Merge pull request #16028 from owen-mc/java/sensitive-log-whitelist-tokenimage

Java: whitelist variable name `tokenImage` for `java/sensitive-log` as it's used in code generated by JavaCC

Author: owen-mc

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -12,7 +12,8 @@ class VariableWithSensitiveName extends Variable {
   VariableWithSensitiveName() {
     exists(string name | name = this.getName() |
       name.regexpMatch(getCommonSensitiveInfoRegex()) and
-      not name.regexpMatch("(?i).*null.*")
+      not name.regexpMatch("(?i).*null.*") and
+      name != "tokenImage" // appears in parser code generated by JavaCC
     )
   }
 }

java/ql/src/change-notes/2024-03-24-sensitive-log-whitelist-tokenimage.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Variables named `tokenImage` are no longer sources for  the `java/sensitive-log` query. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts.

java/ql/test/query-tests/security/CWE-532/TokenSequenceParserTest.java

@@ -0,0 +1,27 @@
+import org.apache.logging.log4j.Logger;
+
+interface TokenSequenceParserConstants {
+  /** Literal token values. */
+  String[] tokenImage = {
+    "<EOF>",
+  };
+}
+
+public class TokenSequenceParserTest implements TokenSequenceParserConstants {
+    void test(String password) {
+        Logger logger = null;
+
+        logger.info("When parsing found this: " + tokenImage[0]); // Safe
+    }
+
+}
+
+class ParseExceptionTest extends Exception {
+    String[] tokenImage;
+
+    void test() {
+        Logger logger = null;
+
+        logger.info("When parsing found this: " + tokenImage[0]); // Safe
+    }
+}