Java: reduce false positives in sensitive-log#21650
Open
MarkLee131 wants to merge 2 commits into github:main from
Conversation
…on regex

The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and "tokenImage", causing widespread false positives for common non-sensitive variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP), continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount, tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure), secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey, refreshToken, etc.) remain correctly flagged.
Pull request overview
Updates the Java java/sensitive-log query and its tests to reduce false positives from variable-name heuristics that previously matched many non-sensitive identifiers containing “token” or “secret”.
Changes:
- Expanded the false-positive exclusion regex for common non-sensitive token/secret naming patterns.
- Added/updated query-tests to assert both newly excluded false positives and preserved true positives.
- Added a change-note documenting the analysis improvement.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| java/ql/lib/semmle/code/java/security/SensitiveActions.qll | Extends the FP exclusion regex and updates its inline documentation. |
| java/ql/test/query-tests/security/CWE-532/Test.java | Adds new test cases covering excluded FP patterns and retained sensitive-name detections. |
| java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected | Updates expected results to include new true-positive alerts from the added tests. |
| java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md | Documents the false-positive reduction for java/sensitive-log. |
secretQuestion is ambiguous: it could be the question text (not sensitive) or a security question answer. Worse, the regex secrets?(question) also matches secretQuestionAnswer, which is clearly sensitive. Drop it to avoid false negatives.
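To make the name heuristic concrete, here is an added Python sketch of how a sensitive-name check with a false-positive exclusion regex behaves on the identifiers discussed in this PR. It is not code from this PR or from the CodeQL repository: SENSITIVE_NAME_RE and FP_EXCLUSIONS are regexes constructed for this example, not the patterns in SensitiveActions.qll, and SAMPLE_NAMES is a constructed list. The block also reproduces the reviewer's secretQuestion caveat by widening the exclusions with secrets?question and checking what happens to secretQuestionAnswer.

```python
import re

# Assumed heuristic for this example (not the real SensitiveActions.qll regex):
# a name looks sensitive if it contains one of these words, case-insensitively.
# Patterns are applied with full-match semantics, like CodeQL's regexpMatch,
# so the surrounding .* turn them into substring tests.
SENSITIVE_NAME_RE = r"(?i).*(token|secret|passw(or)?d|credential).*"

# Assumed false-positive exclusions: the pre-existing tokenizer/tokenImage
# cases plus the three categories from the PR description (pagination tokens,
# token metadata, secret metadata).  "null" is handled as a whole-name match.
FP_EXCLUSIONS = [
    "tokeni[sz]er",
    "tokenimage",
    "(next|page|continuation)token",
    "token(type|endpoint|count|index|length|url)",
    "secret(name|id|version|arn|path)",
]


def build_fp_regex(exclusions):
    """Whole-name 'null', otherwise any exclusion as a substring."""
    return "(?i)null|.*(" + "|".join(exclusions) + ").*"


def is_flagged(name, exclusions=FP_EXCLUSIONS):
    """True when the name looks sensitive and no exclusion matches it."""
    if not re.fullmatch(SENSITIVE_NAME_RE, name):
        return False
    return re.fullmatch(build_fp_regex(exclusions), name) is None


def classify(names, exclusions=FP_EXCLUSIONS):
    """Map each name to whether the heuristic would report it."""
    return {n: is_flagged(n, exclusions) for n in names}


# Constructed identifiers: the PR's excluded false positives, its retained
# true positives, and the name from the review comment.
SAMPLE_NAMES = [
    "nextToken", "pageToken", "continuationToken",               # pagination
    "tokenType", "tokenEndpoint", "tokenCount", "tokenUrl",      # token metadata
    "secretName", "secretId", "secretVersion", "secretArn",      # secret metadata
    "accessToken", "clientSecret", "secretKey", "refreshToken",  # true positives
    "secretQuestionAnswer",                                      # reviewer caveat
]

if __name__ == "__main__":
    for name, flagged in classify(SAMPLE_NAMES).items():
        print(f"{name:22} {'FLAGGED' if flagged else 'excluded'}")
    # The reviewer's point: a substring exclusion for secrets?question also
    # silences secretQuestionAnswer, which is a real secret.
    widened = FP_EXCLUSIONS + ["secrets?question"]
    print("secretQuestionAnswer with secrets?question excluded:",
          is_flagged("secretQuestionAnswer", widened))
```

Because every exclusion is a substring test, each new entry should be checked against longer names that embed it (secretQuestion inside secretQuestionAnswer is the case raised above); the assertions in the PR's query-tests for retained true positives are what guard against that regression.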
Fix #21649: