Add live literals as sanitizers for sensitive logging

Author: atorralba

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.SensitiveActions
+import semmle.code.java.frameworks.android.Compose
 import DataFlow
 
 /** A variable that may hold sensitive information, judging by its name. */
@@ -23,4 +24,8 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
 
   override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer.asExpr() instanceof LiveLiteral
+  }
 }

java/ql/src/change-notes/2022-05-12-sensitive-log-improvements.md

@@ -1,4 +1,7 @@
 ---
 category: minorAnalysis
 ---
-* Query `java/sensitive-log` no longer considers usernames as sensitive information. Also, the conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
+* Query `java/sensitive-log` has received several improvements.
+  * It no longer considers usernames as sensitive information.
+  * The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
+  * A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.