github · owen-mc · Mar 4, 2024 · Mar 3, 2024 · Mar 3, 2024 · Mar 3, 2024
@@ -9,7 +9,12 @@ private import semmle.code.java.security.Sanitizers
 
 /** A variable that may hold sensitive information, judging by its name. */
 class VariableWithSensitiveName extends Variable {
-  VariableWithSensitiveName() { this.getName().regexpMatch(getCommonSensitiveInfoRegex()) }
+  VariableWithSensitiveName() {
+    exists(string name | name = this.getName() |
+      name.regexpMatch(getCommonSensitiveInfoRegex()) and
+      not name.regexpMatch("(?i).*null.*")
+    )
+  }
 }
 
 /** A reference to a variable that may hold sensitive information, judging by its name. */

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* To reduce the number of false positives in the query "Insertion of sensitive information into log files" (`java/sensitive-log`), variables with names that contain "null" (case-insensitively) are no longer considered sources of sensitive information.
@@ -19,4 +19,10 @@ void test3(String username) {
         logger.error("Auth failed for: " + username); // Safe
     }
 
+    void test4(String nullToken) {
+        Logger logger = null;
+
+        logger.error("Auth failed for: " + nullToken); // Safe
+    }
+
 }