Logger configuration safety warning by SonarQube

After implementing logging functionality in a microservice, I sent the code through a SonarQube code-check. SonarQube keeps warning me about safety issues regarding loggers. I tried several things to resolve it, including not putting the logger in DEBUG mode and specifying the logger configuration in a separate file instead of hardcoding it. I would like to know if the following logging implementation is safe and if not, how this should be done in a secure way.

Link to raised issue: https://rules.sonarsource.com/python/RSPEC-4792

The code:

import logging.config

log_config = "logconfig.ini"
logging.config.fileConfig(log_config)
logger = logging.getLogger()

The logconfig.ini file:

[loggers]
keys=root,sampleLogger

[handlers]
keys=consoleHandler

[formatters]
keys=sampleFormatter

[logger_root]
level=INFO
handlers=consoleHandler

[logger_sampleLogger]
level=INFO
handlers=consoleHandler
qualname=sampleLogger
propagate=0

[handler_consoleHandler]
class=StreamHandler
level=INFO
formatter=sampleFormatter
args=(sys.stdout,)

[formatter_sampleFormatter]
format=%(asctime)s - %(name)s - %(levelname)s - %(message)s
Lavernalaverne answered 11/6, 2020 at 9:23 Comment(1)
any thoughts on this? Rubeola

I ran into a similar issue. As far as I know, there is no fix within the code itself.

However, you should review your code within the SonarQube web UI and, after a successful review according to the suggested rules, set the status of this issue to "Fixed" or "Safe".

After I had done that, my app with logging passed the quality gate without the need for a code change.

Versify answered 15/4, 2024 at 14:31 Comment(0)
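
To support the manual review described in the answer above, here is an added example (not part of the original posts, and not SonarQube's own check) that parses a fileConfig-style INI and lists the settings a reviewer would look at. `audit_log_config`, `RISKY_INI` and the `/tmp/app.log` path are constructed for illustration, and the choice of what to flag (DEBUG/NOTSET levels, non-console handlers) is an assumption about what the review should cover.

```python
import configparser

# The question's logconfig.ini, reproduced inline so the example runs offline.
QUESTION_INI = """\
[loggers]
keys=root,sampleLogger
[handlers]
keys=consoleHandler
[formatters]
keys=sampleFormatter
[logger_root]
level=INFO
handlers=consoleHandler
[logger_sampleLogger]
level=INFO
handlers=consoleHandler
qualname=sampleLogger
propagate=0
[handler_consoleHandler]
class=StreamHandler
level=INFO
formatter=sampleFormatter
args=(sys.stdout,)
[formatter_sampleFormatter]
format=%(asctime)s - %(name)s - %(levelname)s - %(message)s
"""
# Constructed variant for contrast: DEBUG root logger, handler writing to a file.
RISKY_INI = (QUESTION_INI.replace("[logger_root]\nlevel=INFO", "[logger_root]\nlevel=DEBUG")
             .replace("class=StreamHandler", "class=FileHandler")
             .replace("args=(sys.stdout,)", "args=('/tmp/app.log',)"))

def audit_log_config(ini_text):
    """Return (section, finding) pairs for a reviewer; hypothetical helper."""
    cp = configparser.ConfigParser(interpolation=None)  # format= contains %(...)s
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        kind = section.partition("_")[0]
        if kind not in ("logger", "handler"):
            continue
        level = cp.get(section, "level", fallback="NOTSET").upper()
        if level in ("DEBUG", "NOTSET"):
            findings.append((section, f"level={level}: debug records are not filtered here"))
        cls = cp.get(section, "class", fallback="StreamHandler")
        if kind == "handler" and cls.split(".")[-1] != "StreamHandler":
            # fileConfig evaluates args as a Python expression; report it verbatim.
            args = cp.get(section, "args", fallback="()")
            findings.append((section, f"{cls} args={args}: check who can read the destination"))
    return findings
```

An empty result for the question's file is evidence to attach to the review, not a substitute for it; the findings only point at the settings to inspect.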
