From 5ed78d1a4a34b6733e4af9bf5cf46b23e08e2d26 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 6 May 2026 14:43:23 +0100
Subject: [PATCH] Shared: Fix and simplify the exclusion for 'encrypted'
 values.

---
 rust/ql/test/library-tests/sensitivedata/test.rs              | 4 ++--
 .../codeql/concepts/internal/SensitiveDataHeuristics.qll      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
index 81ef1b782ea..2fa22152c83 100644
--- a/rust/ql/test/library-tests/sensitivedata/test.rs
+++ b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -42,8 +42,8 @@ fn test_passwords(
 	sink(password_str); // $ sensitive=password
 	sink(password_confirmation); // $ sensitive=password
 	sink(profile_password); // $ sensitive=password
-	sink(unencrypted_password); // $ MISSING: sensitive=password
-	sink(unencoded_password); // $ MISSING: sensitive=password
+	sink(unencrypted_password); // $ sensitive=password
+	sink(unencoded_password); // $ sensitive=password
 	sink(pass_phrase); // $ sensitive=password
 	sink(passphrase); // $ sensitive=password
 	sink(passPhrase); // $ sensitive=password
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
index c16478902e4..80ef76c76ac 100644
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -150,7 +150,7 @@ module HeuristicNames {
    */
   string notSensitiveRegexp() {
     result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|"
+      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|(?<!un)en(crypt|code)|"
         + "certain|concert|secretar|wildcard|coauthor|account(ant|ab|ing|ed)|(?<!pro)file|path|([_-]|\\b)url).*"
   }