Java: Improve saneString and exclude tests in java/concatenated-command-line

[kiro-agent]

This pull request was created by @kiro-agent on behalf of @mrigankpawagi 👻

Comment with /kiro fix to address specific feedback or /kiro all to address everything.
_{Learn about Kiro Web}

---

Summary

This PR improves the java/concatenated-command-line query by expanding the saneString predicate to recognize more safe value patterns and by excluding test files.

Problem

The existing saneString predicate in ExecUnescaped.ql was extremely restrictive — it only recognized StringLiteral, NullLiteral, and variables assigned only sane values. This caused many false positives where command lines were built with:

1. Numeric values (port numbers, counts, PIDs) — these cannot contain shell metacharacters
2. Enum constants — programmer-controlled values with predictable .toString() representations
3. Compile-time constants — static final fields with known values

Additionally, many alerts were in test files where command concatenation is used for test setup.

Changes

Expanded saneString predicate

Added recognition of:

• IntegerLiteral, LongLiteral, FloatingPointLiteral, DoubleLiteral
• Expressions of PrimitiveType or BoxedType (when converted to string via concatenation, these produce numeric/boolean text only)
• EnumConstant accesses
• CompileTimeConstantExpr (covers static final fields and other compile-time constants)

Test file exclusion

Added not isInTestFile(argument.getFile()) using the existing isInTestFile predicate from ModelExclusions.

Why this is correct

• Numeric types: int, long, float, double, Integer, Long, etc. when converted to strings via concatenation produce only digits, decimal points, minus signs, and 'E' for scientific notation — none of which are shell metacharacters.
• Enum constants: Their toString() returns the enum name (e.g., "RUNNING") which is programmer-defined and cannot contain shell metacharacters.
• Compile-time constants: These are resolved at compile time and are fully under programmer control.
• Test files: Command concatenation in tests is for test infrastructure, not production code.

Example false positives eliminated

// Numeric port - was flagged, now correctly excluded
Runtime.getRuntime().exec("kill -9 " + pid);  // pid is int

// Enum constant - was flagged, now correctly excluded  
Runtime.getRuntime().exec("service " + action.name());  // action is enum

// Compile-time constant - was flagged, now correctly excluded
Runtime.getRuntime().exec(BASE_CMD + " " + VERSION);  // VERSION is static final

[mrigankpawagi]

Superseded by #12 which consolidates the best of #5 and this PR (#10) into a single improvement.