Python: Handle _ in sensitive-data-sources

RasmusWL · RasmusWL · commit 4be375521f79 · 2022-06-22T11:05:14.000+02:00
diff --git a/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -50,7 +50,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of secret
    * or trusted data.
    */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+  string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -39,7 +39,7 @@ def encrypt_password(pwd):
 
 # some prefixes makes us ignore it as a source
 not_found.isSecret
-not_found.is_secret # $ SPURIOUS: SensitiveDataSource=secret
+not_found.is_secret
 
 def my_func(non_sensitive_name):
     x = non_sensitive_name()
