--taint-intrafile: any static $FOO.toString(tainted) call drops taint from its return value (JAVA) #613
Description
Describe the bug
When running with --taint-intrafile, any static method call named toString (e.g. Arrays.toString(x), Objects.toString(x)) drops taint from its return value. The tainted argument is consumed and the result is treated as clean, causing false negatives in rules that track data flow through such wrappers.
The bug does not occur without --taint-intrafile — the loose intra-procedural analysis correctly follows taint through toString() wrappers.
To Reproduce
Rule (rule.yml):

```yaml
rules:
  - id: test-tostring-taint
    languages: [java]
    mode: taint
    pattern-sources:
      - pattern: "(HttpServletRequest $REQ).getParameterValues(...)"
    pattern-propagators:
      - pattern: "$VAR = $TAINTED"
        from: "$TAINTED"
        to: "$VAR"
    pattern-sinks:
      - pattern: "$LOG.info($STR + ...)"
      - pattern: "$LOG.info(... + $STR)"
    message: tainted data in log
    severity: ERROR
```
Target (Test.java):

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;

@Controller
public class FormController {
    // Any logger with an info(String) method will do; the issue does not name one (SLF4J assumed).
    private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(FormController.class);

    public void processForm(HttpServletRequest request) {
        String[] values = request.getParameterValues("tags");   // taint source
        logger.info("Form tags: " + Arrays.toString(values));  // sink, reached via static toString
    }
}
```
Finds 1 result (correct):

```shell
opengrep --config=rule.yml Test.java
```

Finds 0 results (BUG):

```shell
opengrep --config=rule.yml --taint-intrafile Test.java
```
The bug is triggered by the method name toString alone, regardless of the class:

| Call (with `--taint-intrafile`) | Findings | Note |
|---|---|---|
| `Arrays.toString(values)` | 0 | taint dropped |
| `Objects.toString(values)` | 0 | taint dropped |
| `Foo.toString(values)` | 0 | taint dropped |
| `values.toString()` | 1 | instance method, works fine |
| `String.valueOf(values)` | 1 | works fine |
| `Arrays.asList(values)` | 1 | works fine |
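As an added regression check (not part of this issue or of opengrep), the following script scans each wrapper from the table above with and without `--taint-intrafile` and flags the ones where the flag drops the finding. It assumes an `opengrep` binary on PATH and semgrep-style `--json` output (an object whose `results` list holds entries with a `check_id`).

```python
"""Regression check: does --taint-intrafile drop taint through static toString()?
Assumptions (not from the issue): an `opengrep` binary on PATH, and semgrep-style
--json output, i.e. an object whose "results" list holds entries with "check_id"."""
import json
import subprocess
import tempfile
from pathlib import Path

RULE_ID = "test-tostring-taint"
RULE_YML = """rules:
  - id: test-tostring-taint
    languages: [java]
    mode: taint
    pattern-sources:
      - pattern: "(HttpServletRequest $REQ).getParameterValues(...)"
    pattern-propagators:
      - pattern: "$VAR = $TAINTED"
        from: "$TAINTED"
        to: "$VAR"
    pattern-sinks:
      - pattern: "$LOG.info($STR + ...)"
      - pattern: "$LOG.info(... + $STR)"
    message: tainted data in log
    severity: ERROR
"""
# Wrappers from the issue; each is expected to yield exactly one finding.
VARIANTS = ["Arrays.toString(values)", "Objects.toString(values)",
            "values.toString()", "String.valueOf(values)"]

def java_target(wrapper: str) -> str:
    """Constructed target: source -> wrapper -> logger.info sink, one per file."""
    return ("public class T {\n  void f(HttpServletRequest request) {\n"
            '    String[] values = request.getParameterValues("tags");\n'
            f'    logger.info("tags: " + {wrapper});\n  }}\n}}\n')

def count_findings(json_text: str, check_id: str = RULE_ID) -> int:
    """Count results for check_id; opengrep may prefix the id with the rule file path."""
    results = json.loads(json_text).get("results", [])
    return sum(1 for r in results if r.get("check_id", "").endswith(check_id))

def scan(rule: Path, target: Path, intrafile: bool) -> int:
    cmd = ["opengrep", "--json", f"--config={rule}"] + (["--taint-intrafile"] if intrafile else [])
    out = subprocess.run(cmd + [str(target)], capture_output=True, text=True, check=False)
    return count_findings(out.stdout)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        rule = Path(d, "rule.yml")
        rule.write_text(RULE_YML)
        for wrapper in VARIANTS:
            target = Path(d, "Test.java")
            target.write_text(java_target(wrapper))
            loose, intra = scan(rule, target, False), scan(rule, target, True)
            flag = "  <- dropped by --taint-intrafile" if intra < loose else ""
            print(f"{wrapper:28} loose={loose} intrafile={intra}{flag}")
```

On an affected build the two static `toString` rows print `loose=1 intrafile=0`; on a fixed build every row prints `1` in both columns.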
Expected behavior
Arrays.toString(values) should propagate taint to its return value — the sensitive data is fully present in the output string ([tag1, tag2, tag3]). A taint sink matching the logger.info(...) call should be reported.
What is the priority of the bug to you?
P1: important to fix or quite annoying
Environment
Official binary, version 1.15.1, macOS arm64.