Merge pull request #19507 from michaelnebel/removehardcodedpassword

Exclude some queries from query suites by lowering their precision.
2026-04-29 18:55:14 +02:00 · 2025-05-21 11:13:14 +02:00
parent 789e881254 dabeddb62d
commit 2952c0d2b4
41 changed files with 50 additions and 36 deletions
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -38,7 +38,6 @@ ql/csharp/ql/src/Concurrency/SynchSetUnsynchGet.ql
 ql/csharp/ql/src/Concurrency/UnsafeLazyInitialization.ql
 ql/csharp/ql/src/Concurrency/UnsynchronizedStaticAccess.ql
 ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
 ql/csharp/ql/src/Diagnostics/CompilerError.ql
 ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
@@ -146,8 +145,6 @@ ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
 ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -1,5 +1,4 @@
 ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Diagnostics/CompilerError.ql
 ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
 ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -49,8 +48,6 @@ ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
 ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -26,6 +26,7 @@ ql/csharp/ql/src/Bad Practices/Naming Conventions/DefaultControlNames.ql
 ql/csharp/ql/src/Bad Practices/Naming Conventions/VariableNameTooShort.ql
 ql/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
 ql/csharp/ql/src/Bad Practices/UseOfSystemOutputStream.ql
+ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Dead Code/DeadRefTypes.ql
 ql/csharp/ql/src/Dead Code/NonAssignedFields.ql
 ql/csharp/ql/src/Dead Code/UnusedField.ql
@@ -89,6 +90,8 @@ ql/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
 ql/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
 ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
 ql/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
 ql/csharp/ql/src/Useless code/PointlessForwardingMethod.ql
 ql/csharp/ql/src/definitions.ql
--- a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
- * @precision medium
+ * @precision low
 * @id cs/password-in-configuration
 * @tags security
 *       external/cwe/cwe-013
--- a/Features/CWE-798/HardcodedConnectionString.ql
+++ b/Features/CWE-798/HardcodedConnectionString.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id cs/hardcoded-connection-string-credentials
 * @tags security
 *       external/cwe/cwe-259
--- a/Features/CWE-798/HardcodedCredentials.ql
+++ b/Features/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id cs/hardcoded-credentials
 * @tags security
 *       external/cwe/cwe-259
--- a/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
+++ b/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.