False positive: java/sensitive-log overly broad variable name regex causes widespread false positives #21649

@MarkLee131
Description of the false positive

The source regex (?i).*(token|secret).* in getCommonSensitiveInfoRegex() matches any variable containing "token" or "secret". The FP exclusion list (getCommonSensitiveInfoFPRegex) only covers null, tokenizer, and tokenImage, missing many common non-sensitive naming patterns.

This flags variables like nextToken (AWS SDK pagination), tokenType (OAuth), tokenEndpoint (OIDC), secretName (K8s/AWS), secretVersion (Azure), etc. None of these hold sensitive data.

The query has already needed 6 rounds of one-off FP fixes (v0.3.3, v0.6.0, v0.8.10, v0.8.13, v1.1.2, v1.10.1). Related: #7992, #6811.

I expanded getCommonSensitiveInfoFPRegex() to cover pagination tokens, token metadata, and secret metadata patterns. Truly sensitive names (accessToken, clientSecret, secretKey, etc.) remain correctly flagged.

Code samples or links to source code

// All flagged as "sensitive information written to log" — none are sensitive
String nextToken = response.getNextToken();       // AWS SDK pagination cursor
String tokenType = "Bearer";                      // OAuth token type
String tokenEndpoint = "https://auth.example.com/token"; // OIDC endpoint
String secretName = "my-k8s-config";              // K8s secret name
String secretVersion = "v3";                      // AWS Secrets Manager version ID

logger.info("page cursor: " + nextToken);
logger.info("token type: " + tokenType);
logger.info("endpoint: " + tokenEndpoint);
logger.info("fetching secret: " + secretName);
logger.info("version: " + secretVersion);
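To see concretely what the regexes described in the issue decide, here is an added Python example (not the CodeQL query's own code): it reproduces the source regex and the current three-entry exclusion as the issue states them, adds a constructed expanded exclusion for the three families the reporter names, and reports which of a constructed set of variable names each version would flag. The expanded pattern and the sample names are assumptions for illustration, and Python's re is used in place of CodeQL's Java-flavoured regexpMatch, which behaves the same for these patterns.

```python
import re

# Source regex quoted in the issue: any name containing "token" or "secret",
# case-insensitively. CodeQL's regexpMatch anchors to the whole string, which
# the leading/trailing ".*" plus Python's fullmatch() reproduce here.
SENSITIVE_RE = re.compile(r"(?i).*(token|secret).*")

# Exclusion list as the issue describes it: only null, tokenizer, tokenImage.
CURRENT_FP_RE = re.compile(r"(?i).*(null|tokenizer|tokenImage).*")

# Constructed, expanded exclusion covering the three families named in the
# issue (pagination cursors, token metadata, secret metadata). This is an
# illustration of the approach, not the regex from the actual fix.
EXPANDED_FP_RE = re.compile(
    r"(?i).*("
    r"null|tokenizer|tokenImage"
    r"|nextToken|pageToken|continuationToken"   # pagination cursors
    r"|tokenType|tokenEndpoint"                  # token metadata
    r"|secretName|secretVersion"                 # secret metadata
    r").*"
)

# Constructed sample of local variable names a scanner might see.
SAMPLE_NAMES = [
    "nextToken", "tokenType", "tokenEndpoint", "secretName", "secretVersion",
    "tokenizer", "userName",                     # never sensitive
    "accessToken", "clientSecret", "secretKey",  # genuinely sensitive
]


def is_flagged(name: str, fp_re: re.Pattern) -> bool:
    """Mirror the query's decision: sensitive-looking and not in the FP list."""
    return bool(SENSITIVE_RE.fullmatch(name)) and not fp_re.fullmatch(name)


def flagged_names(names, fp_re: re.Pattern) -> list:
    """Names the query would report, in input order."""
    return [n for n in names if is_flagged(n, fp_re)]


def false_positives(names, fp_re: re.Pattern) -> list:
    """Names flagged under fp_re that the expanded list would have excluded."""
    return [n for n in names
            if is_flagged(n, fp_re) and not is_flagged(n, EXPANDED_FP_RE)]


if __name__ == "__main__":
    print("current :", flagged_names(SAMPLE_NAMES, CURRENT_FP_RE))
    print("expanded:", flagged_names(SAMPLE_NAMES, EXPANDED_FP_RE))
    print("removed :", false_positives(SAMPLE_NAMES, CURRENT_FP_RE))
```

Because both lists use unanchored substring matches, every exclusion entry also mutes any longer name that contains it (for example, excluding tokenType also silences accessTokenType), so each added entry is worth checking against names that genuinely carry credentials.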
