Java: Reduce false positives in java/concatenated-command-line query

[mrigankpawagi]

Summary

This PR improves the java/concatenated-command-line query (ExecUnescaped.ql) by expanding the saneString predicate to recognize additional safe expression patterns, significantly reducing false positives.

Problem

MRVA (Multi-Repository Variant Analysis) on the top-100 Java repositories revealed 21 alerts, the majority of which are false positives caused by:

1. System.getProperty() calls with literal keys - e.g., System.getProperty("java.home") + "/bin/java" (apache/maven, elastic/logstash, apache/flink)
2. File.separator constants - File.separator, File.pathSeparator
3. Class metadata methods - getClass().getCanonicalName(), .getName()
4. Numeric literals and conversions - Integer.toString(port)
5. Enum constants - compile-time known values

Changes

Expanded saneString predicate in ExecUnescaped.ql to recognize:

• IntegerLiteral, LongLiteral, BooleanLiteral
• Enum constant field accesses
• File.separator, File.pathSeparator, File.separatorChar, File.pathSeparatorChar
• System.getProperty("literal") calls with string literal arguments
• Class.getName(), getCanonicalName(), getSimpleName() calls
• Static Number.toString() and String.valueOf() with sane arguments
• Concatenation where both operands are sane

MRVA Validation

• Before: 21 alerts across top-100 Java repositories
• Expected after: ~5-7 alerts (eliminating FPs from System.getProperty + File.separator patterns in maven, logstash, flink, hadoop, feign)
• All eliminated alerts were confirmed false positives where programmer-controlled values were concatenated into commands

Why this is correct

• System.getProperty("java.home") returns the JVM installation path — not user-controllable at runtime
• File.separator is / or \\ depending on OS — a constant
• Class.getName() returns the compile-time class name — deterministic
• Enum values are compile-time constants