Add a comment for reasoning in why debug and trace are included and other variations are excluded

luchua-bc · web-flow · commit d9cc3c6f8d81 · 2020-05-13T07:46:44.000-04:00
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -42,7 +42,7 @@ class LoggerType extends RefType {
 predicate isSensitiveLoggingSink(DataFlow::Node sink) {
   exists(MethodAccess ma |
     ma.getMethod().getDeclaringType() instanceof LoggerType and
-    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and
+    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives
     sink.asExpr() = ma.getAnArgument()
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ class LoggerType extends RefType {`
`42`	`42`	`predicate isSensitiveLoggingSink(DataFlow::Node sink) {`
`43`	`43`	`exists(MethodAccess ma \|`
`44`	`44`	`ma.getMethod().getDeclaringType() instanceof LoggerType and`
`45`		`- (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and`
	`45`	`+ (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives`
`46`	`46`	`sink.asExpr() = ma.getAnArgument()`
`47`	`47`	`)`
`48`	`48`	`}`