Oauth2-state query: treat log calls the same as stdout printers

These presumably get to the user somehow, and in conjunction with stdin use are enough to identify use of oauth at the terminal.

Author: smowton

ql/src/experimental/CWE-352/ConstantOauth2State.ql

@@ -50,6 +50,8 @@ class FlowToPrint extends DataFlow::Configuration {
 
   predicate isSink(DataFlow::Node sink, DataFlow::CallNode call) {
     exists(Fmt::Printer printer | call = printer.getACall() | sink = call.getArgument(_))
+    or
+    exists(LoggerCall logCall | call = logCall | sink = logCall.getAMessageComponent())
   }
 
   override predicate isSource(DataFlow::Node source) { isSource(source, _) }