Exclude certificates from being cinsidered sensitive data by cleartext-storage and cleartext-logging queries

joefarebrother · joefarebrother · commit 1cb23e7e8650 · 2024-08-27T14:18:39.000+01:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll
@@ -41,7 +41,8 @@ module CleartextLogging {
    */
   class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
     SensitiveDataSourceAsSource() {
-      not SensitiveDataSource.super.getClassification() = SensitiveDataClassification::id()
+      not SensitiveDataSource.super.getClassification() =
+        [SensitiveDataClassification::id(), SensitiveDataClassification::certificate()]
     }
 
     override SensitiveDataClassification getClassification() {
diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageCustomizations.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageCustomizations.qll
@@ -40,7 +40,8 @@ module CleartextStorage {
    */
   class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
     SensitiveDataSourceAsSource() {
-      not SensitiveDataSource.super.getClassification() = SensitiveDataClassification::id()
+      not SensitiveDataSource.super.getClassification() =
+        [SensitiveDataClassification::id(), SensitiveDataClassification::certificate()]
     }
 
     override SensitiveDataClassification getClassification() {

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,8 @@ module CleartextLogging {`
`41`	`41`	`*/`
`42`	`42`	`class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {`
`43`	`43`	`SensitiveDataSourceAsSource() {`
`44`		`- not SensitiveDataSource.super.getClassification() = SensitiveDataClassification::id()`
	`44`	`+ not SensitiveDataSource.super.getClassification() =`
	`45`	`+ [SensitiveDataClassification::id(), SensitiveDataClassification::certificate()]`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`override SensitiveDataClassification getClassification() {`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,8 @@ module CleartextStorage {`
`40`	`40`	`*/`
`41`	`41`	`class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {`
`42`	`42`	`SensitiveDataSourceAsSource() {`
`43`		`- not SensitiveDataSource.super.getClassification() = SensitiveDataClassification::id()`
	`43`	`+ not SensitiveDataSource.super.getClassification() =`
	`44`	`+ [SensitiveDataClassification::id(), SensitiveDataClassification::certificate()]`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`override SensitiveDataClassification getClassification() {`