From 92d205d1a832dfb018aeef20ff64f1d6f556b749 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Sun, 19 Apr 2026 23:29:07 -0400
Subject: [PATCH] Use set literal for getCommonSensitiveInfoFPRegex

Replace the five-way result = ... or result = ... disjunction with a single equality on a set literal. Addresses the CodeQL style alert "Use a set literal in place of or" reported by the self-scan on this PR. Pure refactor, no semantic change.
---
 .../code/java/security/SensitiveActions.qll | 22 ++++++++-----------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
index a4adcd7c341..86ff96c1917 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -50,20 +50,16 @@ string getCommonSensitiveInfoRegex() {
 * - Secret metadata: "secretName" (K8s/AWS), "secretId" (Azure), "secretVersion", etc.
 */
 string getCommonSensitiveInfoFPRegex() {
- result = "(?i).*(null|tokenizer).*"
- or
- result = "tokenImage"
- or
- // Pagination/iteration tokens (e.g., AWS SDK pagination cursors, parser tokens)
- result = "(?i).*(next|previous|current|page|continuation|cursor)tokens?.*"
- or
- // Token metadata/infrastructure (token followed by a non-value descriptor)
 result =
- "(?i).*tokens?(type|kind|count|index|position|length|offset|endpoint|url|uri|bucket|rate|delimiter|separator|format|number|name|id|prefix|suffix|pattern|class|style).*"
- or
- // Secret metadata (secret followed by a non-value descriptor)
- result =
- "(?i).*secrets?(name|id|version|ref|arn|path|type|label|description|manager|client|provider|store|factory|properties).*"
+ [
+ "(?i).*(null|tokenizer).*", "tokenImage",
+ // Pagination/iteration tokens (e.g., AWS SDK pagination cursors, parser tokens)
+ "(?i).*(next|previous|current|page|continuation|cursor)tokens?.*",
+ // Token metadata/infrastructure (token followed by a non-value descriptor)
+ "(?i).*tokens?(type|kind|count|index|position|length|offset|endpoint|url|uri|bucket|rate|delimiter|separator|format|number|name|id|prefix|suffix|pattern|class|style).*",
+ // Secret metadata (secret followed by a non-value descriptor)
+ "(?i).*secrets?(name|id|version|ref|arn|path|type|label|description|manager|client|provider|store|factory|properties).*"
+ ]
 }

 /** An expression that might contain sensitive data. */
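Review bot: The first line of the new set literal packs two unrelated entries together, `"(?i).*(null|tokenizer).*", "tokenImage",`, and neither carries a comment, while the other three patterns keep theirs. `"tokenImage"` is also the only element without `(?i)` or `.*`, so it reads as an exact name rather than a substring pattern. A comment line above it, such as `// Exact identifier name, deliberately not a case-insensitive substring pattern`, would record that intent and keep the two entries on separate lines. Every element in this list suppresses a sensitive-data match, and the `.*`-wrapped alternations exclude any identifier that merely contains, for example, `tokenId` or `secretName`, so it helps reviewers of later additions if each entry's scope is stated next to it. The set literal itself looks equivalent to the removed disjunction; the diffstat shows only this file changing, so the "no semantic change" claim presumably rests on the existing query tests.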