Add "tokenizer" to sensitive variable name FPs

java/ql/lib/semmle/code/java/security/SensitiveActions.qll

@@ -41,9 +41,12 @@ string getCommonSensitiveInfoRegex() {
  * indicate the value being held does not contains sensitive information,
  * but is a false positive for `getCommonSensitiveInfoRegex`.
  *
+ * - "tokenizer" is often used for java.util.StringTokenizer.
  * - "tokenImage" appears in parser code generated by JavaCC.
  */
-string getCommonSensitiveInfoFPRegex() { result = "(?i).*(null).*" or result = "tokenImage" }
+string getCommonSensitiveInfoFPRegex() {
+  result = "(?i).*(null|tokenizer).*" or result = "tokenImage"
+}
 
 /** An expression that might contain sensitive data. */
 abstract class SensitiveExpr extends Expr { }

java/ql/test/query-tests/security/CWE-532/Test.java

@@ -8,6 +8,6 @@ class Test {
         logger.error("Auth failed for: " + authToken); // $ hasTaintFlow
         logger.error("Auth failed for: " + username); // Safe
         logger.error("Auth failed for: " + nullToken); // Safe
-        logger.error("Auth failed for: " + stringTokenizer); // $ hasTaintFlow
+        logger.error("Auth failed for: " + stringTokenizer); // Safe
     }
 }