Make HardcodedCredentials query less noisy.

Considering "cert" and "account" to be sensitive leads to a massive number of false positives, especially on cockroach and kubernetes.
github · Dec 10, 2019 · 46c4670 · 46c4670
1 parent eb639c6
commit 46c4670
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 9 deletions.
diff --git a/ql/src/semmle/go/security/SensitiveActions.qll b/ql/src/semmle/go/security/SensitiveActions.qll
@@ -28,7 +28,6 @@ module HeuristicNames {
    * user names or other account information.
    */
   string maybeAccountInfo() {
-    result = "(?is).*acc(ou)?nt.*" or
     result = "(?is).*(puid|username|userid).*"
   }
 
@@ -41,12 +40,6 @@ module HeuristicNames {
     result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
   }
 
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a certificate.
-   */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
   /**
    * Gets a regular expression that identifies strings that may indicate the presence
    * of sensitive data, with `classification` describing the kind of sensitive data involved.
@@ -57,8 +50,6 @@ module HeuristicNames {
     result = maybeAccountInfo() and classification = SensitiveExpr::id()
     or
     result = maybePassword() and classification = SensitiveExpr::password()
-    or
-    result = maybeCertificate() and classification = SensitiveExpr::certificate()
   }
 
   /**

diff --git a/ql/test/query-tests/Security/CWE-798/main.go b/ql/test/query-tests/Security/CWE-798/main.go
@@ -54,4 +54,8 @@ func main() {
 	i.password = testPassword       // OK
 	secretKey = "secret"            // OK
 	i.password = "--- redacted ---" // OK
+	certsDir := "/certs"            // OK
+	fmt.Println(certsDir)
+	accountParameter := "ACCOUNT"	// OK
+	fmt.Println(accountParameter)
 }