From 46c4670796ad0fad9507d3289b56db844ad12bbf Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Tue, 10 Dec 2019 14:14:36 +0000
Subject: [PATCH 1/2] Make HardcodedCredentials query less noisy.

Considering "cert" and "account" to be sensitive leads to a massive number of false positives, especially on cockroach and kubernetes.
---
 ql/src/semmle/go/security/SensitiveActions.qll | 9 ---------
 ql/test/query-tests/Security/CWE-798/main.go | 4 ++++
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/ql/src/semmle/go/security/SensitiveActions.qll b/ql/src/semmle/go/security/SensitiveActions.qll
index b842365c3..e3d84f84b 100644
--- a/ql/src/semmle/go/security/SensitiveActions.qll
+++ b/ql/src/semmle/go/security/SensitiveActions.qll
@@ -28,7 +28,6 @@ module HeuristicNames {
 * user names or other account information.
 */
 string maybeAccountInfo() {
- result = "(?is).*acc(ou)?nt.*" or
 result = "(?is).*(puid|username|userid).*"
 }
@@ -41,12 +40,6 @@ module HeuristicNames {
 result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
 }
- /**
- * Gets a regular expression that identifies strings that may indicate the presence of
- * a certificate.
- */
- string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
 /**
 * Gets a regular expression that identifies strings that may indicate the presence
 * of sensitive data, with `classification` describing the kind of sensitive data involved.
@@ -57,8 +50,6 @@ module HeuristicNames {
 result = maybeAccountInfo() and classification = SensitiveExpr::id()
 or
 result = maybePassword() and classification = SensitiveExpr::password()
- or
- result = maybeCertificate() and classification = SensitiveExpr::certificate()
 }
 /**
diff --git a/ql/test/query-tests/Security/CWE-798/main.go b/ql/test/query-tests/Security/CWE-798/main.go
index 41bbb26a3..88cee2f32 100644
--- a/ql/test/query-tests/Security/CWE-798/main.go
+++ b/ql/test/query-tests/Security/CWE-798/main.go
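Review bot: Deleting the entire `acc(ou)?nt` alternative from `maybeAccountInfo()` drops every account-derived identifier from the `id` classification, not only the noisy ones, so a name like `accountKey` or `accountSecret` is now only reported if one of the remaining patterns happens to match it, which this hunk does not show. A narrower alternative keeps that signal while still rejecting the `accountParameter` case the test adds: `result = "(?is).*acc(ou)?nt(id|key|secret|token).*" or`. If the stem really is unsalvageable, say so in the doc comment above the predicate (its opening lies above the hunk) so the next maintainer does not re-add it.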
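Review bot: `maybeCertificate()` is a public predicate of the `HeuristicNames` module, so removing it outright breaks any other query or customisation that still references it, and it also discards the only name-based signal for certificate and key material that this file had. The false positive motivating the change (`certsDir` in the test) comes from the negative lookahead being too narrow rather than from the `cert` stem itself, so tightening the exclusion would keep both the predicate and its callers: `string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|dir|path|file|pool)).*" }`. If the predicate is to go anyway, mark it `deprecated` for a release before deleting it. The predicate whose `}` closes at the top of this hunk begins outside it.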
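Review bot: With this branch removed, `SensitiveExpr::certificate()` is a classification value that this predicate can no longer produce, but the value itself is not touched by the patch, so any `SensitiveExpr` logic or query that dispatches on `certificate()` presumably becomes dead without any compiler warning. Either retire the classification and its consumers in the same change, or keep the branch and narrow the `cert` regex instead so the classification still has a producer; leaving an orphaned classification invites someone to rely on it later. The enclosing predicate's signature lies above the hunk and is not visible here.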
@@ -54,4 +54,8 @@ func main() {
 i.password = testPassword // OK
 secretKey = "secret" // OK
 i.password = "--- redacted ---" // OK
+ certsDir := "/certs" // OK
+ fmt.Println(certsDir)
+ accountParameter := "ACCOUNT" // OK
+ fmt.Println(accountParameter)
 }

From 75d78b3f621aa9345c0e92ab39f5de4cff1707df Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Tue, 10 Dec 2019 16:12:48 +0000
Subject: [PATCH 2/2] Reduce precision of `HardcodedCredentials` to "medium".

---
 ql/src/Security/CWE-798/HardcodedCredentials.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ql/src/Security/CWE-798/HardcodedCredentials.ql b/ql/src/Security/CWE-798/HardcodedCredentials.ql
index aadf1aebc..88625148c 100644
--- a/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * to gain unauthorized access.
 * @kind problem
 * @problem.severity warning
- * @precision high
+ * @precision medium
 * @id go/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
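Review bot: The added lines only assert that `certsDir` and `accountParameter` are no longer reported; no companion `// NOT OK` case is added, and the diffstat shows no `.expected` change, so this test cannot catch a regex edit that also drops a genuine credential. Add a positive case next to them, for example `userName := "admin" // NOT OK` if the surviving `username` pattern is meant to fire on such an assignment, and regenerate the expected output to match. The `fmt.Println` calls assume `fmt` is already imported by this file, which is not visible in the hunk. `main` begins before the hunk.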