Merge pull request github#15786 from owen-mc/java/sensitive-logging-query-exclude-null-in-variable-name

Java: sensitive logging query exclude null in variable name

Author: owen-mc

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -9,7 +9,12 @@ private import semmle.code.java.security.Sanitizers
 
 /** A variable that may hold sensitive information, judging by its name. */
 class VariableWithSensitiveName extends Variable {
-  VariableWithSensitiveName() { this.getName().regexpMatch(getCommonSensitiveInfoRegex()) }
+  VariableWithSensitiveName() {
+    exists(string name | name = this.getName() |
+      name.regexpMatch(getCommonSensitiveInfoRegex()) and
+      not name.regexpMatch("(?i).*null.*")
+    )
+  }
 }
 
 /** A reference to a variable that may hold sensitive information, judging by its name. */

java/ql/src/change-notes/2024-03-04-sensitive-log-remove-null-from-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* To reduce the number of false positives in the query "Insertion of sensitive information into log files" (`java/sensitive-log`), variables with names that contain "null" (case-insensitively) are no longer considered sources of sensitive information.

java/ql/test/query-tests/security/CWE-532/Test.java

@@ -19,4 +19,10 @@ void test3(String username) {
         logger.error("Auth failed for: " + username); // Safe
     }
 
+    void test4(String nullToken) {
+        Logger logger = null;
+
+        logger.error("Auth failed for: " + nullToken); // Safe
+    }
+
 }