False negatives in anonymous-ldap-bind #3758

@tacu22

Description

Describe the bug
A clear and concise description of what the bug is and for which rule. Is the rule producing a false positive? Is it incorrect or missing something?

This is for:
https://semgrep.dev/playground/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind
https://semgrep.dev/playground/r/kotlin.lang.security.anonymous-ldap-bind.anonymous-ldap-bind

The current implementation can only handle the simplest data flow:

      $ENV.put($CTX.SECURITY_AUTHENTICATION, "none");
      ...
      $DCTX = new InitialDirContext($ENV, ...);

The rule fails to detect the code where environment setup and context initialization are in separate functions, which is a common pattern in environment initialization:

	import java.util.Properties;
	import javax.naming.Context;

	// Enclosing class name is a placeholder; only the method was in the original report
	public class LdapConfig {
		// Builds the JNDI environment; a null bindDn selects an anonymous bind
		private static Properties getJndiAuthenticationProperties(String bindDn,
				String bindPassword) {
			Properties props = new Properties();

			if (bindDn == null) {
				props.put(Context.SECURITY_AUTHENTICATION, "none");
			} else {
				props.put(Context.SECURITY_AUTHENTICATION, "simple");
				props.put(Context.SECURITY_PRINCIPAL, bindDn);
				props.put(Context.SECURITY_CREDENTIALS, bindPassword);
			}

			return props;
		}
	}

Expected behavior
A clear and concise description of what you expected to happen.

In my opinion, it would be better if the rule:

  1. Directly flag env.put(Context.SECURITY_AUTHENTICATION, "none") as suspicious, regardless of where env is used.
  2. Convert the rule to taint mode to enable cross‑function/file analysis.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: This will block me in the near future
  • P2: annoying but not blocking me
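The two suggestions in the report, written out as a pair of Semgrep rules. This is an added illustration, not a rule from the semgrep-rules repository or from the issue author: the rule ids are made up, the `"java.naming.security.authentication"` string is the literal value of `Context.SECURITY_AUTHENTICATION` (so it also catches code that bypasses the constant), and the `by-side-effect`/`focus-metavariable` source shape follows Semgrep's documented way of tainting a receiver object rather than a call's return value.

```yaml
rules:
  # Suggestion 1: flag the anonymous setting at the point it is written,
  # independent of where the environment object is consumed later.
  - id: anonymous-ldap-bind-direct        # hypothetical id
    languages: [java]
    severity: WARNING
    message: >-
      SECURITY_AUTHENTICATION is set to "none", which configures an anonymous
      LDAP bind. Use an authenticated bind with a dedicated service account.
    patterns:
      - pattern-either:
          - pattern: $ENV.put($CTX.SECURITY_AUTHENTICATION, "none")
          - pattern: $ENV.put("java.naming.security.authentication", "none")

  # Suggestion 2: taint mode. The Properties/Hashtable object is marked
  # tainted by side effect when "none" is written into it; the finding is
  # reported where that same object reaches a directory-context constructor.
  - id: anonymous-ldap-bind-taint         # hypothetical id
    mode: taint
    languages: [java]
    severity: WARNING
    message: >-
      A JNDI environment configured for an anonymous LDAP bind reaches a
      directory context constructor.
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: $ENV.put($CTX.SECURITY_AUTHENTICATION, "none")
              - pattern: $ENV.put("java.naming.security.authentication", "none")
          # taint the receiver ($ENV), not the boolean/Object returned by put()
          - focus-metavariable: $ENV
        by-side-effect: true
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: new InitialDirContext($ENV, ...)
              - pattern: new InitialLdapContext($ENV, ...)
          - focus-metavariable: $ENV
```

Run with `semgrep --config rules.yaml .` against the snippet above. The first rule fires inside `getJndiAuthenticationProperties` on its own; the second still needs the tainted `Properties` to be returned from that method and passed to the constructor in a caller, and Semgrep's OSS taint analysis is intraprocedural, so following the object across that function boundary (or across files) requires the interprocedural Pro engine. Keeping the direct rule alongside the taint rule is what closes the false negative in this report on the OSS engine.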

Labels: bug