I am using Log4net for logging into my web api application. I am using below code to log warnings and error in database.

public async Task<int> ExecuteNonQuery(string procedureName,params SqlParameter[] parameters)
{
try
{
  this.logger.DebugFormat("{0} stating call",procedureName);
  ......
  ......
  ......
}

further code

When i ran fortify scan it gives me log forging issue. Is there any idea how we can resolve this issue. I tried below code but didn't work

  procedureName = Regex.Replace(procedureName, "[^ A - Za - z0 - 9 $]", string.Empty);

Fortify is guarding against Log Forging/Log Injection, where a malicious user could get unescaped input into your system in such a way that it's written to your log file. The idea would be to add in mis-leading log entries that would throw automated or manual intrusion detection or intrusion investigation attempts off the scent of the malicious user and what they are really trying to accomplish.

In order to combat this, one must carefully control which portions of user input end up being used in a log file. How to do this varies by how strict you are. You could simply escape all user input in your log, stripping out things like newlines or control characters. To be extremely strict, one removes all user input from their logging statements and uses a set of pre-developed events that form a "whitelist" of events that can be logged in the system.

In your case, it sounds like Fortify isn't smart enough to know if procedureName comes from user input or not, so it flags your logging statement as potentially containing dynamic/user content. If you are positive that you know where procedureName comes from, then you can ignore this as a false positive. Otherwise, you can use one of the mitigation techniques I've listed to make your logging statement more secure.