Address review comments second round

Author: knewbury01

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.md

@@ -4,6 +4,8 @@ If sensitive information is written to a log entry using the CAP Node.js logging
 
 Data that may expose system information such as full path names, system information, usernames and passwords should not be logged.
 
+This query is similar to `js/cap-sensitive-log` in that the sinks are CAP logging facilities. The sources however are the same (exclusively) as the out of the box CodeQL query for [clear text logging](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-logging/).
+
 ## Recommendation
 
 CAP applications should not log sensitive information. Sensitive information can include: full path names, system information, usernames, passwords or any personally identifiable information. Make sure to log only information that is not sensitive, or obfuscate/encrypt sensitive information any time that it is logged.
@@ -19,7 +21,18 @@ const LOG = cds.log("logger");
 class SampleVulnService extends cds.ApplicationService {
     init() {
         LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
-        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+        var obj = {
+            x: password
+        };
+
+        LOG.info(obj); // CAP log exposure alert
+
+        LOG.info(obj.x.replace(/./g, "*")); // NO CAP log exposure alert - replace call acts as sanitizer 
+
+        var user = {
+            password: encryptLib.encryptPassword(password)
+        };
+        LOG.info(user); // NO CAP log exposure alert - the data is encrypted
     }
 }
 ```