Java: Remove SensitiveLoggingQuery results that flow through a source.

aschackmull · aschackmull · commit ecc15a1f952e · 2022-08-10T14:28:07.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -28,4 +28,6 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer.asExpr() instanceof LiveLiteral
   }
+
+  override predicate isSanitizerIn(Node node) { isSource(node) }
 }
diff --git a/java/ql/src/change-notes/2022-08-10-sensitive-log-dedup.md b/java/ql/src/change-notes/2022-08-10-sensitive-log-dedup.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The query `java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.

Original file line number	Diff line number	Diff line change
`@@ -28,4 +28,6 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {`
`28`	`28`	`override predicate isSanitizer(DataFlow::Node sanitizer) {`
`29`	`29`	`sanitizer.asExpr() instanceof LiveLiteral`
`30`	`30`	`}`
	`31`	`+`
	`32`	`+ override predicate isSanitizerIn(Node node) { isSource(node) }`
`31`	`33`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: majorAnalysis
 +---
 +* The query `java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.