ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Home Page: https://horusec.io/

How can I find the scan result field explanation document?

Jonas-sci opened this issue

When I scan a project, I get a result like this:

Language: C#
Severity: INFO
Line: 28916
Column: 14
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/Jonas/Project/WebGoat.NET/WebGoat/lib/log4net.xml
Code: log.Info("This log message has a ThreadContext Stack message that includes 'my context message'");
RuleID: HS-CSHARP-38
Type: Vulnerability
ReferenceHash: 83bdca98d4762aa073c153267440246d5ea2c640655445f007d25673d3289495
Details: (1/1) * Possible vulnerability detected: No Log Sensitive Information in console
The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.

But when I was preparing to analyze the results, I found the INFO severity level incomprehensible. I was going to look for the document to read the description, but at that moment I found that the documentation website could not be opened, and I could not find a description of each field in the result in the readme. Can you explain Severity, Column and Confidence to me?

Hi @Jonas-sci, that issue is triggered by this code: internal/services/engines/csharp/rules.go#L761. Basically, logging is allowed for debugging purposes to help software engineers build the app, but in the production environment you should be careful about what data is logged. If sensitive data (e.g. PII) is logged, your application may leak the data to an unauthorized actor. So you need to check that the logged data does not contain sensitive data. Then, if it is confirmed that no sensitive data is logged, you should treat the finding as a false positive. That procedure is based on my experience, adopted from security best practices such as OWASP ASVS, WSTG, MASVS, and MSTG. CMIIW.

Regarding severity and confidence level, you can access this URL: https://docs.horusec.io/docs/tutorials/how-to-adding-custom-rules/#step-2-define-jsons-attributes. As far as I know, a LOW confidence level may result in a high rate of false-positive results, so that vulnerability needs to be checked manually to confirm whether it is real or not.
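The triage procedure described in the reply above (check what the logging call actually logs, treat LOW-confidence findings as candidates for manual review, and discard third-party noise) can be scripted against Horusec's text output. The following is an added example written for this page; it is not code from the issue, from Horusec, or from the reply's author. It parses the `Key: Value` blocks in the format quoted in the issue, ranks findings by severity and confidence, filters paths that look like vendored libraries (the finding in the issue sits in `lib/log4net.xml`, a library's XML doc file rather than application code), and marks a logging finding as a likely true positive only when the logged expression names something like a password or token. The severity and confidence vocabularies beyond INFO and LOW, the keyword list, the ignore patterns, the `LOGGING_RULES` set and the second sample record are assumptions or constructed data for the demonstration, not facts from the page.

```python
"""Triage Horusec text findings (added example; not part of Horusec or the issue)."""
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample input. The first record is the finding quoted in the issue;
# the second is made up (same rule, invented file path and log statement) so the
# triage verdicts differ.
SAMPLE_OUTPUT = """\
Language: C#
Severity: INFO
Line: 28916
Column: 14
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/Jonas/Project/WebGoat.NET/WebGoat/lib/log4net.xml
Code: log.Info("This log message has a ThreadContext Stack message that includes 'my context message'");
RuleID: HS-CSHARP-38
Type: Vulnerability
ReferenceHash: 83bdca98d4762aa073c153267440246d5ea2c640655445f007d25673d3289495
Details: (1/1) * Possible vulnerability detected: No Log Sensitive Information in console
The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.

Language: C#
Severity: INFO
Line: 42
Column: 8
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/Jonas/Project/WebGoat.NET/WebGoat/Example.cs
Code: log.Info("password reset for " + user + ", new password: " + newPassword);
RuleID: HS-CSHARP-38
Type: Vulnerability
ReferenceHash: constructed-sample-hash
Details: (1/1) * Possible vulnerability detected: No Log Sensitive Information in console
The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.
"""

# Label vocabularies are assumed beyond the INFO/LOW values seen in the issue.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1, "UNKNOWN": 0}
CONFIDENCE_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
LOGGING_RULES = {"HS-CSHARP-38"}  # the rule from the issue; add rules you triage the same way
# Heuristic identifiers that make a logged expression a likely CWE-532 leak (assumed list).
SENSITIVE_TOKENS = re.compile(r"password|passwd|secret|token|api_?key|authorization|cookie|ssn|cvv", re.I)
# Vendored/generated directories to drop from triage (assumed layout).
IGNORE_PATH_PATTERNS = ["*/lib/*", "*/packages/*", "*/bin/*", "*/obj/*"]
_FIELD = re.compile(r"^([A-Z][A-Za-z]+): ?(.*)$")


def parse_findings(text):
    """Split blank-line separated records into dicts; a line that is not
    'Key: Value' (the second line of Details) is appended to the previous field."""
    findings, current, last_key = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            if current:
                findings.append(current)
            current, last_key = {}, None
            continue
        m = _FIELD.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key:
            current[last_key] += "\n" + line
    if current:
        findings.append(current)
    return findings


def is_third_party(path):
    return any(fnmatch(path, pattern) for pattern in IGNORE_PATH_PATTERNS)


def triage(finding):
    """Verdict per the reply: vendored path -> ignore; logging call that names a
    credential -> likely real; LOW confidence -> must be checked by hand."""
    if is_third_party(finding.get("File", "")):
        return "IGNORE_THIRD_PARTY"
    if finding.get("RuleID") in LOGGING_RULES and SENSITIVE_TOKENS.search(finding.get("Code", "")):
        return "LIKELY_TRUE_POSITIVE"
    if finding.get("Confidence", "").upper() == "LOW":
        return "MANUAL_REVIEW"
    return "REVIEW"


def priority(finding):
    """Sort key: highest severity first, then highest confidence."""
    return (-SEVERITY_RANK.get(finding.get("Severity", "UNKNOWN").upper(), 0),
            -CONFIDENCE_RANK.get(finding.get("Confidence", "").upper(), 0))


def summarize(findings):
    """Count findings per (Severity, Confidence) pair."""
    return Counter((f.get("Severity"), f.get("Confidence")) for f in findings)


def triage_report(text):
    findings = sorted(parse_findings(text), key=priority)
    return [(f.get("RuleID"), f.get("File"), f.get("Line"), triage(f)) for f in findings]


if __name__ == "__main__":
    for rule_id, path, line, verdict in triage_report(SAMPLE_OUTPUT):
        print(f"{verdict:<22} {rule_id} {path}:{line}")
    print(dict(summarize(parse_findings(SAMPLE_OUTPUT))))
```

Feed it the saved text output of a scan instead of `SAMPLE_OUTPUT` to get a sorted worklist; the keyword heuristic is deliberately narrow, so a "MANUAL_REVIEW" verdict still means reading the log statement, which is exactly the step the reply recommends for LOW-confidence findings.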

Hi @ne0z, I have the same question. I tried to read the guide from the documentation you provided, but the website is static? I cannot find where the rules are located there. https://docs.horusec.io/docs/tutorials/how-to-adding-custom-rules/

Maybe it should be checked, since I want to use the tool deeply. Thanks!

Well, I tried it and found that it was caused by my Edge browser. It was solved when I updated my browser and turned off the system proxy on my laptop.

I have checked, and it works perfectly in my Chrome browser.