java/sensitive-log: missing sanitizer for hashed/encrypted data #21653

@MarkLee131

Description

Description of the false positive

The java/sensitive-log query (CWE-532) flags data that has been hashed or encrypted before logging. The sibling query java/cleartext-storage-in-log (CWE-312) already treats methods with "encrypt", "hash", or "digest" in their names as sanitizers (CleartextStorageQuery.qll:86), but CWE-532 does not.

I added an EncryptionBarrier to SensitiveLoggingQuery.qll using the same name heuristic, making the two queries consistent.

Code samples or links to source code

```java
// DigestUtils is org.apache.commons.codec.digest.DigestUtils; the logger is assumed to be
// an org.slf4j.Logger. getPassword() and hashPassword() are the reporter's placeholders.
import org.apache.commons.codec.digest.DigestUtils;
import org.slf4j.Logger;

String password = getPassword();

// Flagged — but the hashed value does not expose the credential
logger.info("password hash: " + DigestUtils.sha256Hex(password));
logger.info("password hash: " + hashPassword(password));

// Correctly flagged — raw password in log
logger.info("password: " + password);
```

The existing sanitizer in CleartextStorageQuery.qll for reference:

https://github.com/github/codeql/blob/fb8b5699f28c3bf89683ed1ba4a3ec5806f7a881/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll#L84-L88
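The following is an added example of the kind of name-heuristic barrier the issue describes, wired into a minimal taint-tracking configuration so it can be run against a Java database on its own. It is not code from the CodeQL repository or from the reporter's change: the class and module names, the simplified source and sink definitions, and the exact regular expression are all assumptions. One design point worth noting: the reporter's first sample, `DigestUtils.sha256Hex(password)`, has no "hash", "digest" or "encrypt" in the method name itself, so this example also checks the declaring type's name; whether the project's own predicate does that is not something this page states.

```ql
/**
 * @name Sensitive data logged in clear (hash/encrypt barrier example)
 * @kind problem
 * @problem.severity warning
 * @id java/example-sensitive-log-encryption-barrier
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking

/**
 * The return value of a call whose method name, or declaring type name, contains
 * "encrypt", "hash" or "digest" (case-insensitive). Matches both
 * `DigestUtils.sha256Hex(...)` (via the type name) and `hashPassword(...)`
 * (via the method name). Name heuristic and class name are assumptions.
 */
class EncryptionBarrier extends DataFlow::Node {
  EncryptionBarrier() {
    exists(Method m | m = this.asExpr().(MethodCall).getMethod() |
      [m.getName(), m.getDeclaringType().getName()]
          .regexpMatch("(?i).*(encrypt|hash|digest).*")
    )
  }
}

/** Deliberately small configuration for the example; the real query's sources and sinks are richer. */
module ExampleConfig implements DataFlow::ConfigSig {
  /** Sources: reads of variables whose names look like credentials (assumed, simplified). */
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(VarAccess).getVariable().getName()
        .regexpMatch("(?i).*(password|passwd|secret).*")
  }

  /** Sinks: arguments of logging calls on a type named `Logger` (assumed, simplified). */
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall log |
      log.getMethod().getDeclaringType().getName() = "Logger" and
      log.getMethod().getName() = ["trace", "debug", "info", "warn", "error"] and
      sink.asExpr() = log.getAnArgument()
    )
  }

  /** Once a value has passed through a hash/encrypt call it is no longer treated as sensitive. */
  predicate isBarrier(DataFlow::Node node) { node instanceof EncryptionBarrier }
}

module ExampleFlow = TaintTracking::Global<ExampleConfig>;

from DataFlow::Node source, DataFlow::Node sink
where ExampleFlow::flow(source, sink)
select sink, "This logging call writes $@ in clear.", source, "sensitive data"
```

Run against a database built from the reporter's snippet, the barrier sits on the call expression node, which is also the node through which any interprocedural flow out of a user-defined `hashPassword` body re-enters the caller, so both hashed lines stop producing results while `logger.info("password: " + password)` is still reported.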
