Untrusted Data in Logs CWE-117 -pyscg-0050: Generation of Error Message Containing Sensitive Information +pyscg-0050: Sanitize Error Output to Prevent Information Disclosure CWE-209 From 0f780e93c01733a362831ba422facf639207ac2b Mon Sep 17 00:00:00 2001 From: myteron Date: Mon, 9 Mar 2026 15:49:55 +0000 Subject: [PATCH 2/7] Update README.md fixed linting Signed-off-by: myteron --- .../04_neutralization/pyscg-0009/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md index dde5c2af..934e5d2c 100644 --- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md +++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md @@ -36,7 +36,6 @@ Any variation of using input from a lesser trusted source as part of a command l ======= * *[pyscg-0050: Sanitize Error Output to Prevent Information Disclosure](../../06_logging/pyscg-0050/README.md)* * *[pyscg-0040: Use Process Isolation for Trust Zones](../../01_introduction/pyscg-0040/README.md)* ->>>>>>> 0dc93b4 (pyscg 06_logging, updated titles as part of #1017) ## Non-Compliant Code Example (Read Only) From a98abda7be8ea7585e642802c1cab0e325ad1f66 Mon Sep 17 00:00:00 2001 From: myteron Date: Fri, 13 Mar 2026 11:57:27 +0000 Subject: [PATCH 3/7] Update docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: myteron --- .../06_logging/pyscg-0021/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md index b21c2564..5fd237df 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md 
+++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0021/README.md @@ -39,7 +39,7 @@ Not knowing that a product must be deployed differently in production than in st |[MITRE CWE](http://cwe.mitre.org/)|Pillar: [CWE-710: Improper Adherence to Coding Standards (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/710.html)| |[MITRE CWE](http://cwe.mitre.org/)|Base: [CWE-489: Active Debug Code (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/489.html)| |[SEI CERT Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ENV05-J. Do not deploy an application that can be remotely monitored](https://wiki.sei.cmu.edu/confluence/display/java/ENV05-J.+Do+not+deploy+an+application+that+can+be+remotely+monitored)| -|[Python - Secure Coding One Stop Shop](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/)|[pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md)| +|[Python - Secure Coding One Stop Shop](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python/)|[pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md)| ## Bibliography From 4d9a158e2f5b5a8a3e6c10360b29db96d2ec48ee Mon Sep 17 00:00:00 2001 From: myteron Date: Fri, 13 Mar 2026 11:58:03 +0000 Subject: [PATCH 4/7] Update docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: myteron --- .../06_logging/pyscg-0050/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md index 63ceb30d..2cc29a09 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md 
@@ -1,7 +1,7 @@ # pyscg-0050: Sanitize Error Output to Prevent Information Disclosure Prevent an attacker from discovering internal or sensitive system information by filtering, splitting and applying brute force prevention tactics when displaying error messages to a user. -This rule is closely related to [pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md). +This rule is closely related to [pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md). Ensure that detailed troubleshooting and security sensitive error information can only reach authorized personnel while avoiding overload from brute force attacks. From f5472b08875437bf4158e8134d580ad8a7ee0492 Mon Sep 17 00:00:00 2001 From: myteron Date: Fri, 13 Mar 2026 11:58:23 +0000 Subject: [PATCH 5/7] Update docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: myteron --- .../06_logging/pyscg-0050/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md index 2cc29a09..b3c9e641 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md 
@@ -180,7 +180,7 @@ Details on other best practices are only mentioned as a TODO comment such as: * [pyscg-0044: Canonicalize Input Before Validating](../../02_encoding_and_strings/pyscg-0044/README.md) * [pyscg-0016: Detection of Error Condition without Action](../../05_exception_handling/pyscg-0016/README.md) -* Rules related to logging ([pyscg-0022: Improper Output Neutralization for Logs](../pyscg-0022/README.md), [pyscg-0019: Insertion of Sensitive Information into Log File](../pyscg-0019/README.md)) +* Rules related to logging ([pyscg-0022: Neutralize Untrusted Data in Logs](../pyscg-0022/README.md), [pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md)) * File access, log access control * Log level, log format in accordance with [rfc5424](https://www.rfc-editor.org/rfc/rfc5424) * [pyscg-0020: Insufficient Logging](../pyscg-0020/README.md) From 6524e7b3fc022a4e9568c5e0ce3ad8b1c85e4610 Mon Sep 17 00:00:00 2001 From: myteron Date: Fri, 13 Mar 2026 11:58:51 +0000 Subject: [PATCH 6/7] Update docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md Co-authored-by: Bartlomiej Karas Signed-off-by: myteron --- .../06_logging/pyscg-0050/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md index b3c9e641..fd436258 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md 
@@ -183,7 +183,7 @@ Details on other best practices are only mentioned as a TODO comment such as: * Rules related to logging ([pyscg-0022: Neutralize Untrusted Data in Logs](../pyscg-0022/README.md), [pyscg-0019: Exclude Sensitive Data From Logs](../pyscg-0019/README.md)) * File access, log access control * Log level, log format in accordance with [rfc5424](https://www.rfc-editor.org/rfc/rfc5424) -* [pyscg-0020: Insufficient Logging](../pyscg-0020/README.md) +* [pyscg-0020: Implement Informative Event Logging](../pyscg-0020/README.md) Useful internal logging must be resilient against brute force attacks currently not covered in `compliant01.py`. From f715ec7d5d101264a08c59e87287dc9ba46c233d Mon Sep 17 00:00:00 2001 From: Helge Wehder Date: Fri, 20 Mar 2026 11:33:12 +0000 Subject: [PATCH 7/7] fixed issue highlighted in comments Signed-off-by: Helge Wehder --- .../04_neutralization/pyscg-0009/README.md | 4 ---- .../06_logging/pyscg-0050/README.md | 8 ++++---- .../06_logging/pyscg-0050/compliant01.py | 6 +++--- .../06_logging/pyscg-0050/noncompliant02.py | 2 +- 4 files changed, 8 insertions(+), 12 deletions(-) diff --git a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md index 934e5d2c..b1cde8cf 100644 --- a/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md +++ b/docs/Secure-Coding-Guide-for-Python/04_neutralization/pyscg-0009/README.md 
@@ -30,10 +30,6 @@ Following table 00 provides a limited list of Unix shell commands to Python modu Any variation of using input from a lesser trusted source as part of a command line program has a very high probability of resulting in a potential attack including the use of specialized modules. Consider: * *[pyscg-0047: Incomplete List of Disallowed Input](../../04_neutralization/pyscg-0047/README.md)* -<<<<<<< HEAD -* *[pyscg-0050: Generation of Error Message Containing Sensitive Information](../../06_logging/pyscg-0050/README.md)* -* *[pyscg-0040: Trust Boundary Violation](../../01_introduction/pyscg-0040/README.md)* -======= * *[pyscg-0050: Sanitize Error Output to Prevent Information Disclosure](../../06_logging/pyscg-0050/README.md)* * *[pyscg-0040: Use Process Isolation for Trust Zones](../../01_introduction/pyscg-0040/README.md)* diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md index fd436258..c1b9b55b 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/README.md @@ -99,7 +99,7 @@ class FileReader: fh.readlines() except OSError as e: # TODO: log the original exception - # For more details, check CWE-693/CWE-778: Insufficient Logging + # For more details, check pyscg-0020: Implement Informative Event Logging # Throw a generic exception instead sys.tracebacklimit = 0 
@@ -227,10 +227,10 @@ def file_reader(args: list): logging.exception("ERROR %s", error_id) # TODO: handle the exception in accordance with - # - CWE-390: Detection of Error Condition without Action + # - pyscg-0016: Propagate Exceptions and Preserve Context # TODO: log the error with a unique error_id and apply: - # - CWE-117: Improper Output Neutralization for Logs - # - CWE-532: Insertion of Sensitive Information into Log File + # - pyscg-0022: Neutralize Untrusted Data in Logs + # - pyscg-0019: Exclude Sensitive Data From Logs # Present a simplified error to the client print("\n***** Frontend 'client' error: *****") diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py index 19019026..0f7fe152 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/compliant01.py @@ -35,10 +35,10 @@ def file_reader(args: list): logging.exception("ERROR %s", error_id) # TODO: handle the exception in accordance with - # - CWE-390: Detection of Error Condition without Action + # - pyscg-0016: Propagate Exceptions and Preserve Context # TODO: log the error with a unique error_id and apply: - # - CWE-117: Improper Output Neutralization for Logs - # - CWE-532: Insertion of Sensitive Information into Log File + # - pyscg-0022: Neutralize Untrusted Data in Logs + # - pyscg-0019: Exclude Sensitive Data From Logs # Present a simplified error to the client print("\n***** Frontend 'client' error: *****") diff --git a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py index 2bfb8817..07bef54d 100644 --- a/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py +++ b/docs/Secure-Coding-Guide-for-Python/06_logging/pyscg-0050/noncompliant02.py 
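Review bot: The new comment names pyscg-0016 as "Propagate Exceptions and Preserve Context", but the pyscg-0050 README touched by this same series (its `@@ -180,7 +180,7 @@` hunk) still lists that rule in its bullet list as "pyscg-0016: Detection of Error Condition without Action", so one of the two titles is stale; confirm the rule's current heading and align either the README bullet or this comment. Because this series exists precisely because rule titles change, consider keeping the stable CWE identifier next to the pyscg reference, e.g. `# - pyscg-0022 (CWE-117): Neutralize Untrusted Data in Logs` and `# - pyscg-0019 (CWE-532): Exclude Sensitive Data From Logs`, so the TODO still resolves after the next rename. The enclosing `file_reader` body starts before this hunk and continues after it.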
@@ -15,7 +15,7 @@ def __init__(self, args: list): fh.readlines() except OSError as e: # TODO: log the original exception - # For more details, check CWE-693/CWE-778: Insufficient Logging + # For more details, check pyscg-0020: Implement Informative Event Logging # Throw a generic exception instead sys.tracebacklimit = 0