Swift: Add additional taint steps into fields.

geoffw0 · geoffw0 · commit ffa279e87b1a · 2023-03-09T17:17:42.000Z
ed
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll
@@ -122,14 +122,21 @@ private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStora
 
 /**
  * An additional taint step for cleartext database storage vulnerabilities.
- * Needed until we have proper content flow through arrays.
  */
 private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
   override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // needed until we have proper content flow through arrays.
     exists(ArrayExpr arr |
       nodeFrom.asExpr() = arr.getAnElement() and
       nodeTo.asExpr() = arr
     )
+    or
+    // if an object is sensitive, its fields are always sensitive
+    // (this is needed because the sensitive data sources are in a sense
+    //  approximate; for example we might identify `passwordBox` as a source,
+    //  whereas it is more accurate to say that `passwordBox.textField` is the
+    //  true source).
+    nodeTo.asExpr().(LookupExpr).getBase() = nodeFrom.asExpr()
   }
 }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -28,13 +28,56 @@ edges
 | testCoreData2.swift:62:30:62:30 | bankAccountNo :  | testCoreData2.swift:62:4:62:4 | [post] obj [myBankAccountNumber] :  |
 | testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] :  | testCoreData2.swift:65:3:65:3 | [post] obj |
 | testCoreData2.swift:65:29:65:29 | bankAccountNo :  | testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] :  |
+| testCoreData2.swift:70:9:70:9 | self :  | file://:0:0:0:0 | .value :  |
+| testCoreData2.swift:71:9:71:9 | self :  | file://:0:0:0:0 | .value2 :  |
 | testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] :  | testCoreData2.swift:79:2:79:2 | [post] dbObj |
 | testCoreData2.swift:79:18:79:28 | .bankAccountNo :  | testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] :  |
 | testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] :  | testCoreData2.swift:80:2:80:2 | [post] dbObj |
 | testCoreData2.swift:80:18:80:28 | ...! :  | testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] :  |
 | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 :  | testCoreData2.swift:80:18:80:28 | ...! :  |
+| testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] :  | testCoreData2.swift:82:2:82:2 | [post] dbObj |
+| testCoreData2.swift:82:18:82:18 | bankAccountNo :  | testCoreData2.swift:70:9:70:9 | self :  |
+| testCoreData2.swift:82:18:82:18 | bankAccountNo :  | testCoreData2.swift:82:18:82:32 | .value :  |
+| testCoreData2.swift:82:18:82:32 | .value :  | testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] :  |
+| testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] :  | testCoreData2.swift:83:2:83:2 | [post] dbObj |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo :  | testCoreData2.swift:71:9:71:9 | self :  |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo :  | testCoreData2.swift:83:18:83:32 | ...! :  |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo :  | testCoreData2.swift:83:18:83:32 | .value2 :  |
+| testCoreData2.swift:83:18:83:32 | ...! :  | testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] :  |
+| testCoreData2.swift:83:18:83:32 | .value2 :  | testCoreData2.swift:83:18:83:32 | ...! :  |
+| testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] :  | testCoreData2.swift:84:2:84:2 | [post] dbObj |
+| testCoreData2.swift:84:18:84:18 | ...! :  | testCoreData2.swift:70:9:70:9 | self :  |
+| testCoreData2.swift:84:18:84:18 | ...! :  | testCoreData2.swift:84:18:84:33 | .value :  |
+| testCoreData2.swift:84:18:84:18 | bankAccountNo2 :  | testCoreData2.swift:84:18:84:18 | ...! :  |
+| testCoreData2.swift:84:18:84:18 | bankAccountNo2 :  | testCoreData2.swift:84:18:84:33 | .value :  |
+| testCoreData2.swift:84:18:84:33 | .value :  | testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] :  |
+| testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] :  | testCoreData2.swift:85:2:85:2 | [post] dbObj |
+| testCoreData2.swift:85:18:85:18 | ...! :  | testCoreData2.swift:71:9:71:9 | self :  |
+| testCoreData2.swift:85:18:85:18 | ...! :  | testCoreData2.swift:85:18:85:33 | .value2 :  |
+| testCoreData2.swift:85:18:85:18 | bankAccountNo2 :  | testCoreData2.swift:85:18:85:18 | ...! :  |
+| testCoreData2.swift:85:18:85:18 | bankAccountNo2 :  | testCoreData2.swift:85:18:85:33 | ...! :  |
+| testCoreData2.swift:85:18:85:33 | ...! :  | testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] :  |
+| testCoreData2.swift:85:18:85:33 | .value2 :  | testCoreData2.swift:85:18:85:33 | ...! :  |
 | testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] :  | testCoreData2.swift:87:2:87:10 | [post] ...? |
 | testCoreData2.swift:87:22:87:32 | .bankAccountNo :  | testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] :  |
+| testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] :  | testCoreData2.swift:88:2:88:10 | [post] ...? |
+| testCoreData2.swift:88:22:88:22 | bankAccountNo :  | testCoreData2.swift:70:9:70:9 | self :  |
+| testCoreData2.swift:88:22:88:22 | bankAccountNo :  | testCoreData2.swift:88:22:88:36 | .value :  |
+| testCoreData2.swift:88:22:88:36 | .value :  | testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] :  |
+| testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] :  | testCoreData2.swift:89:2:89:10 | [post] ...? |
+| testCoreData2.swift:89:22:89:22 | ...! :  | testCoreData2.swift:71:9:71:9 | self :  |
+| testCoreData2.swift:89:22:89:22 | ...! :  | testCoreData2.swift:89:22:89:37 | .value2 :  |
+| testCoreData2.swift:89:22:89:22 | bankAccountNo2 :  | testCoreData2.swift:89:22:89:22 | ...! :  |
+| testCoreData2.swift:89:22:89:22 | bankAccountNo2 :  | testCoreData2.swift:89:22:89:37 | ...! :  |
+| testCoreData2.swift:89:22:89:37 | ...! :  | testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] :  |
+| testCoreData2.swift:89:22:89:37 | .value2 :  | testCoreData2.swift:89:22:89:37 | ...! :  |
+| testCoreData2.swift:91:10:91:10 | bankAccountNo :  | testCoreData2.swift:92:10:92:10 | a :  |
+| testCoreData2.swift:91:10:91:10 | bankAccountNo :  | testCoreData2.swift:93:18:93:18 | b :  |
+| testCoreData2.swift:92:10:92:10 | a :  | testCoreData2.swift:70:9:70:9 | self :  |
+| testCoreData2.swift:92:10:92:10 | a :  | testCoreData2.swift:92:10:92:12 | .value :  |
+| testCoreData2.swift:92:10:92:12 | .value :  | testCoreData2.swift:93:18:93:18 | b :  |
+| testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] :  | testCoreData2.swift:93:2:93:2 | [post] dbObj |
+| testCoreData2.swift:93:18:93:18 | b :  | testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] :  |
 | testCoreData.swift:18:19:18:26 | value :  | testCoreData.swift:19:12:19:12 | value |
 | testCoreData.swift:31:3:31:3 | newValue :  | testCoreData.swift:32:13:32:13 | newValue |
 | testCoreData.swift:61:25:61:25 | password :  | testCoreData.swift:18:19:18:26 | value :  |
@@ -111,6 +154,8 @@ edges
 | testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  |
 | testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:59:2:59:2 | [post] g [data] :  |
 nodes
+| file://:0:0:0:0 | .value2 :  | semmle.label | .value2 :  |
+| file://:0:0:0:0 | .value :  | semmle.label | .value :  |
 | file://:0:0:0:0 | [post] self [data] :  | semmle.label | [post] self [data] :  |
 | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | semmle.label | [post] self [notStoredBankAccountNumber] :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
@@ -152,16 +197,54 @@ nodes
 | testCoreData2.swift:65:3:65:3 | [post] obj | semmle.label | [post] obj |
 | testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] :  | semmle.label | [post] obj [myBankAccountNumber] :  |
 | testCoreData2.swift:65:29:65:29 | bankAccountNo :  | semmle.label | bankAccountNo :  |
+| testCoreData2.swift:70:9:70:9 | self :  | semmle.label | self :  |
+| testCoreData2.swift:71:9:71:9 | self :  | semmle.label | self :  |
 | testCoreData2.swift:79:2:79:2 | [post] dbObj | semmle.label | [post] dbObj |
 | testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
 | testCoreData2.swift:79:18:79:28 | .bankAccountNo :  | semmle.label | .bankAccountNo :  |
 | testCoreData2.swift:80:2:80:2 | [post] dbObj | semmle.label | [post] dbObj |
 | testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
 | testCoreData2.swift:80:18:80:28 | ...! :  | semmle.label | ...! :  |
 | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 :  | semmle.label | .bankAccountNo2 :  |
+| testCoreData2.swift:82:2:82:2 | [post] dbObj | semmle.label | [post] dbObj |
+| testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
+| testCoreData2.swift:82:18:82:18 | bankAccountNo :  | semmle.label | bankAccountNo :  |
+| testCoreData2.swift:82:18:82:32 | .value :  | semmle.label | .value :  |
+| testCoreData2.swift:83:2:83:2 | [post] dbObj | semmle.label | [post] dbObj |
+| testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo :  | semmle.label | bankAccountNo :  |
+| testCoreData2.swift:83:18:83:32 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:83:18:83:32 | .value2 :  | semmle.label | .value2 :  |
+| testCoreData2.swift:84:2:84:2 | [post] dbObj | semmle.label | [post] dbObj |
+| testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
+| testCoreData2.swift:84:18:84:18 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:84:18:84:18 | bankAccountNo2 :  | semmle.label | bankAccountNo2 :  |
+| testCoreData2.swift:84:18:84:33 | .value :  | semmle.label | .value :  |
+| testCoreData2.swift:85:2:85:2 | [post] dbObj | semmle.label | [post] dbObj |
+| testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
+| testCoreData2.swift:85:18:85:18 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:85:18:85:18 | bankAccountNo2 :  | semmle.label | bankAccountNo2 :  |
+| testCoreData2.swift:85:18:85:33 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:85:18:85:33 | .value2 :  | semmle.label | .value2 :  |
 | testCoreData2.swift:87:2:87:10 | [post] ...? | semmle.label | [post] ...? |
 | testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] :  | semmle.label | [post] ...? [myValue] :  |
 | testCoreData2.swift:87:22:87:32 | .bankAccountNo :  | semmle.label | .bankAccountNo :  |
+| testCoreData2.swift:88:2:88:10 | [post] ...? | semmle.label | [post] ...? |
+| testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] :  | semmle.label | [post] ...? [myValue] :  |
+| testCoreData2.swift:88:22:88:22 | bankAccountNo :  | semmle.label | bankAccountNo :  |
+| testCoreData2.swift:88:22:88:36 | .value :  | semmle.label | .value :  |
+| testCoreData2.swift:89:2:89:10 | [post] ...? | semmle.label | [post] ...? |
+| testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] :  | semmle.label | [post] ...? [myValue] :  |
+| testCoreData2.swift:89:22:89:22 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:89:22:89:22 | bankAccountNo2 :  | semmle.label | bankAccountNo2 :  |
+| testCoreData2.swift:89:22:89:37 | ...! :  | semmle.label | ...! :  |
+| testCoreData2.swift:89:22:89:37 | .value2 :  | semmle.label | .value2 :  |
+| testCoreData2.swift:91:10:91:10 | bankAccountNo :  | semmle.label | bankAccountNo :  |
+| testCoreData2.swift:92:10:92:10 | a :  | semmle.label | a :  |
+| testCoreData2.swift:92:10:92:12 | .value :  | semmle.label | .value :  |
+| testCoreData2.swift:93:2:93:2 | [post] dbObj | semmle.label | [post] dbObj |
+| testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] :  | semmle.label | [post] dbObj [myValue] :  |
+| testCoreData2.swift:93:18:93:18 | b :  | semmle.label | b :  |
 | testCoreData.swift:18:19:18:26 | value :  | semmle.label | value :  |
 | testCoreData.swift:19:12:19:12 | value | semmle.label | value |
 | testCoreData.swift:31:3:31:3 | newValue :  | semmle.label | newValue :  |
@@ -302,6 +385,13 @@ nodes
 subpaths
 | testCoreData2.swift:43:35:43:35 | bankAccountNo :  | testCoreData2.swift:23:13:23:13 | value :  | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] :  |
 | testCoreData2.swift:52:41:52:41 | bankAccountNo :  | testCoreData2.swift:23:13:23:13 | value :  | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] :  |
+| testCoreData2.swift:82:18:82:18 | bankAccountNo :  | testCoreData2.swift:70:9:70:9 | self :  | file://:0:0:0:0 | .value :  | testCoreData2.swift:82:18:82:32 | .value :  |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo :  | testCoreData2.swift:71:9:71:9 | self :  | file://:0:0:0:0 | .value2 :  | testCoreData2.swift:83:18:83:32 | .value2 :  |
+| testCoreData2.swift:84:18:84:18 | ...! :  | testCoreData2.swift:70:9:70:9 | self :  | file://:0:0:0:0 | .value :  | testCoreData2.swift:84:18:84:33 | .value :  |
+| testCoreData2.swift:85:18:85:18 | ...! :  | testCoreData2.swift:71:9:71:9 | self :  | file://:0:0:0:0 | .value2 :  | testCoreData2.swift:85:18:85:33 | .value2 :  |
+| testCoreData2.swift:88:22:88:22 | bankAccountNo :  | testCoreData2.swift:70:9:70:9 | self :  | file://:0:0:0:0 | .value :  | testCoreData2.swift:88:22:88:36 | .value :  |
+| testCoreData2.swift:89:22:89:22 | ...! :  | testCoreData2.swift:71:9:71:9 | self :  | file://:0:0:0:0 | .value2 :  | testCoreData2.swift:89:22:89:37 | .value2 :  |
+| testCoreData2.swift:92:10:92:10 | a :  | testCoreData2.swift:70:9:70:9 | self :  | file://:0:0:0:0 | .value :  | testCoreData2.swift:92:10:92:12 | .value :  |
 | testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:34:2:34:2 | [post] a [data] :  |
 | testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:42:2:42:2 | [post] c [data] :  |
 | testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:52:2:52:3 | [post] ...! [data] :  |
@@ -321,7 +411,14 @@ subpaths
 | testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo :  | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo :  | bankAccountNo |
 | testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo :  | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:79:18:79:28 | .bankAccountNo :  | .bankAccountNo |
 | testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 :  | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 :  | .bankAccountNo2 |
+| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo :  | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo :  | bankAccountNo |
+| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo :  | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo :  | bankAccountNo |
+| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 :  | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 :  | bankAccountNo2 |
+| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 :  | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 :  | bankAccountNo2 |
 | testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo :  | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo :  | .bankAccountNo |
+| testCoreData2.swift:88:2:88:10 | ...? | testCoreData2.swift:88:22:88:22 | bankAccountNo :  | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo :  | bankAccountNo |
+| testCoreData2.swift:89:2:89:10 | ...? | testCoreData2.swift:89:22:89:22 | bankAccountNo2 :  | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 :  | bankAccountNo2 |
+| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo :  | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo :  | bankAccountNo |
 | testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password :  | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password :  | password |
 | testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password :  | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password :  | password |
 | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift b/swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift
@@ -79,16 +79,16 @@ func testCoreData2_3(dbObj: MyManagedObject2, maybeObj: MyManagedObject2?, conta
 	dbObj.myValue = container.bankAccountNo // BAD
 	dbObj.myValue = container.bankAccountNo2 // BAD
 
-	dbObj.myValue = bankAccountNo.value // BAD [NOT DETECTED]
-	dbObj.myValue = bankAccountNo.value2 // BAD [NOT DETECTED]
-	dbObj.myValue = bankAccountNo2.value // BAD [NOT DETECTED]
-	dbObj.myValue = bankAccountNo2.value2 // BAD [NOT DETECTED]
+	dbObj.myValue = bankAccountNo.value // BAD
+	dbObj.myValue = bankAccountNo.value2 // BAD
+	dbObj.myValue = bankAccountNo2.value // BAD
+	dbObj.myValue = bankAccountNo2.value2 // BAD
 
 	maybeObj?.myValue = container.bankAccountNo // BAD
-	maybeObj?.myValue = bankAccountNo.value // BAD [NOT DETECTED]
-	maybeObj?.myValue = bankAccountNo2.value2 // BAD [NOT DETECTED]
+	maybeObj?.myValue = bankAccountNo.value // BAD
+	maybeObj?.myValue = bankAccountNo2.value2 // BAD
 
 	var a = bankAccountNo // sensitive
 	var b = a.value
-	dbObj.myValue = b // BAD [NOT DETECTED]
+	dbObj.myValue = b // BAD
 }
