Adjust cap log sink model to exclude only constant only template literals

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll

@@ -22,6 +22,12 @@ class CdsLogger extends MethodCallNode {
   string getName() { result = name }
 }
 
+class ConstantOnlyTemplateLiteral extends TemplateLiteral {
+  ConstantOnlyTemplateLiteral() {
+    forall(Expr e | e = this.getAnElement() | e instanceof TemplateElement)
+  }
+}
+
 /**
  * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
  */
@@ -31,7 +37,7 @@ class CdsLogSink extends DataFlow::Node {
       this = loggingMethod.getAnArgument() and
       loggingMethod.getMethodName() = ["trace", "debug", "info", "log", "warn", "error"] and
       not this.asExpr() instanceof Literal and
-      not this.asExpr() instanceof TemplateLiteral and
+      not exists(ConstantOnlyTemplateLiteral t | this.asExpr() = t) and
       loggingMethod.getReceiver().getALocalSource() = log
     )
   }

javascript/frameworks/cap/test/models/cds/logger/logger.expected

@@ -5,3 +5,4 @@
 | logger.js:7:24:7:28 | code0 |
 | logger.js:8:25:8:29 | code0 |
 | logger.js:12:10:12:14 | code1 |
+| logger.js:14:10:14:28 | `logging: ${code1}` |

javascript/frameworks/cap/test/models/cds/logger/logger.js

@@ -10,3 +10,6 @@ cds.log('nodejs').error(code0);
 const code0 = "some-name";
 const LOG = cds.log(code0);
 LOG.info(code1);
+
+LOG.info(`logging: ${code1}`);
+LOG.info(`not actually logging`);