C++: Tune SensitiveExprs.qll based on real TP and FP results.

geoffw0 · geoffw0 · commit aabb2fc3a13d · 2021-07-15T14:25:29.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll b/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll
@@ -14,15 +14,12 @@ private predicate suspicious(string s) {
   (
     s.matches("%password%") or
     s.matches("%passwd%") or
-    s.matches("%account%") or
-    s.matches("%accnt%") or
     s.matches("%trusted%")
   ) and
   not (
     s.matches("%hash%") or
     s.matches("%crypt%") or
-    s.matches("%file%") or
-    s.matches("%conf%")
+    s.matches("%file%")
   )
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,6 +1,6 @@
 | test2.cpp:28:2:28:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:28:36:28:43 | password | this source. |
 | test2.cpp:29:2:29:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:29:37:29:45 | thepasswd | this source. |
-| test2.cpp:30:2:30:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:30:38:30:47 | accountkey | this source. |
+| test2.cpp:34:2:34:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:34:41:34:53 | passwd_config | this source. |
 | test2.cpp:40:3:40:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:37:18:37:25 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp
@@ -19,19 +19,19 @@ struct myStruct
 
 	// not sensitive
 	char *password_file;
+
+	// dubious
 	char *passwd_config;
-	
 };
-
 void tests(FILE *log, myStruct &s)
 {
 	fprintf(log, "password = %s\n", s.password); // BAD
 	fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD
-	fprintf(log, "accountkey = %s\n", s.accountkey); // BAD
+	fprintf(log, "accountkey = %s\n", s.accountkey); // DUBIOUS [NOT REPORTED]
 	fprintf(log, "password_hash = %s\n", s.password_hash); // GOOD
 	fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD
 	fprintf(log, "password_file = %s\n", s.password_file); // GOOD
-	fprintf(log, "passwd_config = %s\n", s.passwd_config); // GOOD
+	fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED]
 
 	{
 		char *cpy1 = s.password;

Original file line number	Diff line number	Diff line change
`@@ -14,15 +14,12 @@ private predicate suspicious(string s) {`
`14`	`14`	`(`
`15`	`15`	`s.matches("%password%") or`
`16`	`16`	`s.matches("%passwd%") or`
`17`		`- s.matches("%account%") or`
`18`		`- s.matches("%accnt%") or`
`19`	`17`	`s.matches("%trusted%")`
`20`	`18`	`) and`
`21`	`19`	`not (`
`22`	`20`	`s.matches("%hash%") or`
`23`	`21`	`s.matches("%crypt%") or`
`24`		`- s.matches("%file%") or`
`25`		`- s.matches("%conf%")`
	`22`	`+ s.matches("%file%")`
`26`	`23`	`)`
`27`	`24`	`}`
`28`	`25`