OWASP Security Logging Versions

OWASP Security Logging library for Java

v1.1.7

2 years ago

Vulnerabilities Addressed:

  • CVE-2021-44228 (aka Log4Shell)
  • CVE-2021-45046

Additional Features:

  • LUHN based credit card masking
  • Regex based SSN masking
  • CRLF converter for Throwable messages
  • NLF converter to cover newlines in expanded character sets

v1.1.6

6 years ago

  • Fix out of date/vulnerable Log4J2 dependency #35

v1.1.5

6 years ago

  • Fix out of date/vulnerable dependencies

v1.1.4

6 years ago

  • Fix out of date/vulnerable dependencies

v1.1.3

6 years ago

This release includes the following:

  • Added ability to log application settings at startup
  • Added ability to bind System.out streams to SLF4J Loggers
  • Added regex-based masking
  • Fixed MaskingConverter to work with multi-markers
  • Code cleanup and optimization
  • Updated dependencies
  • Improved unit tests

Note: Two prior versions (1.1.1 and 1.1.2) were released to Maven Central, but never tagged on GitHub. This description also covers the features from those prior releases.

v1.1.0

9 years ago

Version 1.1.0 introduces separate projects for Logback and Log4j support, and a common set of shared classes. To use Logback, add the security-logging-logback dependency to pom.xml. Log4j users should include security-logging-log4j. Maven builds will automatically include security-logging-common. Developers are responsible for providing their own Logback or Log4j dependencies.

This release also includes:

  • Filters for security events and classified info
  • Modularized MDCFilter
  • CEF layouts
  • CRLF Converter to protect against log forgery
  • Much improved test coverage
  • Better documentation

v0.0.1

9 years ago

This release introduces the following features:

  • Security logging markers with security levels to identify security log events
  • Appender to isolate security events, based on their security level
  • Security layout for a standard format of security log events