S5145 possible false positive with log4j2


We are using log4j2 and we were hitting the S5145 security rule.

We mitigate it by using the pattern %enc{}{CRLF} in our logging configuration, but Sonar doesn’t seem to see it.

Did we hit a Sonar limitation, or does our solution not really mitigate the issue?
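
For reference, an added example (not code from the original post or from SonarSource) that renders one constructed message through a Log4j 2 `PatternLayout` with and without the CRLF encoder, which replaces carriage return and line feed characters with the literal text `\r` and `\n`. It assumes log4j-core 2.x on the classpath and a pattern that wraps the message as `%enc{%m}{CRLF}`; the class name, logger name and sample input are made up for the illustration.

```java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class CrlfEncodingDemo {

    // Render one message through a PatternLayout built from the given pattern.
    static String render(String pattern, String message) {
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("demo")              // hypothetical logger name
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage(message))
                .build();
        return layout.toSerializable(event);
    }

    // Count physical lines in the rendered output, ignoring the trailing %n.
    static int physicalLines(String rendered) {
        return rendered.strip().split("\\R").length;
    }

    // True if the rendered event still contains a raw CR or LF before the trailing %n.
    static boolean hasRawLineBreak(String rendered) {
        String body = rendered.strip();
        return body.indexOf('\r') >= 0 || body.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a user-controlled value that embeds CR/LF.
        String userInput = "alice\r\nINFO demo - forged entry";
        String message = "login failed for " + userInput;

        String raw = render("%p %c - %m%n", message);
        String encoded = render("%p %c - %enc{%m}{CRLF}%n", message);

        System.out.println("--- %m ---");
        System.out.print(raw);
        System.out.println("physical lines: " + physicalLines(raw)
                + ", raw line break: " + hasRawLineBreak(raw));

        System.out.println("--- %enc{%m}{CRLF} ---");
        System.out.print(encoded);
        System.out.println("physical lines: " + physicalLines(encoded)
                + ", raw line break: " + hasRawLineBreak(encoded));
    }
}
```

The comparison covers only what reaches the appender through that layout; an appender configured with a different pattern still receives the unencoded message.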

Hey @lpouget

Please read this thread regarding reporting false-positives: