Log Forging - False Positive?
We are scanning our .NET application with Fortify and need to provide some information on why the Log Forging issue does not apply to us. In our code we have the following pattern; of course it is not exactly as-is, but I've captured the essence of what we're doing:
public static void Write(object message)
{
    LogEntry log = new LogEntry();
    string MessageToAdd = message.ToString();
    // Truncate anything longer than MaxLength, otherwise store the message as-is
    if (MessageToAdd.Length > MaxLength)
    {
        log.Message = MessageToAdd.Substring(0, MaxLength);
    }
    else
    {
        log.Message = MessageToAdd;
    }
}
So basically, we control how log entry objects are created. We restrict the message or user input to 100 characters. Hence we think that the Log Forging issue raised by Fortify is a false positive. What do you all think?
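As an added example (not code from the question or from Fortify's documentation), here is a variant of the logging helper above that also neutralises CR and LF before truncating. The `LogEntry`, `SafeLogger`, `Sanitize` and `MaxLength` names are assumptions for the example; the constructed sample input is well under 100 characters but contains a newline, which is the case a length limit alone does not address and which a log-forging check is looking for.

```csharp
using System;
using System.Text;

// Minimal stand-in for the poster's LogEntry type (assumed shape).
public class LogEntry
{
    public string Message { get; set; }
}

public static class SafeLogger
{
    // The 100-character limit described in the question.
    public const int MaxLength = 100;

    // Replace CR and LF with visible escapes and blank out other control
    // characters, so one message always occupies exactly one log line.
    public static string Sanitize(string input)
    {
        if (input == null)
        {
            return string.Empty;
        }

        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                default:
                    sb.Append(char.IsControl(c) ? '?' : c);
                    break;
            }
        }
        return sb.ToString();
    }

    // Same contract as the original Write: sanitise first, then apply the
    // length limit so the truncated text cannot end inside an escape sequence
    // that matters to a log parser.
    public static LogEntry Write(object message)
    {
        string text = Sanitize(message == null ? null : message.ToString());
        if (text.Length > MaxLength)
        {
            text = text.Substring(0, MaxLength);
        }
        return new LogEntry { Message = text };
    }

    public static void Main()
    {
        // Constructed sample input: short enough to pass the length check,
        // but containing a line break that would otherwise start a new log line.
        string input = "user=alice\nINFO login ok";
        Console.WriteLine(SafeLogger.Write(input).Message);
    }
}
```

The design choice worth noting is the order of operations: sanitising before truncating keeps the length limit meaningful for the text that actually reaches the log, and escaping rather than deleting the control characters preserves evidence of what was submitted for anyone reviewing the log later.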