Fine tuning criteria

luchua-bc · web-flow · commit ffd442a17a32 · 2020-05-12T23:24:55.000-04:00
1. Change the regex pattern from variable contains "url" to variable starts with "url"
2. Add the logging trace method to sink
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -17,7 +17,7 @@ import PathGraph
  */
 private string getACredentialRegex() {
   result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
-  result = "(?i).*(username|url).*"
+  result = "(?i)(.*username|url).*"
 }
 
 /** The variable or concatenated string with the variable that keeps sensitive information judging by its name * */
@@ -42,7 +42,7 @@ class LoggerType extends RefType {
 predicate isSensitiveLoggingSink(DataFlow::Node sink) {
   exists(MethodAccess ma |
     ma.getMethod().getDeclaringType() instanceof LoggerType and
-    ma.getMethod().hasName("debug") and
+    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and
     sink.asExpr() = ma.getAnArgument()
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import PathGraph`
`17`	`17`	`*/`
`18`	`18`	`private string getACredentialRegex() {`
`19`	`19`	`result = "(?i).pass(wd\|word\|code\|phrase)(?!.question).*" or`
`20`		`- result = "(?i).(username\|url)."`
	`20`	`+ result = "(?i)(.username\|url)."`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`/** The variable or concatenated string with the variable that keeps sensitive information judging by its name * */`
`@@ -42,7 +42,7 @@ class LoggerType extends RefType {`
`42`	`42`	`predicate isSensitiveLoggingSink(DataFlow::Node sink) {`
`43`	`43`	`exists(MethodAccess ma \|`
`44`	`44`	`ma.getMethod().getDeclaringType() instanceof LoggerType and`
`45`		`- ma.getMethod().hasName("debug") and`
	`45`	`+ (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and`
`46`	`46`	`sink.asExpr() = ma.getAnArgument()`
`47`	`47`	`)`
`48`	`48`	`}`