Rust: Improve alert messages.

geoffw0 · geoffw0 · commit aacbfc0fd88a · 2025-03-06T17:48:41.000Z
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -8,6 +8,26 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.internal.DataFlowImpl
 private import codeql.rust.security.SensitiveData
 
+/**
+ * A kind of cryptographic value.
+ */
+class CryptographicValueKind extends string {
+  CryptographicValueKind() { this = ["password", "key", "iv", "salt"] }
+
+  /**
+   * Gets a description of this value kind for user-facing messages.
+   */
+  string getDescription() {
+    this = "password" and result = "a password"
+    or
+    this = "key" and result = "a key"
+    or
+    this = "iv" and result = "an initialization vector"
+    or
+    this = "salt" and result = "a salt"
+  }
+}
+
 /**
  * Provides default sources, sinks and barriers for detecting hardcoded cryptographic
  * value vulnerabilities, as well as extension points for adding your own.
@@ -23,10 +43,9 @@ module HardcodedCryptographicValue {
    */
   abstract class Sink extends DataFlow::Node {
     /**
-     * Gets the kind of credential this sink is interpreted as,
-     * for example "password", "key", "iv", "salt".
+     * Gets the kind of credential this sink is interpreted as.
      */
-    abstract string getKind();
+    abstract CryptographicValueKind getKind();
   }
 
   /**
@@ -45,13 +64,10 @@ module HardcodedCryptographicValue {
    * A sink for hardcoded cryptographic value from model data.
    */
   private class ModelsAsDataSinks extends Sink {
-    string kind;
+    CryptographicValueKind kind;
 
-    ModelsAsDataSinks() {
-      kind = ["password", "key", "iv", "salt"] and
-      sinkNode(this, "credentials-" + kind)
-    }
+    ModelsAsDataSinks() { sinkNode(this, "credentials-" + kind) }
 
-    override string getKind() { result = kind }
+    override CryptographicValueKind getKind() { result = kind }
   }
 }
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
@@ -47,4 +47,4 @@ from
   HardcodedCryptographicValueFlow::PathNode source, HardcodedCryptographicValueFlow::PathNode sink
 where HardcodedCryptographicValueFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "This hard-coded value is used as $@.", sink,
-  sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind()
+  sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind().getDescription()
diff --git a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -1,40 +1,40 @@
 #select
-| test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:19:30:19:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:19:30:19:47 | ...::new | key |
-| test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:26:30:26:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:26:30:26:40 | ...::new | key |
-| test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:30:30:30:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:30:30:30:40 | ...::new | iv |
-| test_cipher.rs:37:28:37:28 | 0 | test_cipher.rs:37:28:37:28 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:31:37:31 | 0 | test_cipher.rs:37:31:37:31 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:34:37:34 | 0 | test_cipher.rs:37:34:37:34 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:37:37:37 | 0 | test_cipher.rs:37:37:37:37 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:40:37:40 | 0 | test_cipher.rs:37:40:37:40 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:43:37:43 | 0 | test_cipher.rs:37:43:37:43 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:46:37:46 | 0 | test_cipher.rs:37:46:37:46 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:49:37:49 | 0 | test_cipher.rs:37:49:37:49 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:52:37:52 | 0 | test_cipher.rs:37:52:37:52 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:55:37:55 | 0 | test_cipher.rs:37:55:37:55 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:58:37:58 | 0 | test_cipher.rs:37:58:37:58 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:61:37:61 | 0 | test_cipher.rs:37:61:37:61 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:64:37:64 | 0 | test_cipher.rs:37:64:37:64 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:67:37:67 | 0 | test_cipher.rs:37:67:37:67 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:70:37:70 | 0 | test_cipher.rs:37:70:37:70 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:37:73:37:73 | 0 | test_cipher.rs:37:73:37:73 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | key |
-| test_cipher.rs:41:30:41:30 | 0 | test_cipher.rs:41:30:41:30 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:33:41:33 | 0 | test_cipher.rs:41:33:41:33 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:36:41:36 | 0 | test_cipher.rs:41:36:41:36 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:39:41:39 | 0 | test_cipher.rs:41:39:41:39 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:42:41:42 | 0 | test_cipher.rs:41:42:41:42 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:45:41:45 | 0 | test_cipher.rs:41:45:41:45 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:48:41:48 | 0 | test_cipher.rs:41:48:41:48 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:51:41:51 | 0 | test_cipher.rs:41:51:41:51 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:54:41:54 | 0 | test_cipher.rs:41:54:41:54 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:57:41:57 | 0 | test_cipher.rs:41:57:41:57 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:60:41:60 | 0 | test_cipher.rs:41:60:41:60 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:63:41:63 | 0 | test_cipher.rs:41:63:41:63 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:66:41:66 | 0 | test_cipher.rs:41:66:41:66 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:69:41:69 | 0 | test_cipher.rs:41:69:41:69 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:72:41:72 | 0 | test_cipher.rs:41:72:41:72 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:41:75:41:75 | 0 | test_cipher.rs:41:75:41:75 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | key |
-| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | key |
+| test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:18:30:18:32 | 0u8 | test_cipher.rs:19:30:19:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:19:30:19:47 | ...::new | a key |
+| test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:25:30:25:32 | 0u8 | test_cipher.rs:26:30:26:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:26:30:26:40 | ...::new | a key |
+| test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:29:30:29:32 | 0u8 | test_cipher.rs:30:30:30:40 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:30:30:30:40 | ...::new | an initialization vector |
+| test_cipher.rs:37:28:37:28 | 0 | test_cipher.rs:37:28:37:28 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:31:37:31 | 0 | test_cipher.rs:37:31:37:31 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:34:37:34 | 0 | test_cipher.rs:37:34:37:34 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:37:37:37 | 0 | test_cipher.rs:37:37:37:37 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:40:37:40 | 0 | test_cipher.rs:37:40:37:40 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:43:37:43 | 0 | test_cipher.rs:37:43:37:43 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:46:37:46 | 0 | test_cipher.rs:37:46:37:46 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:49:37:49 | 0 | test_cipher.rs:37:49:37:49 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:52:37:52 | 0 | test_cipher.rs:37:52:37:52 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:55:37:55 | 0 | test_cipher.rs:37:55:37:55 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:58:37:58 | 0 | test_cipher.rs:37:58:37:58 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:61:37:61 | 0 | test_cipher.rs:37:61:37:61 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:64:37:64 | 0 | test_cipher.rs:37:64:37:64 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:67:37:67 | 0 | test_cipher.rs:37:67:37:67 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:70:37:70 | 0 | test_cipher.rs:37:70:37:70 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:37:73:37:73 | 0 | test_cipher.rs:37:73:37:73 | 0 | test_cipher.rs:38:30:38:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:38:30:38:47 | ...::new | a key |
+| test_cipher.rs:41:30:41:30 | 0 | test_cipher.rs:41:30:41:30 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:33:41:33 | 0 | test_cipher.rs:41:33:41:33 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:36:41:36 | 0 | test_cipher.rs:41:36:41:36 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:39:41:39 | 0 | test_cipher.rs:41:39:41:39 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:42:41:42 | 0 | test_cipher.rs:41:42:41:42 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:45:41:45 | 0 | test_cipher.rs:41:45:41:45 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:48:41:48 | 0 | test_cipher.rs:41:48:41:48 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:51:41:51 | 0 | test_cipher.rs:41:51:41:51 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:54:41:54 | 0 | test_cipher.rs:41:54:41:54 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:57:41:57 | 0 | test_cipher.rs:41:57:41:57 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:60:41:60 | 0 | test_cipher.rs:41:60:41:60 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:63:41:63 | 0 | test_cipher.rs:41:63:41:63 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:66:41:66 | 0 | test_cipher.rs:41:66:41:66 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:69:41:69 | 0 | test_cipher.rs:41:69:41:69 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:72:41:72 | 0 | test_cipher.rs:41:72:41:72 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:41:75:41:75 | 0 | test_cipher.rs:41:75:41:75 | 0 | test_cipher.rs:42:30:42:47 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:42:30:42:47 | ...::new | a key |
+| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | a key |
 edges
 | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | test_cipher.rs:19:73:19:78 | const1 [&ref, element] | provenance |  |
 | test_cipher.rs:18:28:18:36 | &... [&ref, element] | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | provenance |  |
