Description
Description of the false positive

It looks like the query language is connecting sources and sinks through a type checking system that is interpreting methods like `Object::toString`, when called on `Object` (when at runtime that type will be `String`), to be the same as `MyCustomType::toString`.
URL to the alert on the project page on LGTM.com
https://lgtm.com/projects/g/spring-projects/spring-framework/snapshot/a21fcec7555409e8859aba85fb2fe95d53760f80/files/spring-web/src/main/java/org/springframework/web/context/support/HttpRequestHandlerServlet.java?sort=name&dir=ASC&mode=heatmap#xe877feaabe7d1240:1
Analysis
QL correctly identifies a source of user-supplied data and correctly tracks it to a place where it is used in the `toString` method.

Now we have some arbitrary location in the codebase where `toString` is called on `Object`.

Now we see where those code paths allow this `toString` value to be returned up the stack.
Now we get to the sink location. However, we see that `StringUtils.arrayToDelimitedString` is being passed a `String[]`, not a `ServletWebRequest` (which is what would have made this an actual vulnerability).
TL;DR: Looks like a type confusion issue? Or perhaps there's no logic for detecting the true type that `toString` will be called on.
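To make the shape of the flow in the analysis above concrete, here is an added example (not code from spring-framework or from the LGTM/CodeQL query). `HypotheticalRequest` is a stand-in for `ServletWebRequest`, `describe` is the arbitrary `Object`-typed `toString` call site, and `join` stands in for `StringUtils.arrayToDelimitedString` so the file compiles without Spring on the classpath; all three names are assumptions made for the example.

```java
// Added example, not code from spring-framework or the LGTM query.
// Reproduces the reported flow with stand-in types so it compiles without Spring:
// HypotheticalRequest plays the role of ServletWebRequest, and join() stands in
// for StringUtils.arrayToDelimitedString.
public class ToStringDispatch {

    /** Stand-in for ServletWebRequest: toString() exposes user-controlled data. */
    static final class HypotheticalRequest {
        private final String uri; // attacker-controlled, like the request URI

        HypotheticalRequest(String uri) {
            this.uri = uri;
        }

        @Override
        public String toString() {
            return "Request[uri=" + uri + "]";
        }
    }

    /**
     * The static receiver type is Object, so a purely type-based analysis sees
     * Object::toString here. At runtime this dispatches to the receiver's real
     * class: HypotheticalRequest::toString (tainted) or String::toString (not).
     */
    static String describe(Object o) {
        return o.toString();
    }

    /** Stand-in for StringUtils.arrayToDelimitedString: the reported sink. */
    static String join(String[] parts, String delim) {
        return String.join(delim, parts);
    }

    public static void main(String[] args) {
        // Path 1: genuinely tainted. describe() is called on the request, whose
        // toString() carries user input. This is the part the query gets right.
        HypotheticalRequest req = new HypotheticalRequest("/evil?x=<script>");
        String tainted = describe(req);

        // Path 2: the alert's actual sink argument is a String[]. describe() is
        // called on plain Strings, so each toString() result is just that string
        // and never held request data. The two paths only look connected if
        // Object::toString is treated as one method regardless of the receiver.
        String[] values = { describe("a"), describe("b") };
        String joined = join(values, ",");

        System.out.println(tainted); // request data ends up here
        System.out.println(joined);  // "a,b": no request data involved
    }
}
```

Run with `javac ToStringDispatch.java && java ToStringDispatch`. A precise analysis has to resolve the receiver's runtime type (or at least keep `Object::toString` call sites apart by the types that can reach them) before it can tell path 1 from path 2; treating every `toString` override as the same method merges them and produces the reported alert.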