
CleartextLogging.qhelp needs more help

Open jsoref opened this issue 1 year ago • 1 comment

https://github.com/github/codeql/blob/590e93d8edec4d7216935ed4425a7ab77b3b2f34/go/ql/src/Security/CWE-312/CleartextLogging.qhelp#L8-L9

https://github.com/check-spelling-sandbox/argo-cd/security/code-scanning/7

cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go:49

			case strings.HasPrefix(os.Args[1], "Username"):
				fmt.Println(creds.Username)
			case strings.HasPrefix(os.Args[1], "Password"):
				fmt.Println(creds.Password)
			default:
				errors.CheckError(fmt.Errorf("unknown credential type '%s'", os.Args[1]))
			}

CodeQL alert attached to the `fmt.Println(creds.Password)` line: "... flows to a logging call."

It's true, this code is printing a password; that's its job. It's a git credential.helper program.

This isn't "logging" a password, it's intentionally "printing" the password.

How does one tell CodeQL that this is intended behavior? Is the only real option to wait for https://github.com/github/codeql/issues/11427?

The help should say:

<p>
Be aware that the purpose of some programs is to print output.
Do not file tickets complaining about programs doing their jobs; it will not win you any warm fuzzies.
</p>

jsoref avatar Sep 25 '24 03:09 jsoref

Maybe the advice should be:

If this is intentional, use fmt.Stringer.String

with an example of how to use it. (I can't tell if that works, but https://github.com/github/codeql/commit/7b903dd0625c53172357b55cdaf3c352cfe7cd2d seems to hint that it might.)

jsoref avatar Sep 25 '24 03:09 jsoref
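The pattern the second comment gestures at, as an added example that is not part of the issue, of the argocd code, or of the CodeQL commit it links: a `Credentials` type that implements `fmt.Stringer` so that any incidental formatting of the struct (`%v`, `fmt.Println(creds)`, `log.Printf`) emits a redacted form, while the one deliberate credential-helper output path goes through a separate, explicitly named `Answer` function. The type, field names, and sample values are constructed for this example; whether CodeQL's CleartextLogging query treats the `String()` method as a sanitizer is exactly what the comment says is unverified, and this example does not settle that, it only shows the Go-level separation between "accidental logging" and "intended output".

```go
package main

import (
	"fmt"
	"log"
	"os"
	"strings"
)

// Credentials holds a username/password pair for a git credential helper.
// Constructed example type: the real argocd creds type is not shown in the issue.
type Credentials struct {
	Username string
	Password string
}

// String implements fmt.Stringer. Every %v/%s formatting, fmt.Println(creds) and
// log.Printf("%v", creds) goes through here, so the secret never reaches a log line
// by accident. The value receiver means both Credentials and *Credentials redact.
func (c Credentials) String() string {
	return fmt.Sprintf("Credentials{Username:%q, Password:[REDACTED]}", c.Username)
}

// Answer returns the value a credential helper must print for git's prompt
// ("Username for ..." or "Password for ..."). The Password branch is the single
// deliberate place the secret leaves the process, and it reads the field directly
// rather than formatting the struct, so the redacting String() is never bypassed
// implicitly elsewhere.
func Answer(prompt string, c Credentials) (string, error) {
	switch {
	case strings.HasPrefix(prompt, "Username"):
		return c.Username, nil
	case strings.HasPrefix(prompt, "Password"):
		return c.Password, nil
	default:
		return "", fmt.Errorf("unknown credential type '%s'", prompt)
	}
}

func main() {
	if len(os.Args) < 2 {
		log.Fatal("usage: helper <git-prompt>")
	}
	// Constructed sample values; a real helper would load these from its config.
	creds := Credentials{Username: "deploy-bot", Password: "hunter2-example"}

	// Diagnostic logging of the struct is safe: String() redacts the password.
	log.Printf("handling prompt %q for %v", os.Args[1], creds)

	out, err := Answer(os.Args[1], creds)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(out) // the intentional credential-helper output on stdout
}
```

Run as `go run . "Password for 'https://example.invalid'"`: stderr carries the redacted log line, stdout carries only the value git asked for. The useful property for review is that the only line that can emit the secret is the one `fmt.Println(out)` in `main`, which is the line a human (or a query exclusion) has to judge as intended.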