Use `isTestFile` from the `ClassifyFiles` module instead of the previous `where` condition; update tests accordingly

This commit is contained in:
am0o0
2024-06-07 06:11:48 +02:00
parent e4ffdb848e
commit 5a69bbf6b0
3 changed files with 10 additions and 13 deletions


@@ -16,6 +16,7 @@
import javascript
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
import DataFlow::PathGraph
import semmle.javascript.filters.ClassifyFiles
bindingset[s]
predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
@@ -23,11 +24,7 @@ predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
where
cfg.hasFlowPath(source, sink) and
not sink.getNode()
.getFile()
.getAbsolutePath()
.toLowerCase()
.matches(["%stest%s", "%sdemo%s", "%sexample%s", "%ssample%s"]) and
not isTestFile(sink.getNode().getFile()) and
// use source value in message if it's available
if source.getNode().asExpr() instanceof ConstantString
then
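Review bot: The new condition `not isTestFile(sink.getNode().getFile())` narrows the exclusion to files classified as tests, so hard-coded credentials in files whose path merely contains `demo`, `example` or `sample` (which the removed `matches` clause used to drop) are now reported; this is a broader result-set change than the title's "instead of the previous where condition" suggests and nothing in the query records it. Judging by the updated `.expected` file, the `HardcodedCredentialsDemo.js` fixture was moved under `__tests__/` so that it stays excluded, which leaves no positive test pinning that a demo/sample file outside a test directory is now flagged; keeping one such fixture with its expected `#select` rows would document the new behaviour. I would add a comment above the new line, e.g. `// Only skip files ClassifyFiles classifies as tests; demo/sample code is reported`, since `isTestFile`'s exact classification rules are not visible here, and presumably a change note for the result-set change if the third changed file is not one. The `where` clause continues past the end of the hunk.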


@@ -332,12 +332,12 @@ nodes
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -512,8 +512,8 @@ edges
| HardcodedCredentials.js:401:9:401:43 | secretKey | HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
| HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |