Merge pull request #15480 from ockers/ockers/certification_not_certificate

False positive in SensitiveDataHeuristics - exclude certification from maybeCertificate() regex

Author: erik-krogh

javascript/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

python/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

ruby/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence

swift/ql/lib/change-notes/2024-01-30-certification_not_certificate.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.

swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll

@@ -75,7 +75,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of
    * a certificate.
    */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence