C++: Exclude integral types from SensitiveExprs.

geoffw0 · geoffw0 · commit e5e8a1b781f8 · 2021-07-15T14:44:14.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll b/cpp/ql/src/semmle/code/cpp/security/SensitiveExprs.qll
@@ -27,14 +27,20 @@ private predicate suspicious(string s) {
  * A variable that might contain a password or other sensitive information.
  */
 class SensitiveVariable extends Variable {
-  SensitiveVariable() { suspicious(getName().toLowerCase()) }
+  SensitiveVariable() {
+    suspicious(getName().toLowerCase()) and
+    not this.getUnspecifiedType() instanceof IntegralType
+  }
 }
 
 /**
  * A function that might return a password or other sensitive information.
  */
 class SensitiveFunction extends Function {
-  SensitiveFunction() { suspicious(getName().toLowerCase()) }
+  SensitiveFunction() {
+    suspicious(getName().toLowerCase()) and
+    not this.getUnspecifiedType() instanceof IntegralType
+  }
 }
 
 /**
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,10 +1,7 @@
 | test2.cpp:35:2:35:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:35:36:35:43 | password | this source. |
 | test2.cpp:36:2:36:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:36:37:36:45 | thepasswd | this source. |
 | test2.cpp:41:2:41:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:41:41:41:53 | passwd_config | this source. |
-| test2.cpp:42:2:42:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:42:41:42:53 | num_passwords | this source. |
-| test2.cpp:43:2:43:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:43:39:43:49 | have_passwd | this source. |
 | test2.cpp:45:2:45:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:45:39:45:49 | call to getPassword | this source. |
-| test2.cpp:47:2:47:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:47:47:47:65 | call to getPasswordMaxChars | this source. |
 | test2.cpp:53:3:53:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:50:18:50:25 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp
@@ -39,12 +39,12 @@ void tests(FILE *log, myStruct &s)
 	fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD
 	fprintf(log, "password_file = %s\n", s.password_file); // GOOD
 	fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED]
-	fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD [FALSE POSITIVE]
-	fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD [FALSE POSITIVE]
+	fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD
+	fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD
 
 	fprintf(log, "getPassword() = %i\n", getPassword()); // BAD
 	fprintf(log, "getPasswordHash() = %i\n", getPasswordHash()); // GOOD
-	fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD [FALSE POSITIVE]
+	fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD
 
 	{
 		char *cpy1 = s.password;
