
Java: Exclude DEBUG/TRACE level logging from java/log-injection sinks#7

Closed
mrigankpawagi wants to merge 1 commit into main from improve-java-log-injection-exclude-debug


Conversation

@mrigankpawagi

Owner

Summary

This PR improves the java/log-injection query by excluding DEBUG and TRACE level logging calls from log injection sinks.

Problem

MRVA (Multi-Repository Variant Analysis) on top-100 Java repositories revealed 5769 log injection alerts, of which 2401 (41%) were at TRACE/DEBUG/FINE level. These are false positives because:

  1. DEBUG/TRACE logging is typically disabled in production - Most applications configure their logging level to INFO or above in production deployments
  2. Log injection targets production logs - The attack relies on injecting forged entries into logs that will be analyzed by monitoring tools or humans; debug logs are not monitored in production
  3. Debug output is development-only - These log statements exist for developer diagnostics and are not part of the production logging surface

Changes

Modified the DefaultLogInjectionSink class in LogInjection.qll to exclude method calls to:

  • debug, trace (SLF4J, Log4j, Commons Logging, JBoss Logging)
  • fine, finer, finest (java.util.logging)

MRVA Validation

  • Before: 5769 alerts across top-100 Java repos
  • After: ~3368 alerts (41% reduction)
  • All eliminated alerts are at debug/trace level, which is disabled in production
  • No true positives lost (INFO/WARN/ERROR level logging is still flagged)

Why this is correct

Log injection (CWE-117) is about injecting forged entries into production log files. The attack vector requires that the injected content actually appears in monitored log output. Debug/trace level logging is:

  • Disabled by default in all major frameworks
  • Never enabled in production without explicit configuration
  • Not part of the security monitoring surface

This matches the approach taken by the Python py/log-injection query which similarly excludes development-only logging patterns.
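The behaviour the description relies on, shown as an added example in plain Java (this is not code from this PR, from the CodeQL query, or from any logging framework): a java.util.logging logger held at the production-style INFO threshold never hands the fine() record to its handler, while the info() call writes the untrusted value verbatim, so an embedded CRLF forges a second record. The CapturingHandler, the newLogger helper, the sanitize helper and the sample username are all constructed for this demonstration and are assumed names, not part of any library.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class LogInjectionDemo {

    /** Constructed handler: collects each record the logger actually emits, standing in for the log file. */
    static final class CapturingHandler extends Handler {
        final List<String> lines = new ArrayList<>();

        @Override
        public void publish(LogRecord r) {
            if (isLoggable(r)) {
                lines.add(r.getLevel() + ": " + r.getMessage());
            }
        }

        @Override public void flush() { }
        @Override public void close() { }
    }

    /** Hardened form (assumed helper): neutralise CR/LF so a value cannot terminate the line and start a forged one. */
    static String sanitize(String untrusted) {
        return untrusted.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Assumed helper: a logger with an explicit threshold and only our capturing handler attached. */
    static Logger newLogger(String name, Level threshold, CapturingHandler handler) {
        Logger log = Logger.getLogger(name);
        log.setUseParentHandlers(false);   // keep the root console handler out of the picture
        log.setLevel(threshold);           // the logger, not the handler, is what filters FINE here
        handler.setLevel(Level.ALL);
        log.addHandler(handler);
        return log;
    }

    public static void main(String[] args) {
        // Constructed sample input: a username carrying a CRLF followed by text shaped like a second record.
        String userName = "alice\r\nINFO: login succeeded for admin";

        CapturingHandler captured = new CapturingHandler();
        Logger log = newLogger("demo", Level.INFO, captured);   // production-style threshold

        // FINE sits below INFO: the record is discarded before any handler sees it,
        // which is the call the PR stops treating as a sink.
        log.fine("lookup for " + userName);

        // INFO is emitted: the raw value reaches the handler and the CRLF splits it into two apparent lines.
        log.info("login failed for " + userName);

        // Same call with the value sanitised: the CRLF is rendered as literal \r\n on one line.
        log.info("login failed for " + sanitize(userName));

        for (String line : captured.lines) {
            System.out.println("--- record ---");
            System.out.println(line);
        }
        System.out.println("records emitted: " + captured.lines.size());   // 2: the FINE call never arrived
    }
}
```

The second record printed is the one the query flags: it is the unsanitised info() call, and the forged "INFO: login succeeded for admin" text sits on its own line inside it. Changing the threshold in newLogger to Level.ALL makes the FINE record appear as well; that is the explicit configuration under which the excluded debug/trace calls would still be live sinks, so the exclusion is only as safe as the deployment's logging configuration.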

@mrigankpawagi

Owner Author

Superseded by #13 which merges this PR's DEBUG/TRACE exclusion with #11's URLEncoder sanitizer and test exclusion.


Labels: documentation (Improvements or additions to documentation), Java
