Python: Handle _ in sensitive-data-sources

2025-12-20 10:46:30 +01:00 · 2022-06-22 10:18:59 +02:00
parent 4a844312f4
commit 4be375521f
2 changed files with 2 additions and 2 deletions
--- a/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -50,7 +50,7 @@ module HeuristicNames {
   * Gets a regular expression that identifies strings that may indicate the presence of secret
   * or trusted data.
   */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+  string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }

  /**
   * Gets a regular expression that identifies strings that may indicate the presence of
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -39,7 +39,7 @@ print(x) # $ SensitiveUse=password

 # some prefixes makes us ignore it as a source
 not_found.isSecret
-not_found.is_secret # $ SPURIOUS: SensitiveDataSource=secret
+not_found.is_secret

 def my_func(non_sensitive_name):
    x = non_sensitive_name()