From 51e2a5418b7558c6ef86019afa68c37242b85cd6 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Wed, 29 Apr 2026 20:56:36 +0800
Subject: [PATCH] Java: move EncryptedSensitiveMethodCall into Sanitizers.qll

Address review feedback by moving the shared method-name-based encryption/hash/digest check into Sanitizers.qll, and reference it from both CleartextStorageQuery.qll and SensitiveLoggingQuery.qll instead of duplicating the definition.
---
 .../code/java/security/CleartextStorageQuery.qll | 12 +-----------
 java/ql/lib/semmle/code/java/security/Sanitizers.qll | 11 +++++++++++
 .../code/java/security/SensitiveLoggingQuery.qll | 7 +------
 3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
index 21d82bef657..83f51f7eedf 100644
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
@@ -2,6 +2,7 @@
 import java
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 private import semmle.code.java.security.SensitiveActions
 /** A sink representing persistent storage that saves data in clear text. */
@@ -76,17 +77,6 @@ private class DefaultCleartextStorageSanitizer extends CleartextStorageSanitizer
 }
 }
-/**
- * Method call for encrypting sensitive information. As there are various implementations of
- * encryption (reversible and non-reversible) from both JDK and third parties, this class simply
- * checks method name to take a best guess to reduce false positives.
- */
-private class EncryptedSensitiveMethodCall extends MethodCall {
- EncryptedSensitiveMethodCall() {
- this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
- }
-}
-
 /** Flow configuration for encryption methods flowing to inputs of persistent storage. */
 private module EncryptedValueFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) { src.asExpr() instanceof EncryptedSensitiveMethodCall }
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
index e00071da2d8..0c5f9b98070 100644
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -63,3 +63,14 @@ class RegexpCheckBarrier extends DataFlow::Node {
 exists(RegexMatch rm | rm instanceof Annotation | this.asExpr() = rm.getString())
 }
 }
+
+/**
+ * A method call for encrypting, hashing, or digesting sensitive information. As there are various
+ * implementations of encryption (reversible and non-reversible) from both JDK and third parties,
+ * this class simply checks the method name to take a best guess to reduce false positives.
+ */
+class EncryptedSensitiveMethodCall extends MethodCall {
+ EncryptedSensitiveMethodCall() {
+ this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
+ }
+}
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
index 5f11ae0d214..f35cae0e67f 100644
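Review bot: The moved class is now exported from Sanitizers.qll (the `private` modifier from the CleartextStorageQuery.qll definition is gone), so its doc comment should spell out how weak the name-only match is for anyone who reuses it as a barrier or source. `%hash%` also matches `Object.hashCode()`, and nothing about the algorithm or the arguments is checked, so a value that merely passes through such a call is treated as protected. Suggested addition to the Javadoc: `Note: this is a name-based heuristic only. Any method whose lowercase name contains "encrypt", "hash" or "digest" qualifies (including, for example, hashCode()); it does not verify that the call actually protects its input.` If the wider visibility is unintended, a comment stating that the class exists only for the two query libraries would at least document the intent.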
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -125,12 +125,7 @@ private class DefaultSensitiveLoggerBarrier extends SensitiveLoggerBarrier {
 * This is consistent with the treatment of encryption in `CleartextStorageQuery.qll` (CWE-312).
 */
 private class EncryptionBarrier extends SensitiveLoggerBarrier {
- EncryptionBarrier() {
- exists(MethodCall mc |
- this.asExpr() = mc and
- mc.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
- )
- }
+ EncryptionBarrier() { this.asExpr() instanceof EncryptedSensitiveMethodCall }
 }
 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
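Review bot: The new constructor body references `EncryptedSensitiveMethodCall`, which now lives in Sanitizers.qll, but this file receives no import of `semmle.code.java.security.Sanitizers` in the patch, unlike CleartextStorageQuery.qll, whose first hunk adds one; the diffstat shows a single insertion for this file, and it is the constructor line. If SensitiveLoggingQuery.qll does not already import that module, the name will not resolve, so the file's import block should be confirmed, adding `private import semmle.code.java.security.Sanitizers` if it is missing. The rewrite is otherwise equivalent to the removed `exists(MethodCall mc | ...)` form, since both make the call expression itself the barrier node.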