diff --git a/ql/src/Security/CWE-798/HardcodedCredentials.ql b/ql/src/Security/CWE-798/HardcodedCredentials.ql
index aadf1aebc..88625148c 100644
--- a/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * to gain unauthorized access.
 * @kind problem
 * @problem.severity warning
- * @precision high
+ * @precision medium
 * @id go/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/ql/src/semmle/go/security/SensitiveActions.qll b/ql/src/semmle/go/security/SensitiveActions.qll
index b842365c3..e3d84f84b 100644
--- a/ql/src/semmle/go/security/SensitiveActions.qll
+++ b/ql/src/semmle/go/security/SensitiveActions.qll
@@ -28,7 +28,6 @@ module HeuristicNames {
 * user names or other account information.
 */
 string maybeAccountInfo() {
- result = "(?is).*acc(ou)?nt.*" or
 result = "(?is).*(puid|username|userid).*"
 }
@@ -41,12 +40,6 @@ module HeuristicNames {
 result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
 }
- /**
- * Gets a regular expression that identifies strings that may indicate the presence of
- * a certificate.
- */
- string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
 /**
 * Gets a regular expression that identifies strings that may indicate the presence
 * of sensitive data, with `classification` describing the kind of sensitive data involved.
@@ -57,8 +50,6 @@ module HeuristicNames {
 result = maybeAccountInfo() and classification = SensitiveExpr::id()
 or
 result = maybePassword() and classification = SensitiveExpr::password()
- or
- result = maybeCertificate() and classification = SensitiveExpr::certificate()
 }
 /**
diff --git a/ql/test/query-tests/Security/CWE-798/main.go b/ql/test/query-tests/Security/CWE-798/main.go
index 41bbb26a3..88cee2f32 100644
--- a/ql/test/query-tests/Security/CWE-798/main.go
+++ b/ql/test/query-tests/Security/CWE-798/main.go
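Review bot: The doc comment kept as context above `string maybeAccountInfo()` still promises matches for "user names or other account information", but once the `acc(ou)?nt` alternative is removed the predicate only matches `puid|username|userid`, so the comment now overstates what the heuristic finds. Change it to `* user names or user identifiers.` so the narrower behaviour is documented where it is read. The enclosing `HeuristicNames` module starts and ends outside the hunk.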
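Review bot: Deleting `maybeCertificate()` together with its `SensitiveExpr::certificate()` branch in the last hunk drops all name-based classification of certificate and key material, not only the directory-style false positives the test file adds; tightening the pattern to exclude path-like and parameter-like names would have kept the remaining true positives, and the precision downgrade in the first hunk suggests that trade-off was not fully weighed. If any query outside this file still references `maybeCertificate()`, the removal also breaks it, which cannot be confirmed from the diff. The doc comment of the classification predicate (the `/** ... */` context lines before the last hunk) should at least state that the `certificate()` classification is no longer produced here, so callers do not keep assuming it is.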
@@ -54,4 +54,8 @@ func main() { i.password = testPassword // OK secretKey = "secret" // OK i.password = "--- redacted ---" // OK + certsDir := "/certs" // OK + fmt.Println(certsDir) + accountParameter := "ACCOUNT" // OK + fmt.Println(accountParameter) }
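Review bot: The four added lines only pin the false-positive side (`certsDir` and `accountParameter` both marked `// OK`); nothing in the hunk records that a `cert`-named variable holding a literal is now also left unflagged, so a later reader cannot tell whether that loss of coverage is intended. Add one such case with an explicit comment, e.g. `// OK: certificate name heuristic was removed`, so the expected output documents the trade-off rather than hiding it. The matching `.expected` change, if there is one, is not part of this diff.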