Swift: Fix the test regression.

geoffw0 · geoffw0 · commit a4e9d38abb71 · 2023-03-22T16:44:29.000Z
diff --git a/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql b/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
@@ -33,15 +33,15 @@ class ConstantPasswordSink extends Expr {
   ConstantPasswordSink() {
     // `password` arg in `init` is a sink
     exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
-      c.getFullName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel("password").getExpr() = this
     )
     or
     // RNCryptor (labelled arguments)
     exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() = this
diff --git a/swift/ql/src/queries/Security/CWE-760/ConstantSalt.ql b/swift/ql/src/queries/Security/CWE-760/ConstantSalt.ql
@@ -34,15 +34,15 @@ class ConstantSaltSink extends Expr {
   ConstantSaltSink() {
     // `salt` arg in `init` is a sink
     exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
-      c.getFullName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel("salt").getExpr() = this
     )
     or
     // RNCryptor
     exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() = this
diff --git a/swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql b/swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql
@@ -34,7 +34,7 @@ class InsufficientHashIterationsSink extends Expr {
   InsufficientHashIterationsSink() {
     // `iterations` arg in `init` is a sink
     exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
-      c.getFullName() = ["PBKDF1", "PBKDF2"] and
+      c.getName() = ["PBKDF1", "PBKDF2"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel("iterations").getExpr() = this
diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
@@ -18,6 +18,8 @@ edges
 | rncryptor.swift:69:24:69:24 | abc123 :  | rncryptor.swift:107:61:107:61 | myConstPassword |
 | rncryptor.swift:69:24:69:24 | abc123 :  | rncryptor.swift:108:97:108:97 | myConstPassword |
 | test.swift:43:39:43:134 | [...] :  | test.swift:51:30:51:30 | constantPassword |
+| test.swift:43:39:43:134 | [...] :  | test.swift:56:40:56:40 | constantPassword |
+| test.swift:43:39:43:134 | [...] :  | test.swift:62:40:62:40 | constantPassword |
 | test.swift:43:39:43:134 | [...] :  | test.swift:67:34:67:34 | constantPassword |
 nodes
 | rncryptor.swift:69:24:69:24 | abc123 :  | semmle.label | abc123 :  |
@@ -41,6 +43,8 @@ nodes
 | rncryptor.swift:108:97:108:97 | myConstPassword | semmle.label | myConstPassword |
 | test.swift:43:39:43:134 | [...] :  | semmle.label | [...] :  |
 | test.swift:51:30:51:30 | constantPassword | semmle.label | constantPassword |
+| test.swift:56:40:56:40 | constantPassword | semmle.label | constantPassword |
+| test.swift:62:40:62:40 | constantPassword | semmle.label | constantPassword |
 | test.swift:67:34:67:34 | constantPassword | semmle.label | constantPassword |
 subpaths
 #select
@@ -63,4 +67,6 @@ subpaths
 | rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 :  | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. |
 | rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 :  | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. |
 | test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] :  | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] :  | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] :  | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. |
 | test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] :  | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. |
diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected
@@ -15,6 +15,8 @@ edges
 | rncryptor.swift:60:29:60:29 | 0 :  | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) :  |
 | rncryptor.swift:60:29:60:29 | 0 :  | rncryptor.swift:60:24:60:30 | call to Data.init(_:) :  |
 | test.swift:43:35:43:130 | [...] :  | test.swift:51:49:51:49 | constantSalt |
+| test.swift:43:35:43:130 | [...] :  | test.swift:56:59:56:59 | constantSalt |
+| test.swift:43:35:43:130 | [...] :  | test.swift:62:59:62:59 | constantSalt |
 | test.swift:43:35:43:130 | [...] :  | test.swift:67:53:67:53 | constantSalt |
 nodes
 | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) :  | semmle.label | [summary] to write: return (return) in Data.init(_:) :  |
@@ -35,6 +37,8 @@ nodes
 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | semmle.label | myConstantSalt2 |
 | test.swift:43:35:43:130 | [...] :  | semmle.label | [...] :  |
 | test.swift:51:49:51:49 | constantSalt | semmle.label | constantSalt |
+| test.swift:56:59:56:59 | constantSalt | semmle.label | constantSalt |
+| test.swift:62:59:62:59 | constantSalt | semmle.label | constantSalt |
 | test.swift:67:53:67:53 | constantSalt | semmle.label | constantSalt |
 subpaths
 | rncryptor.swift:59:29:59:29 | abcdef123456 :  | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) :  | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) :  | rncryptor.swift:59:24:59:43 | call to Data.init(_:) :  |
@@ -51,4 +55,6 @@ subpaths
 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 :  | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 :  | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value '0' is used as a constant salt, which is insecure for hashing passwords. |
 | test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] :  | test.swift:51:49:51:49 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
+| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] :  | test.swift:56:59:56:59 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
+| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] :  | test.swift:62:59:62:59 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
 | test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] :  | test.swift:67:53:67:53 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
diff --git a/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected b/swift/ql/test/query-tests/Security/CWE-916/InsufficientHashIterations.expected
@@ -1,4 +1,17 @@
 edges
+| test.swift:20:45:20:45 | 99999 :  | test.swift:33:22:33:43 | call to getLowIterationCount() :  |
+| test.swift:33:22:33:43 | call to getLowIterationCount() :  | test.swift:37:84:37:84 | lowIterations |
+| test.swift:33:22:33:43 | call to getLowIterationCount() :  | test.swift:44:84:44:84 | lowIterations |
 nodes
+| test.swift:20:45:20:45 | 99999 :  | semmle.label | 99999 :  |
+| test.swift:33:22:33:43 | call to getLowIterationCount() :  | semmle.label | call to getLowIterationCount() :  |
+| test.swift:37:84:37:84 | lowIterations | semmle.label | lowIterations |
+| test.swift:38:84:38:84 | 80000 | semmle.label | 80000 |
+| test.swift:44:84:44:84 | lowIterations | semmle.label | lowIterations |
+| test.swift:45:84:45:84 | 80000 | semmle.label | 80000 |
 subpaths
 #select
+| test.swift:37:84:37:84 | lowIterations | test.swift:20:45:20:45 | 99999 :  | test.swift:37:84:37:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. |
+| test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | test.swift:38:84:38:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. |
+| test.swift:44:84:44:84 | lowIterations | test.swift:20:45:20:45 | 99999 :  | test.swift:44:84:44:84 | lowIterations | The value '99999' is an insufficient number of iterations for secure password hashing. |
+| test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | test.swift:45:84:45:84 | 80000 | The value '80000' is an insufficient number of iterations for secure password hashing. |
