Java: move EncryptedSensitiveMethodCall into Sanitizers.qll

Address review feedback by moving the shared method-name-based encryption/hash/digest check into Sanitizers.qll, and reference it from both CleartextStorageQuery.qll and SensitiveLoggingQuery.qll instead of duplicating the definition.
2026-05-14 11:19:27 +02:00 · 2026-04-29 20:56:36 +08:00
parent 75162bb9eb
commit 51e2a5418b
3 changed files with 13 additions and 17 deletions
--- a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
@@ -2,6 +2,7 @@

 import java
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 private import semmle.code.java.security.SensitiveActions

 /** A sink representing persistent storage that saves data in clear text. */
@@ -76,17 +77,6 @@ private class DefaultCleartextStorageSanitizer extends CleartextStorageSanitizer
  }
 }

-/**
- * Method call for encrypting sensitive information. As there are various implementations of
- * encryption (reversible and non-reversible) from both JDK and third parties, this class simply
- * checks method name to take a best guess to reduce false positives.
- */
-private class EncryptedSensitiveMethodCall extends MethodCall {
-  EncryptedSensitiveMethodCall() {
-    this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
-  }
-}
-
 /** Flow configuration for encryption methods flowing to inputs of persistent storage. */
 private module EncryptedValueFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof EncryptedSensitiveMethodCall }
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -63,3 +63,14 @@ class RegexpCheckBarrier extends DataFlow::Node {
    exists(RegexMatch rm | rm instanceof Annotation | this.asExpr() = rm.getString())
  }
 }
+
+/**
+ * A method call for encrypting, hashing, or digesting sensitive information. As there are various
+ * implementations of encryption (reversible and non-reversible) from both JDK and third parties,
+ * this class simply checks the method name to take a best guess to reduce false positives.
+ */
+class EncryptedSensitiveMethodCall extends MethodCall {
+  EncryptedSensitiveMethodCall() {
+    this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -125,12 +125,7 @@ private class DefaultSensitiveLoggerBarrier extends SensitiveLoggerBarrier {
 * This is consistent with the treatment of encryption in `CleartextStorageQuery.qll` (CWE-312).
 */
 private class EncryptionBarrier extends SensitiveLoggerBarrier {
-  EncryptionBarrier() {
-    exists(MethodCall mc |
-      this.asExpr() = mc and
-      mc.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
-    )
-  }
+  EncryptionBarrier() { this.asExpr() instanceof EncryptedSensitiveMethodCall }
 }

 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */