C++: Move the weird global property 'not sqlite_encryption_used()' from the sink definition to the source definition. The dataflow library starts tracking flow from the sources, so it's better to to rule out the entire database in the source definition than in the sink definition.

MathiasVP · MathiasVP · commit 03ba7ea85146 · 2023-03-09T14:59:13.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -102,13 +102,12 @@ predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c, Type t) {
  * A taint flow configuration for flow from a sensitive expression to a `SqliteFunctionCall` sink.
  */
 module FromSensitiveConfiguration implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
-
-  predicate isSink(DataFlow::Node sink) {
-    isSinkImpl(sink, _, _) and
-    not sqlite_encryption_used()
+  predicate isSource(DataFlow::Node source) {
+    isSourceImpl(source, _) and not sqlite_encryption_used()
   }
 
+  predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _, _) }
+
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
