From 07d4df18b911584c2058ca1b8311253dbdc4d91c Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 6 May 2026 11:28:41 +0100
Subject: [PATCH] Shared: Add 'card.?no' sensitive data heuristic.

---
 rust/ql/test/library-tests/sensitivedata/test.rs            | 6 +++---
 .../codeql/concepts/internal/SensitiveDataHeuristics.qll    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
index 9b0581239de..a5af8efeab4 100644
--- a/rust/ql/test/library-tests/sensitivedata/test.rs
+++ b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -313,8 +313,8 @@ fn test_private_info(
 
 	sink(info.financials.my_bank_account_number.as_str()); // $ sensitive=private SPURIOUS: sensitive=id
 	sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
-	sink(info.financials.card_no.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.cardNumber.as_str()); // $ MISSING: sensitive=private
+	sink(info.financials.card_no.as_str()); // $ sensitive=private
+	sink(info.financials.cardNumber.as_str()); // $ sensitive=private
 	sink(info.financials.card_security_code.as_str()); // $ MISSING: sensitive=private
 	sink(info.financials.credit_rating); // $ sensitive=private
 	sink(info.financials.user_ccn.as_str()); // $ sensitive=private
@@ -368,7 +368,7 @@ fn test_private_info(
 	sink(info.financials.accounting);
 	sink(info.financials.unaccounted);
 	sink(info.financials.multiband);
-	sink(info.financials.wildcard_not_matched);
+	sink(info.financials.wildcard_not_matched); // $ SPURIOUS: sensitive=private
 
 	sink(ContactDetails::FavouriteColor("blue".to_string()));
 }
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
index 4271784577f..c30a834fbd5 100644
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -104,7 +104,7 @@ module HeuristicNames {
         // Geographic location - where the user is (or was)
         "latitude|longitude|nationality|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|routing.?num|"
+        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|(card|acc(ou)?nt).?(no|num|credit)|routing.?num|"
         + "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         // "e(mail|_mail)|" + // this seems too noisy