Merge pull request #15786 from owen-mc/java/sensitive-logging-query-exclude-null-in-variable-name

Java: sensitive logging query exclude null in variable name
2026-04-25 00:35:20 +02:00 · 2024-03-04 12:14:42 +00:00
parent ac484e5a04 037c76d840
commit 279605b486
3 changed files with 16 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -9,7 +9,12 @@ private import semmle.code.java.security.Sanitizers

 /** A variable that may hold sensitive information, judging by its name. */
 class VariableWithSensitiveName extends Variable {
-  VariableWithSensitiveName() { this.getName().regexpMatch(getCommonSensitiveInfoRegex()) }
+  VariableWithSensitiveName() {
+    exists(string name | name = this.getName() |
+      name.regexpMatch(getCommonSensitiveInfoRegex()) and
+      not name.regexpMatch("(?i).*null.*")
+    )
+  }
 }

 /** A reference to a variable that may hold sensitive information, judging by its name. */
--- a/java/ql/src/change-notes/2024-03-04-sensitive-log-remove-null-from-sources.md
+++ b/java/ql/src/change-notes/2024-03-04-sensitive-log-remove-null-from-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* To reduce the number of false positives in the query "Insertion of sensitive information into log files" (`java/sensitive-log`), variables with names that contain "null" (case-insensitively) are no longer considered sources of sensitive information.
--- a/java/ql/test/query-tests/security/CWE-532/Test.java
+++ b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -19,4 +19,10 @@ class Test {
        logger.error("Auth failed for: " + username); // Safe
    }

+    void test4(String nullToken) {
+        Logger logger = null;
+
+        logger.error("Auth failed for: " + nullToken); // Safe
+    }
+
 }