Add Apache Commons Logging and debugv method

luchua-bc · luchua-bc · commit 6d329bce6e37 · 2020-07-03T01:13:11.000Z
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -31,9 +31,10 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
   LoggerType() {
     this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
-    this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4J 2
+    this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4j 2
     this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
-    this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging
+    this.hasQualifiedName("org.jboss.logging", "Logger") or //JBoss Logging
+    this.hasQualifiedName("org.apache.commons.logging", "Log") //Apache Commons Logging
   }
 }
 
@@ -43,7 +44,8 @@ predicate isSensitiveLoggingSink(DataFlow::Node sink) {
     (
       ma.getMethod().hasName("debug") or
       ma.getMethod().hasName("trace") or
-      ma.getMethod().hasName("debugf")
+      ma.getMethod().hasName("debugf") or
+      ma.getMethod().hasName("debugv")
     ) and //Check low priority log levels which are more likely to be real issues to reduce false positives
     sink.asExpr() = ma.getAnArgument()
   )

Original file line number	Diff line number	Diff line change
`@@ -31,9 +31,10 @@ class CredentialExpr extends Expr {`
`31`	`31`	`class LoggerType extends RefType {`
`32`	`32`	`LoggerType() {`
`33`	`33`	`this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J`
`34`		`- this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4J 2`
	`34`	`+ this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4j 2`
`35`	`35`	`this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging`
`36`		`- this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging`
	`36`	`+ this.hasQualifiedName("org.jboss.logging", "Logger") or //JBoss Logging`
	`37`	`+ this.hasQualifiedName("org.apache.commons.logging", "Log") //Apache Commons Logging`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`
`@@ -43,7 +44,8 @@ predicate isSensitiveLoggingSink(DataFlow::Node sink) {`
`43`	`44`	`(`
`44`	`45`	`ma.getMethod().hasName("debug") or`
`45`	`46`	`ma.getMethod().hasName("trace") or`
`46`		`- ma.getMethod().hasName("debugf")`
	`47`	`+ ma.getMethod().hasName("debugf") or`
	`48`	`+ ma.getMethod().hasName("debugv")`
`47`	`49`	`) and //Check low priority log levels which are more likely to be real issues to reduce false positives`
`48`	`50`	`sink.asExpr() = ma.getAnArgument()`
`49`	`51`	`)`