[TEST] Java: SensitiveLogInfo: convert to qlref

d10c · d10c · commit 6134518d6088 · 2025-07-17T18:59:01.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
@@ -0,0 +1,15 @@
+#select
+| Test.java:7:21:7:53 | ... + ... | Test.java:7:46:7:53 | password : String | Test.java:7:21:7:53 | ... + ... | This $@ is written to a log file. | Test.java:7:46:7:53 | password | potentially sensitive information |
+| Test.java:8:22:8:52 | ... + ... | Test.java:8:44:8:52 | authToken : String | Test.java:8:22:8:52 | ... + ... | This $@ is written to a log file. | Test.java:8:44:8:52 | authToken | potentially sensitive information |
+edges
+| Test.java:7:46:7:53 | password : String | Test.java:7:21:7:53 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:8:44:8:52 | authToken : String | Test.java:8:22:8:52 | ... + ... | provenance | Sink:MaD:1 |
+models
+| 1 | Sink: org.apache.logging.log4j; Logger; true; error; (String); ; Argument[0]; log-injection; manual |
+| 2 | Sink: org.apache.logging.log4j; Logger; true; info; (String); ; Argument[0]; log-injection; manual |
+nodes
+| Test.java:7:21:7:53 | ... + ... | semmle.label | ... + ... |
+| Test.java:7:46:7:53 | password : String | semmle.label | password : String |
+| Test.java:8:22:8:52 | ... + ... | semmle.label | ... + ... |
+| Test.java:8:44:8:52 | authToken : String | semmle.label | authToken : String |
+subpaths
diff --git a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql
diff --git a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.qlref b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-532/SensitiveInfoLog.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-532/Test.java b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -4,8 +4,8 @@ class Test {
     void test(String password, String authToken, String username, String nullToken, String stringTokenizer) {
         Logger logger = null;
 
-        logger.info("User's password is: " + password); // $ hasTaintFlow
-        logger.error("Auth failed for: " + authToken); // $ hasTaintFlow
+        logger.info("User's password is: " + password); // $ Alert
+        logger.error("Auth failed for: " + authToken); // $ Alert
         logger.error("Auth failed for: " + username); // Safe
         logger.error("Auth failed for: " + nullToken); // Safe
         logger.error("Auth failed for: " + stringTokenizer); // Safe
