Fix FP for always-locked fields

Author: owen-mc

java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql

@@ -68,7 +68,9 @@ predicate alwaysLocked(Field f) {
   or
   exists(RefType thisType |
     forex(VarAccess access |
-      access = f.getAnAccess() and not access.getEnclosingCallable() instanceof InitializerMethod
+      access = f.getAnAccess() and
+      not access.getEnclosingCallable() instanceof Constructor and
+      not access.getEnclosingCallable() instanceof InitializerMethod
     |
       locallySynchronizedOnThis(access, thisType)
     )

java/ql/test/query-tests/security/CWE-367/semmle/tests/FieldAlwaysLocked.java

@@ -14,10 +14,10 @@ public FieldAlwaysLocked() {
         protected synchronized void checkOut() {
                 Object o;
                 if (field.size() > 0) {
-                        Enumeration e = field.keys(); // $ SPURIOUS: Alert
+                        Enumeration e = field.keys();
                         while (e.hasMoreElements()) {
                                 o = e.nextElement();
-                                field.remove(o); // $ SPURIOUS: Alert
+                                field.remove(o);
                         }
                 }
         }