Make cleartext logging tests more realistic

owen-mc · owen-mc · commit 646d28feeba9 · 2025-03-20T15:08:00.000Z
diff --git a/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -1,35 +1,35 @@
 #select
 | klog.go:23:15:23:20 | header | klog.go:21:30:21:37 | selection of Header | klog.go:23:15:23:20 | header | $@ flows to a logging call. | klog.go:21:30:21:37 | selection of Header | Sensitive data returned by HTTP request headers |
 | klog.go:29:13:29:41 | call to Get | klog.go:29:13:29:20 | selection of Header | klog.go:29:13:29:41 | call to Get | $@ flows to a logging call. | klog.go:29:13:29:20 | selection of Header | Sensitive data returned by HTTP request headers |
-| main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | main.go:15:12:15:19 | password | $@ flows to a logging call. | main.go:15:12:15:19 | password | Sensitive data returned by an access to password |
-| main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | main.go:16:17:16:24 | password | $@ flows to a logging call. | main.go:16:17:16:24 | password | Sensitive data returned by an access to password |
-| main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | main.go:17:13:17:20 | password | $@ flows to a logging call. | main.go:17:13:17:20 | password | Sensitive data returned by an access to password |
-| main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | main.go:18:14:18:21 | password | $@ flows to a logging call. | main.go:18:14:18:21 | password | Sensitive data returned by an access to password |
-| main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | main.go:19:12:19:19 | password | $@ flows to a logging call. | main.go:19:12:19:19 | password | Sensitive data returned by an access to password |
-| main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | main.go:20:17:20:24 | password | $@ flows to a logging call. | main.go:20:17:20:24 | password | Sensitive data returned by an access to password |
-| main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | main.go:21:13:21:20 | password | $@ flows to a logging call. | main.go:21:13:21:20 | password | Sensitive data returned by an access to password |
-| main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | main.go:22:14:22:21 | password | $@ flows to a logging call. | main.go:22:14:22:21 | password | Sensitive data returned by an access to password |
-| main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | main.go:23:12:23:19 | password | $@ flows to a logging call. | main.go:23:12:23:19 | password | Sensitive data returned by an access to password |
-| main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | main.go:24:17:24:24 | password | $@ flows to a logging call. | main.go:24:17:24:24 | password | Sensitive data returned by an access to password |
-| main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | main.go:25:13:25:20 | password | $@ flows to a logging call. | main.go:25:13:25:20 | password | Sensitive data returned by an access to password |
-| main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | main.go:26:14:26:21 | password | $@ flows to a logging call. | main.go:26:14:26:21 | password | Sensitive data returned by an access to password |
-| main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | main.go:27:16:27:23 | password | $@ flows to a logging call. | main.go:27:16:27:23 | password | Sensitive data returned by an access to password |
-| main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | main.go:30:10:30:17 | password | $@ flows to a logging call. | main.go:30:10:30:17 | password | Sensitive data returned by an access to password |
-| main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | main.go:31:15:31:22 | password | $@ flows to a logging call. | main.go:31:15:31:22 | password | Sensitive data returned by an access to password |
-| main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | main.go:32:11:32:18 | password | $@ flows to a logging call. | main.go:32:11:32:18 | password | Sensitive data returned by an access to password |
-| main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | main.go:33:12:33:19 | password | $@ flows to a logging call. | main.go:33:12:33:19 | password | Sensitive data returned by an access to password |
-| main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | main.go:34:10:34:17 | password | $@ flows to a logging call. | main.go:34:10:34:17 | password | Sensitive data returned by an access to password |
-| main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | main.go:35:15:35:22 | password | $@ flows to a logging call. | main.go:35:15:35:22 | password | Sensitive data returned by an access to password |
-| main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | main.go:36:11:36:18 | password | $@ flows to a logging call. | main.go:36:11:36:18 | password | Sensitive data returned by an access to password |
-| main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | main.go:37:12:37:19 | password | $@ flows to a logging call. | main.go:37:12:37:19 | password | Sensitive data returned by an access to password |
-| main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | main.go:38:10:38:17 | password | $@ flows to a logging call. | main.go:38:10:38:17 | password | Sensitive data returned by an access to password |
-| main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | main.go:39:15:39:22 | password | $@ flows to a logging call. | main.go:39:15:39:22 | password | Sensitive data returned by an access to password |
-| main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | main.go:40:11:40:18 | password | $@ flows to a logging call. | main.go:40:11:40:18 | password | Sensitive data returned by an access to password |
-| main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | main.go:41:12:41:19 | password | $@ flows to a logging call. | main.go:41:12:41:19 | password | Sensitive data returned by an access to password |
-| main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | main.go:42:14:42:21 | password | $@ flows to a logging call. | main.go:42:14:42:21 | password | Sensitive data returned by an access to password |
-| main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | main.go:44:12:44:19 | password | $@ flows to a logging call. | main.go:44:12:44:19 | password | Sensitive data returned by an access to password |
-| main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | main.go:45:17:45:24 | password | $@ flows to a logging call. | main.go:45:17:45:24 | password | Sensitive data returned by an access to password |
-| main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | main.go:52:35:52:42 | password | $@ flows to a logging call. | main.go:52:35:52:42 | password | Sensitive data returned by an access to password |
+| main.go:16:12:16:19 | password | main.go:16:12:16:19 | password | main.go:16:12:16:19 | password | $@ flows to a logging call. | main.go:16:12:16:19 | password | Sensitive data returned by an access to password |
+| main.go:17:19:17:26 | password | main.go:17:19:17:26 | password | main.go:17:19:17:26 | password | $@ flows to a logging call. | main.go:17:19:17:26 | password | Sensitive data returned by an access to password |
+| main.go:18:13:18:20 | password | main.go:18:13:18:20 | password | main.go:18:13:18:20 | password | $@ flows to a logging call. | main.go:18:13:18:20 | password | Sensitive data returned by an access to password |
+| main.go:19:14:19:21 | password | main.go:19:14:19:21 | password | main.go:19:14:19:21 | password | $@ flows to a logging call. | main.go:19:14:19:21 | password | Sensitive data returned by an access to password |
+| main.go:20:12:20:19 | password | main.go:20:12:20:19 | password | main.go:20:12:20:19 | password | $@ flows to a logging call. | main.go:20:12:20:19 | password | Sensitive data returned by an access to password |
+| main.go:21:19:21:26 | password | main.go:21:19:21:26 | password | main.go:21:19:21:26 | password | $@ flows to a logging call. | main.go:21:19:21:26 | password | Sensitive data returned by an access to password |
+| main.go:22:13:22:20 | password | main.go:22:13:22:20 | password | main.go:22:13:22:20 | password | $@ flows to a logging call. | main.go:22:13:22:20 | password | Sensitive data returned by an access to password |
+| main.go:23:14:23:21 | password | main.go:23:14:23:21 | password | main.go:23:14:23:21 | password | $@ flows to a logging call. | main.go:23:14:23:21 | password | Sensitive data returned by an access to password |
+| main.go:24:12:24:19 | password | main.go:24:12:24:19 | password | main.go:24:12:24:19 | password | $@ flows to a logging call. | main.go:24:12:24:19 | password | Sensitive data returned by an access to password |
+| main.go:25:19:25:26 | password | main.go:25:19:25:26 | password | main.go:25:19:25:26 | password | $@ flows to a logging call. | main.go:25:19:25:26 | password | Sensitive data returned by an access to password |
+| main.go:26:13:26:20 | password | main.go:26:13:26:20 | password | main.go:26:13:26:20 | password | $@ flows to a logging call. | main.go:26:13:26:20 | password | Sensitive data returned by an access to password |
+| main.go:27:14:27:21 | password | main.go:27:14:27:21 | password | main.go:27:14:27:21 | password | $@ flows to a logging call. | main.go:27:14:27:21 | password | Sensitive data returned by an access to password |
+| main.go:28:16:28:23 | password | main.go:28:16:28:23 | password | main.go:28:16:28:23 | password | $@ flows to a logging call. | main.go:28:16:28:23 | password | Sensitive data returned by an access to password |
+| main.go:31:10:31:17 | password | main.go:31:10:31:17 | password | main.go:31:10:31:17 | password | $@ flows to a logging call. | main.go:31:10:31:17 | password | Sensitive data returned by an access to password |
+| main.go:32:17:32:24 | password | main.go:32:17:32:24 | password | main.go:32:17:32:24 | password | $@ flows to a logging call. | main.go:32:17:32:24 | password | Sensitive data returned by an access to password |
+| main.go:33:11:33:18 | password | main.go:33:11:33:18 | password | main.go:33:11:33:18 | password | $@ flows to a logging call. | main.go:33:11:33:18 | password | Sensitive data returned by an access to password |
+| main.go:34:12:34:19 | password | main.go:34:12:34:19 | password | main.go:34:12:34:19 | password | $@ flows to a logging call. | main.go:34:12:34:19 | password | Sensitive data returned by an access to password |
+| main.go:35:10:35:17 | password | main.go:35:10:35:17 | password | main.go:35:10:35:17 | password | $@ flows to a logging call. | main.go:35:10:35:17 | password | Sensitive data returned by an access to password |
+| main.go:36:17:36:24 | password | main.go:36:17:36:24 | password | main.go:36:17:36:24 | password | $@ flows to a logging call. | main.go:36:17:36:24 | password | Sensitive data returned by an access to password |
+| main.go:37:11:37:18 | password | main.go:37:11:37:18 | password | main.go:37:11:37:18 | password | $@ flows to a logging call. | main.go:37:11:37:18 | password | Sensitive data returned by an access to password |
+| main.go:38:12:38:19 | password | main.go:38:12:38:19 | password | main.go:38:12:38:19 | password | $@ flows to a logging call. | main.go:38:12:38:19 | password | Sensitive data returned by an access to password |
+| main.go:39:10:39:17 | password | main.go:39:10:39:17 | password | main.go:39:10:39:17 | password | $@ flows to a logging call. | main.go:39:10:39:17 | password | Sensitive data returned by an access to password |
+| main.go:40:17:40:24 | password | main.go:40:17:40:24 | password | main.go:40:17:40:24 | password | $@ flows to a logging call. | main.go:40:17:40:24 | password | Sensitive data returned by an access to password |
+| main.go:41:11:41:18 | password | main.go:41:11:41:18 | password | main.go:41:11:41:18 | password | $@ flows to a logging call. | main.go:41:11:41:18 | password | Sensitive data returned by an access to password |
+| main.go:42:12:42:19 | password | main.go:42:12:42:19 | password | main.go:42:12:42:19 | password | $@ flows to a logging call. | main.go:42:12:42:19 | password | Sensitive data returned by an access to password |
+| main.go:43:14:43:21 | password | main.go:43:14:43:21 | password | main.go:43:14:43:21 | password | $@ flows to a logging call. | main.go:43:14:43:21 | password | Sensitive data returned by an access to password |
+| main.go:45:12:45:19 | password | main.go:45:12:45:19 | password | main.go:45:12:45:19 | password | $@ flows to a logging call. | main.go:45:12:45:19 | password | Sensitive data returned by an access to password |
+| main.go:46:17:46:24 | password | main.go:46:17:46:24 | password | main.go:46:17:46:24 | password | $@ flows to a logging call. | main.go:46:17:46:24 | password | Sensitive data returned by an access to password |
+| main.go:53:35:53:42 | password | main.go:53:35:53:42 | password | main.go:53:35:53:42 | password | $@ flows to a logging call. | main.go:53:35:53:42 | password | Sensitive data returned by an access to password |
 | overrides.go:13:14:13:23 | call to String | overrides.go:9:9:9:16 | password | overrides.go:13:14:13:23 | call to String | $@ flows to a logging call. | overrides.go:9:9:9:16 | password | Sensitive data returned by an access to password |
 | passwords.go:9:14:9:14 | x | passwords.go:30:8:30:15 | password | passwords.go:9:14:9:14 | x | $@ flows to a logging call. | passwords.go:30:8:30:15 | password | Sensitive data returned by an access to password |
 | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | passwords.go:25:14:25:21 | password | $@ flows to a logging call. | passwords.go:25:14:25:21 | password | Sensitive data returned by an access to password |
@@ -108,35 +108,35 @@ nodes
 | klog.go:23:15:23:20 | header | semmle.label | header |
 | klog.go:29:13:29:20 | selection of Header | semmle.label | selection of Header |
 | klog.go:29:13:29:41 | call to Get | semmle.label | call to Get |
-| main.go:15:12:15:19 | password | semmle.label | password |
-| main.go:16:17:16:24 | password | semmle.label | password |
-| main.go:17:13:17:20 | password | semmle.label | password |
-| main.go:18:14:18:21 | password | semmle.label | password |
-| main.go:19:12:19:19 | password | semmle.label | password |
-| main.go:20:17:20:24 | password | semmle.label | password |
-| main.go:21:13:21:20 | password | semmle.label | password |
-| main.go:22:14:22:21 | password | semmle.label | password |
-| main.go:23:12:23:19 | password | semmle.label | password |
-| main.go:24:17:24:24 | password | semmle.label | password |
-| main.go:25:13:25:20 | password | semmle.label | password |
-| main.go:26:14:26:21 | password | semmle.label | password |
-| main.go:27:16:27:23 | password | semmle.label | password |
-| main.go:30:10:30:17 | password | semmle.label | password |
-| main.go:31:15:31:22 | password | semmle.label | password |
-| main.go:32:11:32:18 | password | semmle.label | password |
-| main.go:33:12:33:19 | password | semmle.label | password |
-| main.go:34:10:34:17 | password | semmle.label | password |
-| main.go:35:15:35:22 | password | semmle.label | password |
-| main.go:36:11:36:18 | password | semmle.label | password |
-| main.go:37:12:37:19 | password | semmle.label | password |
-| main.go:38:10:38:17 | password | semmle.label | password |
-| main.go:39:15:39:22 | password | semmle.label | password |
-| main.go:40:11:40:18 | password | semmle.label | password |
-| main.go:41:12:41:19 | password | semmle.label | password |
-| main.go:42:14:42:21 | password | semmle.label | password |
-| main.go:44:12:44:19 | password | semmle.label | password |
-| main.go:45:17:45:24 | password | semmle.label | password |
-| main.go:52:35:52:42 | password | semmle.label | password |
+| main.go:16:12:16:19 | password | semmle.label | password |
+| main.go:17:19:17:26 | password | semmle.label | password |
+| main.go:18:13:18:20 | password | semmle.label | password |
+| main.go:19:14:19:21 | password | semmle.label | password |
+| main.go:20:12:20:19 | password | semmle.label | password |
+| main.go:21:19:21:26 | password | semmle.label | password |
+| main.go:22:13:22:20 | password | semmle.label | password |
+| main.go:23:14:23:21 | password | semmle.label | password |
+| main.go:24:12:24:19 | password | semmle.label | password |
+| main.go:25:19:25:26 | password | semmle.label | password |
+| main.go:26:13:26:20 | password | semmle.label | password |
+| main.go:27:14:27:21 | password | semmle.label | password |
+| main.go:28:16:28:23 | password | semmle.label | password |
+| main.go:31:10:31:17 | password | semmle.label | password |
+| main.go:32:17:32:24 | password | semmle.label | password |
+| main.go:33:11:33:18 | password | semmle.label | password |
+| main.go:34:12:34:19 | password | semmle.label | password |
+| main.go:35:10:35:17 | password | semmle.label | password |
+| main.go:36:17:36:24 | password | semmle.label | password |
+| main.go:37:11:37:18 | password | semmle.label | password |
+| main.go:38:12:38:19 | password | semmle.label | password |
+| main.go:39:10:39:17 | password | semmle.label | password |
+| main.go:40:17:40:24 | password | semmle.label | password |
+| main.go:41:11:41:18 | password | semmle.label | password |
+| main.go:42:12:42:19 | password | semmle.label | password |
+| main.go:43:14:43:21 | password | semmle.label | password |
+| main.go:45:12:45:19 | password | semmle.label | password |
+| main.go:46:17:46:24 | password | semmle.label | password |
+| main.go:53:35:53:42 | password | semmle.label | password |
 | overrides.go:9:9:9:16 | password | semmle.label | password |
 | overrides.go:13:14:13:23 | call to String | semmle.label | call to String |
 | passwords.go:8:12:8:12 | definition of x | semmle.label | definition of x |
diff --git a/go/ql/test/query-tests/Security/CWE-312/main.go b/go/ql/test/query-tests/Security/CWE-312/main.go
@@ -4,42 +4,43 @@ package main
 //go:generate depstubber -vendor github.com/golang/glog "" Info
 
 import (
+	"log"
+
 	"github.com/golang/glog"
 	"github.com/sirupsen/logrus"
-	"log"
 )
 
 func main() {
 	password := "P4ssw0rd"
 
-	log.Print(password)      // $ Alert
-	log.Printf("", password) // $ Alert
-	log.Printf(password, "") // $ Alert
-	log.Println(password)    // $ Alert
-	log.Fatal(password)      // $ Alert
-	log.Fatalf("", password) // $ Alert
-	log.Fatalf(password, "") // $ Alert
-	log.Fatalln(password)    // $ Alert
-	log.Panic(password)      // $ Alert
-	log.Panicf("", password) // $ Alert
-	log.Panicf(password, "") // $ Alert
-	log.Panicln(password)    // $ Alert
-	log.Output(0, password)  // $ Alert
+	log.Print(password)        // $ Alert
+	log.Printf("%s", password) // $ Alert
+	log.Printf(password, "")   // $ Alert
+	log.Println(password)      // $ Alert
+	log.Fatal(password)        // $ Alert
+	log.Fatalf("%s", password) // $ Alert
+	log.Fatalf(password, "")   // $ Alert
+	log.Fatalln(password)      // $ Alert
+	log.Panic(password)        // $ Alert
+	log.Panicf("%s", password) // $ Alert
+	log.Panicf(password, "")   // $ Alert
+	log.Panicln(password)      // $ Alert
+	log.Output(0, password)    // $ Alert
 
 	l := log.Default()
-	l.Print(password)      // $ Alert
-	l.Printf("", password) // $ Alert
-	l.Printf(password, "") // $ Alert
-	l.Println(password)    // $ Alert
-	l.Fatal(password)      // $ Alert
-	l.Fatalf("", password) // $ Alert
-	l.Fatalf(password, "") // $ Alert
-	l.Fatalln(password)    // $ Alert
-	l.Panic(password)      // $ Alert
-	l.Panicf("", password) // $ Alert
-	l.Panicf(password, "") // $ Alert
-	l.Panicln(password)    // $ Alert
-	l.Output(0, password)  // $ Alert
+	l.Print(password)        // $ Alert
+	l.Printf("%s", password) // $ Alert
+	l.Printf(password, "")   // $ Alert
+	l.Println(password)      // $ Alert
+	l.Fatal(password)        // $ Alert
+	l.Fatalf("%s", password) // $ Alert
+	l.Fatalf(password, "")   // $ Alert
+	l.Fatalln(password)      // $ Alert
+	l.Panic(password)        // $ Alert
+	l.Panicf("%s", password) // $ Alert
+	l.Panicf(password, "")   // $ Alert
+	l.Panicln(password)      // $ Alert
+	l.Output(0, password)    // $ Alert
 
 	glog.Info(password)      // $ Alert
 	logrus.Warning(password) // $ Alert
