
Java: Exclude JUnit test methods from log injection#24

Open: mrigankpawagi wants to merge 1 commit into main from improve-java-log-injection-test-annotation

Conversation

@mrigankpawagi

Owner

Fix

Excludes log injection results that occur within methods annotated with JUnit test annotations (@Test, @ParameterizedTest, @RepeatedTest, @TestFactory from JUnit 5, and @Test from JUnit 4).

Problem

Test code frequently logs user-controlled test inputs for debugging purposes. These are not security vulnerabilities because:

  1. Test code does not run in production
  2. Test inputs are developer-controlled, not attacker-controlled
  3. Log output in tests goes to test runners, not production log systems

MRVA showed many FPs in test classes across Java repositories.

Validation

Static analysis confirms that methods annotated with test annotations are only invoked by test frameworks, never in production paths.
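The distinction the description draws, as an added Java example that is not part of this pull request or of the query it changes: a hypothetical production class whose logging of request-derived input is a genuine log injection sink (a line terminator in the value can forge an extra log entry), its hardened form that strips line terminators, and a JUnit test class whose logging of developer-controlled inputs is the kind of result the PR now excludes. Class and method names (`LoginAudit`, `recordAttemptUnsafe`, `sanitizeForLog`, `LoginAuditTest`) are invented for the illustration.

```java
import java.util.logging.Logger;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;

// Hypothetical production class: the username comes from an HTTP request,
// so it is attacker-controlled and this logging runs in production.
class LoginAudit {
    private static final Logger LOG = Logger.getLogger(LoginAudit.class.getName());

    // True positive for the log injection query: a value containing "\r" or "\n"
    // is written unchanged, so the attacker can terminate the line and start a
    // second, forged-looking entry.
    static void recordAttemptUnsafe(String usernameFromRequest) {
        LOG.info("login attempt for user=" + usernameFromRequest);
    }

    // Hardened form: replace line terminators before the value reaches the log,
    // so one request always produces exactly one log line.
    static String sanitizeForLog(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }

    static void recordAttempt(String usernameFromRequest) {
        LOG.info("login attempt for user=" + sanitizeForLog(usernameFromRequest));
    }
}

// Test class: every logged value here is a constructed test input chosen by the
// developer, and the method only runs under the JUnit runner. Under this PR,
// log injection results inside @Test / @ParameterizedTest methods are dropped.
class LoginAuditTest {
    private static final Logger LOG = Logger.getLogger(LoginAuditTest.class.getName());

    @Test
    void sanitizerReplacesLineBreaks() {
        // Constructed input containing a line break, to exercise the sanitizer.
        String input = "alice\nsecond-line";
        LOG.info("checking input: " + input); // excluded: inside an @Test method
        assertEquals("alice_second-line", LoginAudit.sanitizeForLog(input));
    }

    @ParameterizedTest
    @ValueSource(strings = {"bob", "carol\r\n", "\rdave"})
    void sanitizedOutputIsSingleLine(String input) {
        LOG.info("param: " + input); // excluded: inside a @ParameterizedTest method
        String out = LoginAudit.sanitizeForLog(input);
        assertFalse(out.contains("\n") || out.contains("\r"));
    }
}
```

The same `LOG.info(... + input)` expression appears in both classes; what separates a finding worth reporting from a false positive is not the call itself but whether the enclosing method is reachable in production with attacker-controlled data, which is exactly the property the JUnit annotations let the query decide.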

Methods annotated with JUnit test annotations (@Test, @ParameterizedTest, @RepeatedTest, @TestFactory from JUnit 5, or @Test from JUnit 4) are excluded from log injection results. Test code intentionally logs user-controlled input for testing purposes and does not represent a security vulnerability.
@github-actions github-actions Bot added the Java label Jun 23, 2026