Swift: Fix unwanted flows.

geoffw0 · geoffw0 · commit 8245e6c2b971 · 2024-11-14T17:51:47.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -32,8 +32,8 @@ private class CollectionSummaries extends SummaryModelCsv {
         ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
         ";Collection;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;flatMap(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
-        ";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint",
-        ";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+        //";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint", --- disabled due to dubious results in practice
+        //";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", --- disabled due to dubious results in practice
         ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected b/swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
@@ -1,17 +1,4 @@
 edges
-| rncryptor.swift:60:9:60:65 | call to String.init(_:) | rncryptor.swift:68:25:68:44 | call to getARandomPassword() | provenance |  |
-| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | provenance |  |
-| rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:60:16:60:64 | call to map(_:) | provenance |  |
-| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) | provenance |  |
-| rncryptor.swift:60:16:60:64 | call to map(_:) | rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:74:89:74:89 | myRandomPassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:75:56:75:56 | myRandomPassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance |  |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | rncryptor.swift:81:56:81:56 | myMaybePassword | provenance |  |
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | provenance |  |
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | provenance |  |
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | provenance |  |
@@ -43,15 +30,7 @@ edges
 | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:63:40:63:40 | constantStringPassword | provenance |  |
 | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:68:34:68:34 | constantStringPassword | provenance |  |
 nodes
-| rncryptor.swift:60:9:60:65 | call to String.init(_:) | semmle.label | call to String.init(_:) |
-| rncryptor.swift:60:9:60:65 | call to String.init(_:) [Collection element] | semmle.label | call to String.init(_:) [Collection element] |
-| rncryptor.swift:60:16:60:16 | ............ | semmle.label | ............ |
-| rncryptor.swift:60:16:60:64 | call to map(_:) | semmle.label | call to map(_:) |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() | semmle.label | call to getARandomPassword() |
-| rncryptor.swift:68:25:68:44 | call to getARandomPassword() [Collection element] | semmle.label | call to getARandomPassword() [Collection element] |
 | rncryptor.swift:69:24:69:24 | abc123 | semmle.label | abc123 |
-| rncryptor.swift:74:89:74:89 | myRandomPassword | semmle.label | myRandomPassword |
-| rncryptor.swift:75:56:75:56 | myRandomPassword | semmle.label | myRandomPassword |
 | rncryptor.swift:77:89:77:89 | myConstPassword | semmle.label | myConstPassword |
 | rncryptor.swift:78:56:78:56 | myConstPassword | semmle.label | myConstPassword |
 | rncryptor.swift:80:89:80:89 | myMaybePassword | semmle.label | myMaybePassword |
@@ -86,13 +65,9 @@ nodes
 | test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword |
 subpaths
 #select
-| rncryptor.swift:74:89:74:89 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:74:89:74:89 | myRandomPassword | The value '............' is used as a constant password. |
-| rncryptor.swift:75:56:75:56 | myRandomPassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:75:56:75:56 | myRandomPassword | The value '............' is used as a constant password. |
 | rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. |
 | rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. |
-| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:80:89:80:89 | myMaybePassword | The value '............' is used as a constant password. |
 | rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. |
-| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:60:16:60:16 | ............ | rncryptor.swift:81:56:81:56 | myMaybePassword | The value '............' is used as a constant password. |
 | rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. |
 | rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. |
 | rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. |
diff --git a/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected b/swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected
