Merge pull request #16028 from owen-mc/java/sensitive-log-whitelist-tokenimage

Java: whitelist variable name `tokenImage` for `java/sensitive-log` as it's used in code generated by JavaCC
2026-02-24 10:53:49 +01:00 · 2024-03-25 10:02:19 +00:00
parent d6374f65e4 ac6c4add14
commit f2db9ce312
3 changed files with 33 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -12,7 +12,8 @@ class VariableWithSensitiveName extends Variable {
  VariableWithSensitiveName() {
    exists(string name | name = this.getName() |
      name.regexpMatch(getCommonSensitiveInfoRegex()) and
-      not name.regexpMatch("(?i).*null.*")
+      not name.regexpMatch("(?i).*null.*") and
+      name != "tokenImage" // appears in parser code generated by JavaCC
    )
  }
 }