Go: Consider more strings as hardcoded credentials

atorralba · atorralba · commit d8c0ab8e1f2a · 2024-03-14T10:11:39.000+01:00
diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -37,11 +37,7 @@ module HardcodedCredentials {
 
   /** A hardcoded string literal as a source for hardcoded credentials. */
   private class HardcodedStringSource extends Source {
-    HardcodedStringSource() {
-      exists(StringLit val | this.asExpr() = val |
-        not PasswordHeuristics::isDummyPassword(val.getStringValue())
-      )
-    }
+    HardcodedStringSource() { this.asExpr() instanceof StringLit }
   }
 
   /** A use of a credential. */
diff --git a/go/ql/src/Security/CWE-798/HardcodedCredentials.ql b/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -60,6 +60,6 @@ where
   message = "Hard-coded private key."
   or
   HardcodedCredentials::Flow::flow(source, sink) and
-  type = SensitiveExpr::password() and
-  message = "Hard-coded credential."
+  type = SensitiveExpr::secret() and
+  message = "Hard-coded $@."
 select sink, message, source, type.toString()
