Java: Exclude DEBUG/TRACE level logging from java/log-injection sinks

java/ql/lib/change-notes/2025-06-14-log-injection-exclude-debug-trace.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/log-injection` query no longer considers DEBUG and TRACE level logging calls (including `fine`, `finer`, `finest` for java.util.logging) as log injection sinks. These log levels are typically disabled in production environments, making them unrealistic targets for log injection attacks.

java/ql/lib/semmle/code/java/security/LogInjection.qll

@@ -30,7 +30,16 @@ class LogInjectionAdditionalTaintStep extends Unit {
 }
 
 private class DefaultLogInjectionSink extends LogInjectionSink {
-  DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
+  DefaultLogInjectionSink() {
+    sinkNode(this, "log-injection") and
+    not exists(MethodCall mc |
+      this.asExpr() = mc.getAnArgument() and
+      mc.getMethod().getName() in [
+        "debug", "trace", // SLF4J, Log4j, Commons Logging, JBoss Logging
+        "fine", "finer", "finest" // java.util.logging
+      ]
+    )
+  }
 }
 
 private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleTypeSanitizer

java/ql/src/change-notes/2025-06-14-log-injection-exclude-debug-trace.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/log-injection` query now excludes calls to DEBUG and TRACE level logging methods from its results, since these log levels are typically disabled in production and do not present a realistic log injection attack surface. This eliminates approximately 41% of previously reported alerts.