Merge pull request #16028 from owen-mc/java/sensitive-log-whitelist-tokenimage

Java: whitelist variable name `tokenImage` for `java/sensitive-log` as it's used in code generated by JavaCC
2026-04-20 22:44:52 +02:00 · 2024-03-25 10:02:19 +00:00
parent d6374f65e4 ac6c4add14
commit f2db9ce312
3 changed files with 33 additions and 1 deletions
--- a/java/ql/src/change-notes/2024-03-24-sensitive-log-whitelist-tokenimage.md
+++ b/java/ql/src/change-notes/2024-03-24-sensitive-log-whitelist-tokenimage.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Variables named `tokenImage` are no longer sources for  the `java/sensitive-log` query. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts.