Swift: Remove id() categorization due to accuracy, and repair the old bank.?account case.

geoffw0 · geoffw0 · commit 0e443da7106b · 2023-05-25T21:51:27.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -30,7 +30,11 @@ class SensitiveCredential extends SensitiveDataType, TCredential {
   override string toString() { result = "credential" }
 
   override string getRegexp() {
-    result = HeuristicNames::maybeSensitiveRegexp(_) or
+    exists(SensitiveDataClassification classification |
+      not classification = SensitiveDataClassification::id() and // not accurate enough
+      result = HeuristicNames::maybeSensitiveRegexp(classification)
+    )
+    or
     result = "(?is).*(license.?key).*"
   }
 }
@@ -54,7 +58,7 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
         // Geographic location - where the user is (or was)
         "latitude|longitude|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "credit.?card|debit.?card|salary|" +
+        "credit.?card|debit.?card|salary|bank.?account|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         "email|" +
         // Health - medical conditions, insurance status, prescription records
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -13,7 +13,6 @@ edges
 | testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data |
 | testSend.swift:54:17:54:17 | password | testSend.swift:54:13:54:25 | call to pad(_:) |
 | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
-| testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
 nodes
 | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | semmle.label | [summary] to write: return (return) in Data.init(_:) |
@@ -41,8 +40,6 @@ nodes
 | testSend.swift:66:27:66:30 | .mobileNumber | semmle.label | .mobileNumber |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:13:54:13:54 | passwd | semmle.label | passwd |
-| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:15:55:15:55 | account_no | semmle.label | account_no |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no | semmle.label | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
@@ -61,6 +58,5 @@ subpaths
 | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:65:27:65:27 | license_key | license_key |
 | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:66:27:66:30 | .mobileNumber | .mobileNumber |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:13:54:13:54 | passwd | passwd |
-| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:15:55:15:55 | account_no | account_no |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:16:55:16:55 | credit_card_no | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:20:22:20:22 | passwd | passwd |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -4,54 +4,50 @@
 | testAlamofire.swift:159:26:159:26 | email | label:email, type:private information |
 | testAlamofire.swift:171:35:171:35 | email | label:email, type:private information |
 | testAlamofire.swift:177:35:177:35 | email | label:email, type:private information |
-| testAlamofire.swift:187:48:187:48 | username | label:username, type:credential |
 | testAlamofire.swift:187:65:187:65 | password | label:password, type:credential |
-| testAlamofire.swift:195:47:195:47 | username | label:username, type:credential |
 | testAlamofire.swift:195:64:195:64 | password | label:password, type:credential |
-| testAlamofire.swift:205:45:205:45 | username | label:username, type:credential |
 | testAlamofire.swift:205:62:205:62 | password | label:password, type:credential |
-| testAlamofire.swift:213:48:213:48 | username | label:username, type:credential |
 | testAlamofire.swift:213:65:213:65 | password | label:password, type:credential |
-| testCoreData2.swift:37:16:37:16 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:38:2:38:6 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:39:2:39:6 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:39:28:39:28 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:40:2:40:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:credential |
-| testCoreData2.swift:41:2:41:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:credential |
-| testCoreData2.swift:41:29:41:29 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:42:2:42:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:credential |
-| testCoreData2.swift:43:2:43:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:credential |
-| testCoreData2.swift:43:35:43:35 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:46:22:46:22 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:47:2:47:12 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:48:2:48:12 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:48:34:48:34 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:49:2:49:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:credential |
-| testCoreData2.swift:50:2:50:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:credential |
-| testCoreData2.swift:50:35:50:35 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:51:2:51:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:credential |
-| testCoreData2.swift:52:2:52:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:credential |
-| testCoreData2.swift:52:41:52:41 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:57:3:57:7 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:57:29:57:29 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:60:4:60:8 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:60:30:60:30 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:62:4:62:8 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:62:30:62:30 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:65:3:65:7 | .myBankAccountNumber | label:myBankAccountNumber, type:credential |
-| testCoreData2.swift:65:29:65:29 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:79:18:79:28 | .bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | label:bankAccountNo2, type:credential |
-| testCoreData2.swift:82:18:82:18 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:83:18:83:18 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:84:18:84:18 | bankAccountNo2 | label:bankAccountNo2, type:credential |
-| testCoreData2.swift:85:18:85:18 | bankAccountNo2 | label:bankAccountNo2, type:credential |
-| testCoreData2.swift:87:22:87:32 | .bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:88:22:88:22 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:89:22:89:22 | bankAccountNo2 | label:bankAccountNo2, type:credential |
-| testCoreData2.swift:91:10:91:10 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:95:10:95:10 | bankAccountNo | label:bankAccountNo, type:credential |
-| testCoreData2.swift:101:10:101:10 | bankAccountNo | label:bankAccountNo, type:credential |
+| testCoreData2.swift:37:16:37:16 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:38:2:38:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:39:2:39:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:39:28:39:28 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:40:2:40:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
+| testCoreData2.swift:41:2:41:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
+| testCoreData2.swift:41:29:41:29 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:42:2:42:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
+| testCoreData2.swift:43:2:43:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
+| testCoreData2.swift:43:35:43:35 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:46:22:46:22 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:47:2:47:12 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:48:2:48:12 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:48:34:48:34 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:49:2:49:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
+| testCoreData2.swift:50:2:50:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
+| testCoreData2.swift:50:35:50:35 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:51:2:51:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
+| testCoreData2.swift:52:2:52:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
+| testCoreData2.swift:52:41:52:41 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:57:3:57:7 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:57:29:57:29 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:60:4:60:8 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:60:30:60:30 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:62:4:62:8 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:62:30:62:30 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:65:3:65:7 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
+| testCoreData2.swift:65:29:65:29 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:79:18:79:28 | .bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 | label:bankAccountNo2, type:private information |
+| testCoreData2.swift:82:18:82:18 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:83:18:83:18 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:84:18:84:18 | bankAccountNo2 | label:bankAccountNo2, type:private information |
+| testCoreData2.swift:85:18:85:18 | bankAccountNo2 | label:bankAccountNo2, type:private information |
+| testCoreData2.swift:87:22:87:32 | .bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:88:22:88:22 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:89:22:89:22 | bankAccountNo2 | label:bankAccountNo2, type:private information |
+| testCoreData2.swift:91:10:91:10 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:95:10:95:10 | bankAccountNo | label:bankAccountNo, type:private information |
+| testCoreData2.swift:101:10:101:10 | bankAccountNo | label:bankAccountNo, type:private information |
 | testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
 | testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
 | testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
@@ -133,6 +129,5 @@
 | testSend.swift:66:27:66:30 | .mobileNumber | label:mobileNumber, type:private information |
 | testSend.swift:69:27:69:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
 | testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
-| testURL.swift:15:55:15:55 | account_no | label:account_no, type:credential |
 | testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
 | testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -12,7 +12,7 @@ struct URL
 func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
 	let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
 	let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
-	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD
+	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD [NOT DETECTED]
 	let d = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD
 
 	let base = URL(string: "http://example.com/"); // GOOD (not sensitive)
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
